-
Want to remove ads? Register an account and login to see fewer ads, and become a Supporting Member to remove almost all ads.
Firmware 6.0 (beta version discussion)
- Thread starter VHS-or-Beta
- Start date
bollar
Disgruntled Member
IMO you're overthinking this.
A simple version could work like this:
With a fob in the car, you could authenticate a phone to connect via BT. (I believe this is how the Tesla already works -- you can't pair a phone, unless there's a key on the car).
Once authenticated, the phone is more-or-less equally secure as the fob. (If you have the fob, or a phone, located proximate to the car with an authenticated BT connection, you can drive away.)
However, with the phone, you can add additional authentication requirements, such as a PIN entered on phone or screen, or something fancy like Apple's TouchID, which is more secure than a fob without authentication.
So, I don't see a scenario where the phone is emulating a key -- and I'm almost positive that smartphones don't have the required radios onboard to perform that emulation. I also don't think a cellular connection is required -- again, IMO, a BT connection is sufficient to complete a high security authentication implementation.
There are theoretical hacks against keyless systems, and the Bosch "Keyless Go" (which may or may not be the system Tesla uses) system has been hacked by people who were able to get a receiving antenna within a couple of feet of the fob and car.
There are also theoretical hacks against BT systems, but again, IMO, a BT system is more secure than the existing fob, and only super-spys need to be concerned about this threat.
Authenticating the car to start via cellular is an interesting idea, and it has a certain cool factor, but I share your concern that it could be easily exploited -- basically it depends mainly on your Teslamotors.com password.
+1. If there's ever a way to get a forum discussion back on track and focused it's to release a much overdue firmware update. Raising my glass to that as I write.
Morristhecat
Member
chickensevil
Active Member
It is an interesting idea to limit it through the BT. I will say though that if you did this you would still have to unlock the car through the phone which uses the 3G connection in the car. At least in my testing, the BT radio is not on all the time in the car and only turns on once the screen and such turns on (especially if the car is asleep). But the BT authentication idea would require that you be within a certain proximity of the car in order to actually drive away with it, removing the option of doing it from 500 miles away. If you can't pair your phone with the car without a key present (this is news to me, I did not know this, nor have I ever tried haha), then it would also prevent anyone from pairing a new device to the car and just stealing the vehicle... meaning you would have to have had the key at some point in order to steal the car later using your phone.
That is probably the best possible explanation for how they will do it since it would be the most secure. Just hacking the Bluetooth won't get you anywhere since it would add that second layer of security there.
- - - Updated - - -
Oh and this whole starting the car through your phone thing, is likely why they are also adding in the options on how the car goes to sleep for you. Since if your car is asleep it can take a good 2 or 3 minutes to wake up and connect to your phone. And you will have to wait for that in order to unlock the car with the phone and then drive away with the car using the phone.
I guess I just don't see the big deal here. When driving a car is as simple as hitting someone over the head and taking the key from their {purse,man-bag,pocket,cabinet,keylocker}, I just don't understand why there is so much hand-wringing over the ability to use a teslamotors.com password to activate the car remotely. You need physical access to the car, so it's unlike stealing digital assets which can be done from anywhere.
So what are the malicious use cases?
* My car is at home, I am home. I'm going to give you my key once you can get past the cuteness of the 3 fluffy cats and other obstacles that I may have.
* My car is home, I am not. Rummage around, you're likely to find my keys where the rest of them usually hang. No need to crack my username/password.
* My car sits at a business for a short-term errand. It's easier to wait until I emerge, then demand my key using a weapon.
* My car sits at a business for a long-term errand (including work). You can either wait for me to emerge and take my key, or rummage through my desk/bag/coat.
I know what you're saying... "but what if my phone is found, they notice I have the Tesla app? They can walk around the parking lot until they find my car and drive off!" But just replace "phone" with "key" and it's the same thing, even EASIER! And there's another answer to that - protect your phone with a passcode or other security lock.
Very honestly, the only case that I'd be half-worried about when compared to more conventional ways to steal a car is the case where Tesla's back-end infrastructure is compromised, and for a short period of time some enterprising thieves have the ability to activate any car on demand... i.e., bad burglar #1 learns that all Teslas are now available to him. He sees I have a Tesla, e-mails my VIN # with some payment to "tesla haxxor", and "tesla haxxor" replies with either a new username/password combination or mine (depending upon security of the database and method of compromise), and bad burglar uses that to activate my car. That scenario is dangerous but would be extremely short-lived. The first few people to have their cars stolen this way would report them, police would contact Tesla, Tesla would see that it was activated remotely via the app, and start digging quickly. When it happened more than once it would cause them to lock things down while they dig out. Of course, that's not new to Tesla, either. Most auto manufacturers keep a database of key codes that could be used to cut a new key for any newer car out there -- it's just that there are easier ways to steal a car!
Other than those who have some other beef here (like complaining that Tesla hasn't offered full OAUTH-based API authentication), I just don't understand how this is any less secure than what we deal with today. My $0.02.
So what are the malicious use cases?
* My car is at home, I am home. I'm going to give you my key once you can get past the cuteness of the 3 fluffy cats and other obstacles that I may have.
