Your reasoning appears sound, but they suggest otherwise in their blog post.
Sorry I must be slow. Can you show me where in the blog post?
Your reasoning appears sound, but they suggest otherwise in their blog post.
It's an implication more than a direct detailing, but they say:
Sorry I must be slow. Can you show me where in the blog post?
Keen Security Lab said: PLEASE DO UPDATE THE FIRMWARE OF YOUR TESLA CAR TO THE LATEST VERSION TO ENSURE THAT THE ISSUES ARE FIXED AND AVOID POTENTIAL DRIVING SAFETY RISKS.
I think you got the exploit wrong or partially wrong. Also Tesla did do a mass firmware update to fix this vulnerability and put out a press release. Did you not get it yet?
Since this exploits a remote vector, Tesla can easily patch it without performing a firmware update on the vehicle.
In the video they had the guy drive to a charging station. Possibly they had compromised that wifi access point. Don't know.
Ok hang on a second. Tesla is saying that the car must be connected to a malicious wifi network. In the video, they did not show that the car had to be connected to wifi. Everything they said was consistent with this being over LTE. I'll change my opinion based on that.
In the video they had the guy drive to a charging station. Possibly they had compromised that wifi access point. Don't know.
He drove there and came back. (at least that's what I remember happening). What other reason would they have to do that?
No they had him *search* for a charging station that was 10 km away.
Since this exploits a remote vector, Tesla can easily patch it without performing a firmware update on the vehicle.
That's what I've been saying all morning. Finally someone understands.
They said, and Tesla confirmed, that the attack is when your car uses a malicious WiFi network. I assume they can just inject some code into the network stream and take control of the car. That is why they wanted him to search for a charging location so that he would connect to their hacked WiFi network and that would give them access to the car.
I don't think they had any access to Tesla's network or VPN.
Possibly they were able to decrypt the "Tesla Service" password and run their own rogue access point at which point it would connect automatically.
In the video they had the guy drive to a charging station. Possibly they had compromised that wifi access point. Don't know.
I wonder if it wouldn't be easier to just disable the web browser entirely. I don't know if that would block the exploit or not, but I think that most of us do just fine without the web browser anyway.
The Tesla web browser has a remotely exploitable bug in it... Now I need to find that bug!
IIRC they will be releasing the source for the attack in the next week or so (they waited until Tesla came up with a fix).
After reading a bit about that exploit this morning, I learned something very interesting. Tesla's press release, along with someone else's confirmation, explains exactly what happened.
The Tesla web browser has a remotely exploitable bug in it... Now I need to find that bug!
Speak for yourself. I have Tesla Waze up many times plus PlugShare. I have friends who are not smartphone users who use it extensively for things like email and browsing.
I wonder if it wouldn't be easier to just disable the web browser entirely. I don't know if that would block the exploit or not, but I think that most of us do just fine without the web browser anyway.
We will know more soon but it sounded like it was both a wifi gateway compromise and a browser exploit.
After reading a bit about that exploit this morning, I learned something very interesting. Tesla's press release, along with someone else's confirmation, explains exactly what happened.
The Tesla web browser has a remotely exploitable bug in it... Now I need to find that bug!
Or if they would just update the browser periodically. It's been widely known the web browser hasn't been updated in many years. It appears it took something like this for Tesla to update their browser which people have been asking for a while now. Someone else reported that some sites used to think it was a Firefox browser and now think it's Safari.
I wonder if it wouldn't be easier to just disable the web browser entirely. I don't know if that would block the exploit or not, but I think that most of us do just fine without the web browser anyway.
Fair enough. I was specifically directing that at @green1, who is looking for a workaround to the exploit. Not to the active firmware community.
Speak for yourself. I have Tesla Waze up many times plus PlugShare. I have friends who are not smartphone users who use it extensively for things like email and browsing.
Sorry
Fair enough. I was specifically directing that at @green1, who is looking for a workaround to the exploit. Not to the active firmware community.
I think @green1 is looking to take advantage of the exploit to get root to the OS on his car not a workaround to the exploit but we can drop it. It's fixed now.
Fair enough. I was specifically directing that at @green1, who is looking for a workaround to the exploit. Not to the active firmware community.
Other than maybe altering future autonomous safety features, I think you will always be able to mod your car, it's your property and if you are not altering the safety that the systems have, then it's fine.
Except the other people on the road.