Security from the frontlines... (OR How to Hack A Model S talk at DEFCON)

A browser level vulnerability (i.e. tell users to go to a specific website for Tesla "app" like a trip planner) could be used to gain access to the touchscreen controls via privilege escalation. From there, it's just a simple matter to access other features.
 
Any streaming options for this defcon presentation? Would be very interesting to watch.

I've been on the receiving end of a few of these kinds of reported vulnerabilities by whitehat firms, and find whitehat hackers to be very "good" at using words like critical and similar for issues I would not categorise as such, even if said vulnerabilities should of course be fixed promptly.

Needing physical access, as the FT article hints at, to the interior of the car would fall into the "nothing to see here, move along" category for me personally, to be honest. I would have no problem with that until the flaw has been corrected.
 
Oh, that bit regarding WebKit is very interesting. Hopefully this could lead to some changes in terms of browser version etc. Just hope the hardware can handle it :)

The quote from the article said that Tesla already had the browser walled off, but did so even more when working with this team. It seems they might double down on the existing browser. :)

In addition, it seems that updates aren't signed by Tesla, but at a minimum the cars do require that the updates come *from* Tesla's infrastructure, so they'd have to compromise Tesla's update servers to get rogue firmware installed:

The firmware updates are downloaded as compressed files over an open VPN connection, and because the VPN connection is mutually authenticated between the car and the server, no one could upload rogue firmware to the car from an unauthorized location. But because the firmware updates are not signed, if an attacker were on the Tesla network and had access to the VPN structure, they could conceivably send rogue updates to Tesla cars. “If you gain access to the one server that is downloading the firmware you could substitute the firmware with your own,” Rogers says. Without pen-testing Tesla’s corporate infrastructure, however, this is just a theory.


I suspect we'll be seeing signed firmware coming in the next year or so.
 
Hmm... they had to gain physical access to the car first and plug in an ethernet cable. I think that would be the big security problem? This doesn't scare me a lot....

It would be worrying if they are able to start the car without the key. As an example, many BMWs have been stolen via an OBD-II connector. The thieves break into the car, either by smashing a window or prying the door open, then start it and program a new key via OBD-II.
 
Also in big news: Researchers have found that ICE cars can be disabled by crimping the fuel line while the car is in motion, possibly causing safety issues. They noted that physical access is required. They also determined that turning the key off or cutting the wire to the fuel pump has similar results.

But seriously, hacking is still a bit of a concern even with the physical access requirement. No telling what could be hacked given enough time once access is gained.
 
Needing physical access, as the FT article hints at, to the interior of the car would fall into the "nothing to see here, move along" category for me personally, to be honest. I would have no problem with that until the flaw has been corrected.

Yeah, big deal. I don't care about vulnerabilities that require physical access except when I can use them for personal use (ie, jailbreak).
 
Yeah, big deal. I don't care about vulnerabilities that require physical access except when I can use them for personal use (ie, jailbreak).

While this is certainly not a big discovery, IMO, Tesla does need to learn from what they did find out:

* Firmware updates are unsigned / unauthenticated... this is one of the biggest attack vectors that is getting attention lately. There are a lot of subsystems within the car that have access to critical CAN buses, and I can see a path that leads you to drivetrain CAN bus manipulation if you string a bunch of stuff together

* Entertainment system / touchscreen is important - if you compromise it, you can do anything the operator can do.
 
I can put a mechanical contraption that would cut a fuel line or some such thing inside an ICE car that can be remotely triggered through a cell phone. Is that considered hacking?

Or how about I get access to someone's user ID and password through social engineering and steal their money from their bank account - is that also considered hacking?

This is pretty lame.
 
The updates may be signed, but the firmware pushes to some of the connected modules may not be.

E.g., Tesla signs the bundle and the car validates that signature; however, the car may unbundle the firmware package and begin pushing updates to modules. The TPMS module might not have the ability to validate firmware -- it may not be signed/authenticated. That could be used as a vector, then - someone develops a new piece of firmware for the TPMS module that permits it to generate arbitrary CANbus messages to the drivetrain; the attacker uses his privilege escalation on the touchscreen to push that firmware to the TPMS, which in turn gives him a method to tunnel CANbus commands through the gateway (masked as TPMS pressure inquiries or something similar).

That's all speculation, of course, but it's the vector that's getting the most attention nowadays in embedded systems.