* My car is home, I am not. Rummage around, you're likely to find my keys where the rest of them usually hang. No need to crack my username/password.
* My car sits at a business for a short-term errand. It's easier to wait until I emerge, then demand my key using a weapon.
* My car sits at a business for a long-term errand (including work). You can either wait for me to emerge and take my key, or rummage through my desk/bag/coat.
I know what you're saying... "but what if my phone is found, they notice I have the Tesla app? They can walk around the parking lot until they find my car and drive off!" But just replace "phone" with "key" and it's the same thing, even EASIER! And there's another answer to that - protect your phone with a passcode or other security lock.
Very honestly, the only case that I'd be half-worried about when compared to more conventional ways to steal a car is the case where Tesla's back-end infrastructure is compromised, and for a short period of time some enterprising thieves have the ability to activate any car on demand... i.e., bad burglar #1 learns that all Teslas are now available to him. He sees I have a Tesla, e-mails my VIN # with some payment to "tesla haxxor", and "tesla haxxor" replies with either a new username/password combination or mine (depending upon security of the database and method of compromise), and bad burglar uses that to activate my car. That scenario is dangerous but would be extremely short-lived. The first few people to have their cars stolen this way would report them, police would contact Tesla, Tesla would see that it was activated remotely via the app, and start digging quickly. When it happened more than once it would cause them to lock things down while they dig out. Of course, that's not new to Tesla, either. Most auto manufacturers keep a database of key codes that could be used to cut a new key for any newer car out there -- it's just that there are easier ways to steal a car!
Other than those who have some other beef here (like complaining that Tesla hasn't offered full OAUTH-based API authentication), I just don't understand how this is any less secure than what we deal with today. My $0.02.
I agree. I actually hope they don't implement a pin code on the screen as others have suggested. I don't want to type a code to drive my car. If it requires that, I'll just keep using the fob so I can just get in and drive. I believe most people are just way over-thinking this. I'm anxious to see what Tesla came up with.
GaryREM
Member
+++
Some people seem to have a lot of time on their hands. Go out and take a drive (or maybe still waiting for their MS)!
R²B
All Star
This sounds a lot like hacking the garage door opener. Presumably, it's supposed to only take a few dollars worth of hardware and a program. However, the local police know of no actual cases where this has happened because the brute force methods work just as fast--at least that's what they said in the last neighbourhood watch meeting I attended.
+1.0E9. A minor inconvenience to solve a major security problem is tolerable, but the security mindset tends to produce just the opposite: constant annoyances to solve largely imaginary problems. It would be rather pointless to steal a Model S, because Tesla always knows where it is. So you can't use the car intact. You also can't chop it, because there's no (significant) gray market for Tesla parts. And you can't just break in and steal the stereo, because (a) it's all integrated, and (b) there's no market anyway. In the one report I've heard of a Tesla actually being stolen, the thief couldn't think of any better exit strategy than driving it into a concrete wall.
The gub'mint already has my fingerprints (was a Little League coach) - use of TouchID as a fob substitute would be cool.
green1
Active Member
The only security risk is if Tesla's servers are security stupid. I don't have proof, but I've heard of brute forcing the Tesla password, that worries me a bit. No server should let that be possible. It should have a set number of tries before it locks you out and you have to contact Tesla to reset it.
Other than that, I'd love to start the car and drive away with Bluetooth or NFC on my phone this would be better than doing it via Tesla's servers because it would deal with areas of no cell service (I actually had an idea to hack that in to my current vehicle, shouldn't have been too difficult the way I had planned. But now I've decided to give up on modding that vehicle and wait for my Tesla. )
Other than that, I'd love to start the car and drive away with Bluetooth or NFC on my phone this would be better than doing it via Tesla's servers because it would deal with areas of no cell service (I actually had an idea to hack that in to my current vehicle, shouldn't have been too difficult the way I had planned. But now I've decided to give up on modding that vehicle and wait for my Tesla. )
scott jones
Member
Anyone else mention or think the "release" or screen grabs were a beta test themselves of our possible 6.0?
In other words, it's a look ahead at what's close to the final product. And their goal is to get our real feedback.
And from there, they "may" go as is, makes changes given reactions, or supplement what they've done.
Keep in mind no one has actually gotten 6.0, so it's not a done deal, especially for a good programmer(s).
In other words, it's a look ahead at what's close to the final product. And their goal is to get our real feedback.
And from there, they "may" go as is, makes changes given reactions, or supplement what they've done.
Keep in mind no one has actually gotten 6.0, so it's not a done deal, especially for a good programmer(s).
Seems plausible to me. It also keeps expectations about what's going to be included under control, and contains the disappointment when feature x isn't included.
IMO, it was not a controlled leak. But, if it was, based on the response it has received indicating many people wanted more things and TM tries to accomodate everyone, then we will not see 6.0 till 2015.
So, back to my original opinion. 6.0 release in within 4 weeks with the same/similar features leaked and then more features in 7.0.
HillCountryFun
Member
For a short while there was a Tweet from Elon that mentioned v6.1, so I agree that it sounds like perhaps some of the features that were in 6.0 originally may have been pushed to the next update -
Similar threads
