Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

Security in the Connected Car era... Jeep remotely victimized

This site may earn commission on affiliate links.
#21
FlasherZ said:
In addition, firmware updates aren't signed, but must come from Tesla - so at least there's not any obvious way for someone to push malicious firmware without compromising Tesla's infrastructure:
Click to expand...

"Must come from Tesla" is pretty loose though because without air-gapped signing there's no guarantee of that. The credentials for VPN were on the SD cards so just by being a Model S owner they can try to attack the VPN server and the infrastructure behind it, which could let them push bad firmware if successful. They can try to obtain access of an employee and escalate permissions. And the list goes on. Having a 4yr old WebKit vulnerability shows that not everything is carefully patched. I'm not trying to bash Tesla, they have done far better than a lot of car makers in a lot of areas. Just saying that it isn't great the firmware wasn't signed or that a known vulnerability hadn't been patched.
 
#22
manis said:
"Must come from Tesla" is pretty loose though because without air-gapped signing there's no guarantee of that. The credentials for VPN were on the SD cards so just by being a Model S owner they can try to attack the VPN server and the infrastructure behind it, which could let them push bad firmware if successful. They can try to obtain access of an employee and escalate permissions. And the list goes on. Having a 4yr old WebKit vulnerability shows that not everything is carefully patched. I'm not trying to bash Tesla, they have done far better than a lot of car makers in a lot of areas. Just saying that it isn't great the firmware wasn't signed or that a known vulnerability hadn't been patched.
Click to expand...

When I said "must come from Tesla", I was referring to their update servers, not the source of the updates. I get what you're saying, I should have been clearer.

As it turns out, Wired reported that Tesla informed them that updates are indeed signed by Tesla and validated by the car; the question is whether all the car's modules do that - IOW, is it possible that having superuser on the touchscreen allows you to push your own firmware to an individual module in the car, because the module doesn't check for signatures.
 
You must log in or register to reply here.

Similar threads

A
Tesla remotely pwned, arbitrary CAN injection
Replies
1
Views
917
Tesla, Inc.
pbceng
P
Wiki
  • Sticky
Wiki Consolidated eMMC Thread (MCU repair) (Black Center Screen)
Replies
2K
Views
302K
Model S
whitex
whitex
Fact Checking
Reporting on Tesla by Russ Mitchell (LA Times)
Replies
98
Views
26K
TSLA Investor Discussions
bhzmark
bhzmark
J
A Comprehensive Review of Leading Tesla FUD Touchpoints
Replies
9
Views
45K
Blog Archive
TSLA Pilot
T
Top
Back
Blog
New
Forum list
Marketplace
Menu