To have a chance at finding anything you have to use advanced search, and even then chances of success are small.
Sorry about that. PS. When I enter e.g. "DEFCON" in the forum search field and press the search icon, I get nothing. Perhaps Javascript from some third party site is required. Oh well.
It is though. They can open your car and steal your things.. or start it, have a joy ride, etc...
Remote access is actually quite a useful feature; think for a moment about having the ability to turn on the A/C before returning to your car on a sweltering summer day, knowing whether your car has finished charging, and so on. You should be able to leave remote access enabled in your car and still be secure, assuming you chose a suitably strong password. Why would such an attack not be considered a vulnerability?
The only hacks which I consider vulnerabilities are hacks committed (a) remotely, and (b) with app remote access disabled in the menu. Any such hacks are actually dangerous. Anything else... meh. "Local" hacks, of course, are things we want to be able to do to soup up our cars (once they're out of warranty).
Also realize that all Remote Access calls go through Tesla servers and do not connect directly to the car, likely limiting the ability to really hack the car through remote access.
In USA Today 7/22 there is an article about 2 guys hacking into a Jeep driving down the road at 70 mph.
If only I had posted that story yesterday in this very thread.
Also realize that all Teslas are on the AT&T cellular network.
Even though all remote access calls should go through Tesla servers, this doesn't mean that the car isn't exposed to the open internet.
A bad actor with your car's IP address and the right credentials or authentication bypass will be able to make a call to all available API functions. If they are able to find further vulnerabilities, they could also perform functions that are not directly accessible through the "public" API as well.
I'm guessing this last part is what we are going to see at DEFCON
They still have a month or so, if the vulnerabilities have been disclosed to them already they could easily get a patch out before then.
I don't think it would really ever be an issue for an owner. Most of these vulnerabilities are quite complicated and in general anyone with the skill to do them couldn't be bothered to actually use them. Not always though. It also depends on what the vulnerabilities are. If it's just allowing someone to remotely get some of your car data, that's not a big deal. If it's honking the horn and unlocking the car, that's a bigger deal, although not really something to be concerned about. If it allows the car to be put into drive, that could be a major issue.
Marketing is where the real issue will be. The local news will undoubtedly pick the story up and run with it regardless of the extent or practicality of the vulnerabilities.
Well, not necessarily. A lot of stuff has a public IP address, but it doesn't mean that you can get in there and mess around. As a software architect, I would probably build a lot of security into the communication between the car and Tesla's servers for control issues, even if none of them are particularly dangerous (like steering or braking). Lots of certificates, VPN, token exchanges, etc... there's a lot you can do that would make it crazy hard or impossible for the car to answer to anyone other than the mothership. The only attack vector that makes me nervous is getting new firmware installed, which I believe you have to confirm, and I assume the confirmation prompt has some kind of check for signed code or something.
The car's AT&T IP is useless also, as Tesla still uses the encrypted VPN connection over this link. Even if you MITM attacked via AT&T you wouldn't get anywhere.