Completely disagree. Long story short, people are idiots. There's no better way to put it really. People in general do NOT know what they're doing, and this is especially so when it comes to these cars.
I don't even like giving most people access to the basic diagnostic screens, because you can pretty much screw up a ton of things from there without much effort. Giving random people full root access? Nope. Not going to happen. I don't care how much you think you know about cars or Teslas... you don't know what you're doing inside that MCU. I've not done nearly as many cars as @Ingineer, but I have over 100 or so on my network... out of those I've given root access to maybe 2, and only because they managed to make a good case for it while proving their knowledge of such systems as well as accepting complete responsibility for whatever happens with their car as a result.
As for the hacking issue... if somehow you manage to hack my VPN server (which, as an IT security guy and as the overall over-cautious person I am, this is probably unlikely in the first place, but who knows...), you're not going to get access to anyone's car beyond, at best, remote-app API stuff... and I'd know about it almost immediately and just pull the plug on the server until it was worked out. I also actually secure the vehicle-side system itself against root hacks when I add my software to them so that all known vectors of attack are blocked, as well as some additional security on the car-to-VPN link to make things even more difficult.
Obviously, nothing is perfect, but honestly, I think you should be much more worried about people hacking into Tesla's fleet VPN, which I've personally managed to do multiple times to date, gaining full network access to every car in Tesla's fleet as well as what is essentially the current root password for every car (and obviously reported such issues to Tesla and was rewarded pretty large bounties each time). Tesla's network is a much more tempting target than a small network of salvage vehicles. I've not publicly posted much, if anything, about such efforts out of respect for Tesla's awesome software security team... who has pulled Friday night and weekend overtime as a result of my efforts on more than one occasion. Plus I figure the headlines wouldn't be flattering for them, either.
In any case, if you want full root access to your car... hack it yourself. If you want respectable and honest help with working on a vehicle, talk to @Ingineer or myself.
Beside you 2 guys, do you think there are other people here that are not idiots?
I personally met other people here who are not idiots and did useful things together in servicing these cars.
Anyway, it is good for this community that at least 2 guys are not idiots so we, all the rest, may pay you guys to do whatever you want on our cars as we are anyway too idiots to understand what you are doing.
What happens if, for example, nobody can reach you for a while? You have already secured other people's cars so they can not be hacked anymore. What these people can do with their cars, as we know are impossible to service without software access?
Of course I hacked it myself! This is anyway a good test: if you can hack it, you most probably know what is all about and you will not brick it, you are safe to full control it! But... it is not really rocket science!
This is a contradiction to me: How can Tesla have in the same time an awesome security team and the security flaws that you discovered, which are worse than anybody could imagine!
I presume (I have no info, it is just a supposition) that you can not publicly post because they probably made an agreement with you when they paid you bounties. Anyway, nobody here is interested in hacking Tesla network I think. Less people will be interested even in hacking the cars when Tesla will release a free version of Toolbox (if this will ever happen) so anybody could service his car.
There is no such thing as 100% security. I truly believe that anybody who feels responsible should have full access to their car.
My point was why we can not have both: hack our cars ourselves and have paid support from highly experienced guys like you? I mean, what is the difference if the user has a way to control his car and anytime wants to drop the connection with you, or if something goes wrong with you, the user can move freely to another service guy?
Although I supported some guys for free repairing dead CIDs, I am not personally interested in providing any paid services to others, I just believe and say it loud that no person in this world is the smartest, nobody knows everything, and nobody should make decisions regarding other people's property without letting these people (idiots or not) have responsible control of their property. Anybody (feeling idiot or not) should stand up for its rights to control its property.
This is why, as Tesla owners, we need to start raising @#@#$# to force a change. We want to be able to fully work on our cars without spending an ungodly amount to peek behind the curtain. We also need easily available and reasonably priced parts. We need the technical manuals to make sure we are doing things correctly and safely.
First, I'm under no such NDA regarding the vulnerabilities reported and the bounties received from Tesla. I personally choose not to publicly post the details of such vulnerabilities for a multitude of reasons. My primary motivation is that I've worked in IT security and know how these things play out. If the team is diligent about correcting an issue that's specific to their software upon reporting, then it doesn't do anyone any good to essentially publicly shame them for having the bug exist in the first place. It's corrected, fortunately no harm was done, and Tesla specifically rewards such white hat work generously.
Not sure I agree. There is a reason that CVEs exist and it is in the general interest of users to have vulnerabilities documented. This is done for practically every OS, every IoT device, etc. I don’t see why Tesla developers should get preferential treatment in this regard.
Further, if there is a vulnerability that allows fleet wide access, it is in the interest of owners to know that this vulnerability exists and which firmware versions are affected. For any other device I own, I can go online and research the vulnerability myself and determine the potential effect on my systems. But Tesla doesn’t disclose this information so it’s a bit of a Black box.
Change log, hahahhahaha. Does Tesla even know what one is, sighs.
I mean... they use git internally... shouldn't be that difficult.
As for Marco's "friend", he was engaged in an attempt to hack my server, so I revoked all the VPN keys for his cars to stop his attempts. That means I have no connection to his cars, and that also of course means that his remote app will no longer work. I will not tolerate that kind of behavior.
Did Tesla do bad?
But it can be re-enabled. Do they check anything online when supercharging? I think there is a setting to not even send the VIN for charging telemetry. Anybody tested that?
Yeah, Tesla did BAD. Disabling Supercharging (a feature sold with the car) is possibly illegal. Tesla has done this in the past, and there are federal and state laws that prohibit manufacturers (and dealers where applicable) from removing features that were existent at the time the car was first put in service (end users, that's a different story).
And THIS is why my cars don't talk to the Tesla mothership, don't use the Tesla SIMs, etc.
I think most all of us agree that it's a pretty dick move to disable it.
The question is, is it legal or not. They've been doing this forever, and have actually backed off on it in recent years. That makes me think it is legal in some cases, but who knows. It may be that a prior owner (the insurance company) agreed to have it disabled. Or there may be some obscure NHTSA rule that allows them to do this to make the car 'safe'. That's the key question.
If it's illegal, then get a lawyer and have fun, should be a pretty open and shut case.
If it's legal, whelp, that's what happens when you buy a salvage.
Tesla cannot alter your car after delivery without permission. They know that, but currently it's cheaper for them to just pay for the few lawsuits they get from this bad behavior.
If you take this to court, you will win, because they admit to the judge of their doing.
I don't know why any company would want to be so hostile to their customers (especially one that sells such expensive products), but they are. Very short-sighted approach, especially with the Model 3 being such a disaster. Sooner or later this hostility is going to wipe them out. Imagine buying a Model 3, which is a weirdmobile/model S cross that is inferior to the Model S in almost every way, paying $60k for it, and then discovering these shenanigans, along with incompetent service centers, and 6 month+ waits using their body shops that are the worst of the worst. It's a recipe for disaster....
Obviously the people buying the car don't agree with that assessment, especially those who think it's better than the S.
Overall first reaction: this is the best car I’ve ever owned including Tesla Model S (2)