
Powerwall Potential Security Issues

Tesla support seem to have considerable remote access to the internals of Powerwall gateways. Most people will likely have the gateway on their internal LAN. If it's a wired LAN, then the gateway has the potential to see all the traffic on the LAN.

If Tesla support got hacked, this would provide a path into the lan of lots of Tesla's customers, with the potential for doing considerable harm.

Ideally the gateway would be isolated on a segment of its own, to prevent it from snooping on traffic, and allowed access only to the internet, and such LAN web traffic as its owner requires, but this is not something the typical owner will know how to do.

Sylvia.
 
You could argue basically the same thing with software updates. If someone was able to hack the software update server (along with the security hashes) it could be big trouble.

What do you think would be the ideal solution? Tesla buying a new dedicated line to someone's house (not being a dick - maybe cellular?). I think we should trust that Tesla has put software / hardware in place to prevent such attacks -- and most traffic is SSL anyways.
 
You could argue basically the same thing with software updates. If someone was able to hack the software update server (along with the security hashes) it could be big trouble.

One could hope that such things are better protected. Indeed, if updates are signed, there needn't be anything potentially vulnerable on the update server. The worst a hacker could do would be to prevent updates from taking place.
 
This is the age-old IoT vulnerability problem. I'm less worried about a company like Tesla where they at least have a decent software group than a company like LG. I would guess the chances of somebody getting onto my network through my washing machine are probably higher than through my Powerwall.

Even so, it would probably take a targeted hack to do any serious damage on my network. The most likely thing to happen would be for the Powerwall to be co-opted for a botnet. For this reason, I haven't bothered to isolate the Powerwall in my network.
 
Isn't the same thing true for everything you use? From your WiFi router (like eero), to Tesla's vehicles, to ADT home security, to Nest to Ring, to Hunter Douglas home automation blinds, to HomePod, etc...

Why just single out the Tesla Powerwall? The assumption is if you can get to it from your iPhone or Android device when not at home, then it's possible that it's vulnerable regardless of whether the vendor's NOC is involved or not.
 
Isn't the same thing true for everything you use? From your WiFi router (like eero), to Tesla's vehicles, to ADT home security, to Nest to Ring, to Hunter Douglas home automation blinds, to HomePod, etc...

Why just single out the Tesla Powerwall? The assumption is if you can get to it from your iPhone or Android device when not at home, then it's possible that it's vulnerable regardless of whether the vendor's NOC is involved or not.

Exactly, anything on the network is a source of risk. I worry more about the cheap android based stuff (kids tablets, etc) that will never see an update and the streaming device as much as anything.

Worse is the teenage kid friends that visit and think they need to be in everyone’s WiFi.
 
Another point that occurs to me is that in the case of a wired ethernet connection, there is a UTP cable that's, in many cases, accessible from outside the house, just by undoing a screw. It wouldn't be particularly difficult to add another WiFi router inside the gateway housing, where owners would be unlikely to find it, providing WiFi access to the LAN. There's even power available there.

OK, one might question why anyone would bother, but for some high value owner targets, it might be seen as a convenient way of gaining access to inside information.
 
Another point that occurs to me is that in the case of a wired ethernet connection, there is a UTP cable that's, in many cases, accessible from outside the house, just by undoing a screw. It wouldn't be particularly difficult to add another WiFi router inside the gateway housing, where owners would be unlikely to find it, providing WiFi access to the LAN. There's even power available there.

OK, one might question why anyone would bother, but for some high value owner targets, it might be seen as a convenient way of gaining access to inside information.

You would have to be on the property first for that. If the target was high value, it's pretty likely that they would have recorded surveillance, monitored alarm and possibly on-site security.
 
Another point that occurs to me is that in the case of a wired ethernet connection, there is a UTP cable that's, in many cases, accessible from outside the house, just by undoing a screw. It wouldn't be particularly difficult to add another WiFi router inside the gateway housing, where owners would be unlikely to find it, providing WiFi access to the LAN. There's even power available there.

OK, one might question why anyone would bother, but for some high value owner targets, it might be seen as a convenient way of gaining access to inside information.
IP based security cameras would have the same risk. Good point. Maybe I should move those over to a VLAN and isolate mine.
 
I don't know. For me it's the remote attacks that are scary, not the physical attacks. The number of people with the skills, motivation and access to do a local attack is so much smaller than the number of people on the Internet trolling for easy targets that it seems like the risk is comparatively small. Besides, I think the attack surface when you include that kind of attack is going to be huge. There are probably plenty of other undesirable things that somebody with that kind of physical access could do if they wanted to.
 
All of this is one more reason to have IoT devices on a separate guest network. Whether or not that's good enough depends on the Wifi AP and how it's segmented (name, VLAN, etc.). But there is no way these devices need to be on the same Wifi/SSID/VLAN as the rest of your internal devices (PCs, file server, etc. traffic).

For some level of protection, that's the first thing to do. How often does the firmware in your wifi thermometer and refrigerator get updated? :D (I don't have a connected reefer but the wifi thermometer is very useful, to remotely turn things up and down, and, no, it's not a bleeping Nest!)

So, the point was: The PWs should be on this guest network also, as most of their talking would be external.
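
The isolation described in the first post and argued for in the post above, written as an nftables policy for a Linux router. This is an added example and not part of any post in the thread; the interface names, the subnets and the use of HTTPS (port 443) for the owner's access to the gateway are assumptions.

```nftables
# /etc/nftables.conf fragment (constructed example)
# Assumed names: wan0 = internet uplink
#                lan0 = trusted LAN, 192.168.1.0/24 (PCs, file server)
#                iot0 = separate segment/VLAN, 192.168.50.0/24 (gateway, other IoT)

table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that one of the rules below allowed
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the internet
        iifname "lan0" oifname "wan0" accept

        # Isolated segment may reach the internet and nothing else
        iifname "iot0" oifname "wan0" accept

        # Owner's browser or app on the LAN may open HTTPS to the gateway
        iifname "lan0" oifname "iot0" tcp dport 443 accept

        # Anything the isolated segment tries to start toward the LAN is
        # counted and logged before being dropped, so probing shows up
        iifname "iot0" oifname "lan0" log prefix "iot->lan blocked: " counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # From the isolated segment the router itself offers only DNS and
        # DHCP; its admin interface and SSH are not reachable from there
        iifname "iot0" ct state established,related accept
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
        iifname "iot0" counter drop
    }
}
```

Because the segments are routed rather than bridged, a device on `iot0` also never sees broadcast or unicast frames from `lan0`, which addresses the traffic-snooping concern as well as the pivoting one.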
 
Tesla support seem to have considerable remote access to the internals of Powerwall gateways. Most people will likely have the gateway on their internal LAN. If it's a wired LAN, then the gateway has the potential to see all the traffic on the LAN.

If Tesla support got hacked, this would provide a path into the lan of lots of Tesla's customers, with the potential for doing considerable harm.

Ideally the gateway would be isolated on a segment of its own, to prevent it from snooping on traffic, and allowed access only to the internet, and such LAN web traffic as its owner requires, but this is not something the typical owner will know how to do.

This is really the case with almost any device you have in your local network.

- Computers can get remote updates, those updates could contain malware
- Lots of devices such as WiFi doorbells, cameras, access points, routers all run some kind of Linux, they could contain backdoors.
- Mobile phones are a security nightmare.
- Smart TVs, STBs, smart lights with gateways, etc, etc.

If you don't trust the Powerwall, don't hook it up to your network. Use a guest network or something. This goes for all WiFi devices you have in your home.
 
So the technician came, fixed a gateway, and then left. Still, I'm not getting accurate readings. My house is not producing energy yet it says it is. Also a conduit has to be supplemented with an extra one to not overload a conduit as designed and installed. Super strict inspector. Hopefully an electrician will be scheduled in the next couple weeks.
 
Worse is the teenage kid friends that visit and think they need to be in everyone’s WiF

All of this is one more reason to have IoT devices on a separate guest network. Whether or not that's good enough depends on the Wifi AP and how it's segmented (name, VLAN, etc.). But there is no way these devices need to be on the same Wifi/SSID/VLAN as the rest of your internal devices (PCs, file server, etc. traffic).

Exactly. We have two networks in the house, PRIVATE and GUEST. Private (actually a work-from-home requirement too) has PoshNamedNotCheap Routers and Firewalls, and they have a cost-licence MAC address limit, so if all visitors hooked up to that we'd hit connectivity limits for known -MACs ...

All the rest get the GUEST password and good luck to them! That WiFi/network gets them straight out of the door, bypassing all the security we have on the private network.

The Washing machine can have the Guest password if it likes ...
 