
Hacking the Model S for evil...

Discussion in 'Model S: Driving Dynamics' started by Herbys, Feb 16, 2013.

  1. Herbys

    Herbys Member

    Joined:
    Jul 3, 2012
    Messages:
    66
    #1 Herbys, Feb 16, 2013
    Last edited: Feb 16, 2013
    As a Computer Scientist who has worked in Computer Security all his life, I'm more than a little bit worried about the potential for someone hacking into my car with evil intent. At best it could lead to someone gaining access to my information, at worst it could end up with my car smashing into a column.
    This has been discussed with other cars, through arcane but still theoretically feasible avenues such as hacking into the Bluetooth network, then finding software holes in the audio system or console, to then escalate to take control of the Car Area Network most modern cars have. It has even been theoretically demonstrated in some regular cars, with the limitations (mostly range) these channels impose.
    The Model S opens this risk to a whole new level. A 3G connected car could, in theory, allow me to hack into it from anywhere in the world. I presume Tesla's software is of a quality comparable to that of the rest of the car, but that doesn't mean there are zero bugs there. The risks, thus, are big. Just as a virus can infect millions of PCs in a single day, an equivalent problem with the Tesla could lead to thousands of accidents, so I presume Tesla is putting special focus on this area.

    So my questions to anyone in the know are:
    * Did Tesla follow a process such as the Security Development Lifecycle when developing their software? If not, it doesn't matter how much attention to quality they put, big software security issues are bound to be there (especially in a green field like car software architecture). Given that this car has a single user-accessible computer that can control things such as steering, acceleration, braking, access and other such behaviors, I'm especially worried about someone building tools to take control of car settings remotely, then escalating into taking control of the UI computer, and exploiting holes in the CAN or controller software to take control of vital car systems such as the drive-by-wire systems.

    * Is there any reference to the security model of the car? Even though I don't buy the "security through obscurity" method (no serious security researcher does) I could understand if Tesla considers that it wouldn't be good to release too much detail at this point since it could lead hackers in the right direction if there are some obvious flaws in the logic, but I would like to see at least that Tesla has defined a software architecture that provides some assurances and that doesn't assume there are no buffer overruns, unchecked inputs, EoPs or other such problems.
    * Any formal process to confidentially communicate vulnerabilities detected? Is there a commitment from Tesla for responsible disclosure of bugs and adequate, timely responses?
    * How is the software update process secured? I presume it is protected by digital signatures in the updates, but is there a chance an unsigned binary is deployed to the cars over the air? What sort of certificates are utilized? What's the assurance process for the root keys of such certificates?
    * Finally, any third-party evaluation of the software in the car? Given the number of software engineers that purchased Teslas (based on the number I know are in the hands of Google, Microsoft and Apple employees) getting some third party involvement shouldn't be hard.

    I hope I don't get responses such as "the car doesn't run Windows, so it doesn't need any of this", "there are no bugs", or "the remote control doesn't have options to drive the car, so this is impossible". All systems are hackable, and most are being hacked every single day. The only thing that can give me some assurance (and that can ensure Tesla won't go under in a single week after a big incident involving many cars) would be a good security process on Tesla's side. Unlike most cars, the Tesla has the advantage of being able to be updated over the air which means that as soon as a vulnerability is identified and a patch is built it can be quickly deployed to cars, but the existence of a fast, streamlined process for doing that is critical. Even more, the ability to do a remote kill of all wireless functionality if a serious vulnerability starts being exploited before there is a fix could at least help avoid a major catastrophe.

    Where does one start to find out about Tesla's security processes and assurances?
    Thanks!
     
  2. steve841

    steve841 Active Member

    Joined:
    Jan 17, 2010
    Messages:
    1,397
    Location:
    Ft. Lauderdale, FL
    I think the Chinese hacked mine and killed my 12 volt battery a few months ago.
     
  3. Jason S

    Jason S Model S Sig Perf (P85)

    Joined:
    Apr 20, 2012
    Messages:
    1,350
    Location:
    Rocklin, CA
    "security through obscurity" method still places some roadblocks for those investigating. Therefore the items you are asking about aren't well known, if at all, outside the company.

    Report vulnerabilities via email, track however you wish there. They aren't opening up their bug tracking system.

    Track the 3G communications with Tesla for most other things. Once wireless is enabled, I expect it'll be SSL-type communications.

    The API for the phone app was figured out through taps and somebody created a successful Windows phone app based on the API discovered.

    Otherwise you should be asking Tesla. And if they give you any information, I'd say SHAME ON THEM. The info you ask for is just homework for a black hat attack.
     
  4. Eberhard

    Eberhard #421 Model S #S32

    Joined:
    Oct 17, 2010
    Messages:
    1,141
    Location:
    Germany
    I would like to hack into my own Model S too, to get all that information hidden behind the Roadster's service/diagnostic screen.
     
  5. EarlyAdopter

    EarlyAdopter Active Member

    Joined:
    Jun 24, 2012
    Messages:
    2,494
    Location:
    Redmond, WA
    The security of the Model S is equivalent to any other Linux PC running a Webkit browser. Don't browse to random websites. That's the most probable avenue of attack. If there are remote vulnerabilities in the bluetooth or wifi stacks in Linux, they'll be there in the Model S. Fortunately, that's exceptionally rare.

    The Model S will have some defense to random drive-by website hijacking as it is a Linux PC running on a Tegra 3 ARM architecture - an unusual combination. No one will have ready made exploits written for that combination. They'll either be x86/Linux or ARM/Android (yes I know Android is based on Linux, but it's different enough to require different ready made exploits).

    Targeted attacks by a motivated attacker are indeed quite possible, within the limits of the attack surface mentioned above, but not likely outside of the security research community. The money these days is all in malware for botnets and spam, or 0days for vulnerability brokers who resell to shady governments (here's looking at you, Vupen), and the Model S isn't particularly interesting for either. Someone might get a nice talk at Blackhat out of a demonstration, but no one is going to 0wn your car from it.

    Presumably the embedded controllers that actually matter and can affect driving take signed firmware updates. Hopefully the signature checks happen in the embedded controllers themselves, and not in the infotainment 3G/WiFi/Bluetooth/Web connected center console PC. If so, all the other stuff in the previous paragraphs and your question is moot. This is all that matters.
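    The following is an added illustration of the point above (and of the signed-update question in the opening post), not code from Tesla or from anyone in this thread. It models a drive-critical controller that holds only the manufacturer's public key and verifies each firmware image itself, so a console that forwards a tampered, unsigned or downgraded image is refused regardless of whether the console is trusted. Key names, the image layout and the ed25519 choice are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Controller models the embedded ECU (constructed example). The public key is
// provisioned at manufacture; the console cannot change it or the check below.
type Controller struct {
	pubKey    ed25519.PublicKey
	installed uint32 // version currently running, used to refuse downgrades
}

// FirmwareImage is what arrives over the console's 3G/WiFi link (assumed layout).
type FirmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte // ed25519 signature over signedBytes(Version, Payload)
}

// signedBytes binds the version to the payload so neither can be swapped alone.
func signedBytes(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Install is the controller's own check; nothing the console does bypasses it.
func (c *Controller) Install(img FirmwareImage) error {
	if !ed25519.Verify(c.pubKey, signedBytes(img.Version, img.Payload), img.Sig) {
		return errors.New("firmware rejected: signature does not verify")
	}
	if img.Version <= c.installed {
		return errors.New("firmware rejected: not newer than installed version")
	}
	c.installed = img.Version
	return nil
}

// SignFirmware is the manufacturer's release step; the private key never
// reaches the car, so a compromised console cannot produce a valid signature.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{version, payload, ed25519.Sign(priv, signedBytes(version, payload))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ctl := &Controller{pubKey: pub, installed: 1}
	good := SignFirmware(priv, 2, []byte("constructed firmware v2"))
	fmt.Println("genuine image:", ctl.Install(good)) // nil: accepted
	tampered := good
	tampered.Payload = []byte("constructed firmware v2 + implant") // altered in transit
	fmt.Println("tampered image:", ctl.Install(tampered))           // rejected
}
```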
     
  6. strider

    strider Active Member

    Joined:
    Oct 20, 2010
    Messages:
    2,917
    Location:
    NE Oklahoma
    And this isn't new w/ Model S. I was talking to a coworker w/ a Mercedes and they have an app that looks almost identical to the Tesla one. So there are plenty of cars these days w/ cellular internet connections. Don't have an answer for you other than to say what Tesla is doing is new but not bleeding edge new.
     
  7. ahimberg

    ahimberg Member

    Joined:
    Aug 8, 2010
    Messages:
    347
    Location:
    Woodinville, WA
    There are lots of ways to hack cars lower tech than the Model S. There was some hack demo'd where the tire pressure sensors were used as an attack vector (in a vehicle where those sensors had a wireless comm protocol, some buffer overrun or something was exploited to get into the core car computer). Hard to be secure, and hard to gauge what cars are most interesting (or all cars?).
     
  8. hans

    hans P631

    Joined:
    Sep 27, 2012
    Messages:
    1,123
    Location:
    Menlo Park
    The fact that you can reboot the display while driving the car means there is a certain level of isolation of components, which makes me less worried about malicious hacking of the car that would affect the driving. More likely that hackers could get into the embedded Linux and install bot-net agents or keyboard capture apps just like on any other computer.

    Based on what we know now, the most important thing you can do is to pick a strong and unique password for your teslamotors.com login since that is what is used to authenticate the phone apps that can unlock your car and track its position.
     
  9. richkae

    richkae VIN587

    Joined:
    Jan 15, 2008
    Messages:
    1,917
    The weakest point of the system is your email address. If you use gmail with 2 factor authentication, it may not be - but most email systems are not as strong as gmail. If someone gets into your email they can reset your MyTesla password and then they have access to your car through the app.
    I could enumerate what I think are the other likely weak points, but instead I will just say I bet all of the infrastructure outside of the car is probably more vulnerable than the stuff in the car.
     
  10. Herbys

    Herbys Member

    Joined:
    Jul 3, 2012
    Messages:
    66
    #10 Herbys, Feb 17, 2013
    Last edited: Feb 17, 2013
    Jason: maybe you misunderstood what I asked for, otherwise you obviously don't work in computer security. Offering the source code, or even the full API may or may not be good for security (the jury is still out on that). But publishing the security standards, the processes and the general architecture for a commercial product, whether it's a phone or a car, can't hurt security. In most cases obscurity HAMPERS security. If Tesla Motors thinks not publishing the platform's security model will halt hackers, I'm selling my beloved Model S, as I do not have a death wish.
    I understand the value of temporary obscurity while someone sorts their act, but obscurity at this level adds no value in the long term.
    A well-documented and well-reviewed security model helps security, that's a well-accepted fact in CS. I'm not asking for the source code, or for information about bugs, not even API documentation. I'm asking about their PROCESS: is the code peer reviewed? Do they have protections against typical vectors? Does the platform perform Address Space randomization, mark buffers as "no execute" or have a generalized bounds check in all its API inputs? Does the company have a formal and public process to report bugs responsibly?
    Such information doesn't help hackers. If they want to know if the car does ASLR they can find out in seconds. I don't want to hack into my own car to find out, but I could if I wanted. And the cost of a car is of no consequence if what you want is to bring down a whole industry, or even if you just want to kill one rich guy.
    Let's say someone discovers a vulnerability and they don't have a formal process to communicate it. What does a researcher do? They publish it, of course. That's what most white hats do after not finding a formal process to report vulnerabilities. Do you think that would be good for Tesla?

    - - - Updated - - -

    EarlyAdopter: thanks for the info, but it worries me. So if Detroit wants to get rid of Tesla Motors all they have to do is to pay a bunch of Chinese hackers to find a few exploits and crash a few cars. That would be the end of the company. That's a billion dollar exploit, much more valuable than any one in Windows.
    To be sure my point is clear: if my Linux PC crashes or gets pwned, I lose some time, perhaps some money. If my Model S gets hacked with specific intent, and the car doesn't have isolation controls in place, I die.
    I don't care that much if someone steals my car. If a "hacker" can get to do the same things I can do, that's bad, but it is not the end of my life. But if they get to do the things I do not expect to be able to do remotely (drive the car, for example) then I will be very, very worried.

    What sort of controls would put me at ease? Well, technically, I would like there to be no direct control from the central computer (the one handling external communications and user interface) to the driveline controller, and that both are connected in a way that blocks the user-facing computer from controlling the car (e.g. the "API" that connects the user interface computer with the driveline controller is very tightly controlled and internally authenticated, it allows very specific actions such as the alteration of certain drivetrain parameters within controlled limits, and offers no way for this computer to issue commands such as "turn left" or "speed up"). I would also like to know Tesla has followed the SDL or something similar (just hiring good coders is not enough, not by a mile). I would like to know they adopted a well-reviewed security architecture rather than creating their own, or if they created their own that they had lots of peer reviewing. The fact that they started with Linux is a decent start (not that I'm a big fan of Linux, but Linux has gone through decades of evolution which has made it reasonably robust as a baseline). But a security model goes well beyond that. I would like to know that no single security bug (because there will be many, that's a fact) can bring the car down.
    I would also like to know that they have a good relationship with the White Hat community. That they encourage well-intended research on their car's security model, and that they encourage responsible disclosure. Because there's so much money at stake that I have no doubt the bad guys will be doing their research. We can only hope that Tesla has done what's necessary to make their work very hard, and that they have good guys working on getting ahead of the race.
     
  11. hans

    hans P631

    Joined:
    Sep 27, 2012
    Messages:
    1,123
    Location:
    Menlo Park
    Herbys, perhaps this car is not for you. I would be shocked to see Tesla release all the information you are asking for. Has any other car manufacturer done all that?
     
  12. Ardie

    Ardie Member

    Joined:
    Oct 4, 2009
    Messages:
    161
    For those of you who don't know (or don't care), almost every car made today uses a simpler version of the Local Area Network, called the Controller Area Network (more commonly called the CAN bus). The CAN bus allows dozens of components to send and receive sensor data and commands. It's all drive-by-wire nowadays.

    Furthermore, many of the higher-end cars have radios that not only receive, but transmit, too. Cellphone G3, G4, Bluetooth, Wi-Fi, garage door openers, and maybe even LoJack.

    Hacking the Model S for evil is probably no different than hacking any CAN Bus based vehicle. And there are many such cars nowadays.

    So far, if the villain has physical access to your car, and can connect an evil device onto the CAN Bus network (the On-Board Diagnostic port is the obvious choice), then there's a good possibility that the evil device can masquerade as some other device, and do evil things.

    If the villain does not have physical access to your car, then the problems are an order of magnitude more difficult, but theoretically possible. Most cars with On*Star, Satellite Radio, G3, Wi-Fi, etc. capability are configured to accept manufacturer signals (or upgrades, or directives) to remotely communicate with the car.

    {You may remember a GM commercial that briefly aired where the On*Star system was touted, showing a stolen car slowing down and rolling to a stop as several police cars trailed behind. The On*Star system accessed the car's fuel pump and slowly reduced its power to starve the engine of fuel, bringing it to a controlled stop.}

    If On*Star can access a vehicle on the go, then it is *possible* that our villain may be able to do it, too. But unlikely. After all, GM and the others aren't total dummies. They use a pretty good encryption system already. (I imagine they also use a pretty good gang of lawyers.)

    There is probably a villain or two out there right now trying to find a way to break through the encryption codes and gain access to remote devices, i.e., your car (or more likely, the Army's humvees). But just like Microsoft vs Apple, I would expect the villains to be going after a solution that might give them a greater rate of return should they meet with success (tens of thousands of GM On*Star cars, maybe) instead of a puny couple of hundred Tesla Model S cars.

    If this *still* becomes a problem, then it may take a simpler hard-wired solution: Design the car to have a special device installed on the On-Board Diagnostic port (or whatever) that is the *only* way that the car will receive software-altering upgrades. That device is only available at a dealership, and they have to enable it before anything could be modified.

    -- Ardie
    So, how do I download McAfee to the car again?
     
  13. Robert.Boston

    Robert.Boston Model S VIN P01536

    Joined:
    Oct 7, 2011
    Messages:
    7,842
    Location:
    Portland, Maine, USA
    I'm not sure whether hacking the center console will give access to any drive-critical functions. The fact that I can drive while rebooting all the computer systems suggests a physical separation of the systems.
     
  14. jerry33

    jerry33 S85 - VIN:P05130 - 3/2/13

    Joined:
    Mar 8, 2012
    Messages:
    12,743
    Location:
    Texas
    Isn't that sort of like saying, "If you don't want malware on your computer, disconnect from the internet and only load factory supplied media?"
     
  15. Ardie

    Ardie Member

    Joined:
    Oct 4, 2009
    Messages:
    161
    In a way, I guess so. There are those who are, um, "overly super-cautious" about this subject, and such a solution might work well for them.

    For me, I'll wait until there is a confirmed threat before I start lining my garage with copper.

    --Ardie
    That reminds me - I need to put my daughter on the "security breach threat" list.
     
  16. markwj

    markwj Moderator, Asia Pacific

    Joined:
    Apr 10, 2011
    Messages:
    3,655
    Location:
    Hong Kong
  17. JRP3

    JRP3 Hyperactive Member

    Joined:
    Aug 20, 2007
    Messages:
    10,082
    Location:
    Central New York
    "Intel and hackers inside." :scared:
     
  18. CanuckS#69

    CanuckS#69 Member

    Joined:
    Oct 20, 2012
    Messages:
    175
    Location:
    Sutton West, ON
    I think it would make more sense to worry about some driver intentionally hitting your car than some anonymous hacker intentionally causing your car to crash.
     
  19. gray

    gray Member

    Joined:
    Dec 15, 2012
    Messages:
    77
    Location:
    Chicago, IL
    What, to make your car go 80% slower for no apparent reason?
     
  20. FlasherZ

    FlasherZ Sig Model S + Sig Model X + Model 3 Resv

    Joined:
    Jun 21, 2012
    Messages:
    7,019
