
Successful connection on the Model S internal Ethernet network

Good luck on the WiFi, I sniffed that with Wireshark for a very long time but there is no port open. It doesn't respond to ICMP or such.

You'll only see OpenVPN traffic going towards mothership.vn.teslamotors.com, that's all.

On the Ethernet there used to be an OpenSSH daemon and a webserver on port 80. The only attack vector would be that webserver, but there was no CGI to be found there. Just "nowplaying.jpg".
 
Yup, it's virtually not even worth the time or effort, honestly. There are virtually zero attack vectors, and no one even knows if the car has bash installed anywhere to begin with, let alone find a way to exploit it if it is.
 
The car obviously runs a dhcp-client, and apparently some dhcp-clients will pass certain dhcp-options to external commands which might trigger a shell of some sort.
Of course it comes down to which dhcp-client it is running, whether it accepts those options, that it does not sanitise them, and will pass them to a process via the shell, AND that the shell is bash.
But if anyone wants to test, I believe this is the most promising approach.

Now, IF you find such an exploit, please act responsibly and report it to Tesla and give them time to fix it before you publish your find anywhere else!
 
I did some simple tests last night using tftpd64, setting option 114 and attempting to pass commands to the car and it doesn't seem to be working... that or simple commands have been removed from the car... not sure which... I tried sending a reboot command and a ping (and then monitored my network for the traffic) and neither one appears to be working.

I did learn though that if you do not let it actually connect out to the internet it will refuse to connect to your wifi connection. I purposefully was leaving out DNS servers in the DHCP configurations because I was trying to avoid it having full access outbound and it just wouldn't connect. I thought this was rather clever since when you are on WiFi the 3G card is not active and you want a seamless transition so things like your music don't get interrupted during the switch.

Anyway, unless someone else has any bright ideas, I think DHCP is a no-go.
 
Now, IF you find such an exploit, please act responsibly and report it to Tesla and give them time to fix it before you publish your find anywhere else!

Hey, I have an idea. The iOS dev team needs to notify Apple before publishing their code on the iOS 8.x jailbreak. That would really work out.

In all seriousness, though, if this is a remote exploit that can be accessed over 3G, then I absolutely agree. Tesla should be notified. If this is a local exploit that requires full access to the car then I wholeheartedly disagree. On many other car forums you will find ways to "hack" certain components. We shouldn't try to stifle that here. We are an enthusiasts' forum after all.
 
Of course, if the exploit requires physical access to the car, then that's a different matter than if all you need is a rogue dhcp-server or a webservice.
I would still have notified Tesla first though, because if I can find the bug so can somebody else, and they might be both better at exploiting it, and have less good intentions...
 
Pretty sure unless the exploit works over 3G (which is improbable since the 3G is under AT&T's NAT setup and is not accessible to anyone really) then it should be posted here. Tesla will certainly see it and fix it regardless.

Wifi... I don't go connecting my car to random wifi APs, so, this is also a non-issue. Post away.

Anything else obviously should just be posted here since people who want to utilize it will be able to do so.

At this point I'm more worried that someone will hack my My Tesla account, locate my car, and drive off with it using the new keyless driving stuff than I am about any potential remote exploit.

I mean, at this point I turn remote access off when I'm away from the house when I would otherwise have left it on for climate control, inconveniencing myself for the sake of security since there is virtually none with this keyless driving feature. A password essentially hands my car to a thief.

Obviously my password is pretty long and complex. Making this feature non-optional (either full mobile access or none) was a stupid move, IMO, but that's another thread...
 
The car obviously runs a dhcp-client

Hi, I registered just to make this comment:

At least some of the computers in the Models seem to run a Debian-based Linux (based on initial posts).

Several years ago Debian had the good sense _not_ to link /bin/sh to bash, but rather to dash. (This was done for performance reasons, but still).

So all the Shellshock exploits that rely on /bin/sh being linked to (a vulnerable) bash will not work on those Debian systems.

That should rule out the dhcp-client approach and any fork() in a CGI script and a host of other exploits.

Basically, with Debian and a vulnerable bash, the only [*] attack vector for shellshock is a bash script executed via CGI.

Interesting thread, btw.

[*] The system could have another vulnerability, that would allow an exploit of a vulnerable bash, but that is a different and rarer situation.
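
Added example (not part of any post in this thread): a local audit of the condition the DHCP and Debian posts above turn on, namely whether `/bin/sh` resolves to bash and whether that shell executes text trailing a function definition in an environment variable. The function names and the `probe` variable are made up for illustration.

```shell
#!/bin/sh
# Audit helper (illustrative; names are hypothetical, not from the thread).

# Follow symlinks to the real interpreter; fall back to the path as given.
resolve() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Classify an interpreter path by its file name.
shell_family() {
    case "$(basename "$1")" in
        bash*)    echo bash ;;
        dash)     echo dash ;;
        busybox*) echo busybox ;;
        *)        echo other ;;
    esac
}

# Return 0 if shell $1 runs the text that follows a function definition
# stored in an ordinary environment variable (the Shellshock behaviour).
imports_env_functions() {
    out=$(env probe='() { :;}; echo IMPORTED' "$1" -c ':' 2>/dev/null)
    [ "$out" = "IMPORTED" ]
}

# Report what system()/popen()/hook scripts would actually invoke via $1.
assess() {
    target=$(resolve "${1:-/bin/sh}")
    family=$(shell_family "$target")
    if [ "$family" != bash ]; then
        echo "not-bash:$family"
    elif imports_env_functions "$target"; then
        echo "bash:vulnerable"
    else
        echo "bash:patched"
    fi
}

# Check the system shell on the machine this script runs on.
assess /bin/sh
```

A `not-bash:dash` result matches the Debian default described in the post; scripts that name bash explicitly in their shebang line are outside what this check covers.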
 
Does anyone know the connector type?

Is it M12? I still use something I created myself but it's annoying and also bent the pins from the original connector (had to repair that by taking it apart and bending it slightly back again, because Tesla couldn't connect anymore due to the bent pins).

And does anyone know where to buy it (preferably in the Netherlands)?
 
The connector is a HSD Fakra. You cannot buy those easily in Europe. But they are available in China of course. This one here (not related):

http://www.ebay.com/itm/HSD-Fakra-Jack-C-type-connector-PCB-mount-for-Blue-GPS-telematics-or-navigation-/330861619827

for example has the right connectors, but the wrong coding of the route shell. You would need some tools to make it fit, but it works.
 
A friend who is a Tesla technician and ranger in Norway has informed me you need an access code to send traffic after 5.11. It's as described here earlier, plus an "authenticator" with a rolling / random code. So probably no dice for us in the future :/

If you want to hotrod your car's software, just get the source and reflash your car yourself with your own chosen access code.

Oh, right, Tesla is currently not releasing the source. You'll need someone who is a copyright holder for Linux to sue them for copyright infringement to get it. You'll win, of course, since Tesla's violation is flagrant and wilful.
 
Oh, right, Tesla is currently not releasing the source. You'll need someone who is a copyright holder for Linux to sue them for copyright infringement to get it. You'll win, of course, since Tesla's violation is flagrant and wilful.

But that's only if they modified the core OS. They're allowed to build on top of it with their own software without releasing the source of that. Nobody (yet) knows for sure if Tesla modified the Linux core. Just because you use Linux as an OS doesn't mean that you have to release *everything* built on top of it. Now if they modified the OS for their own purposes, they would have to release that, but even still, they would not have to release their own code built on top of it.
 

Well if you haven't seen this yet, looks like Floppy drives work... which makes me wonder... bootable linux on a floppy? hrmmm... if only I had my Floppy drives hanging around still. I might actually be able to find one at work. Although I doubt very much that you could override the boot order on the system, it might be worth a shot... maybe because it is a floppy, and floppy drives normally defaulted to the top of the boot order it might somehow work???

Anyway, I doubt this will work for long and is likely to be patched out on the next release so you had better get the going while it's good :)
 
Considering the floppy is connected by USB, I doubt the system would prioritize it over any other USB media. The old floppy boots first thing is with a floppy connected on the old cables, not USB.

Yeah, that's what I'm thinking. USB storage is USB storage. You can play your music off a USB stick, hard drive, or floppy drive, because it sees them all as the same thing. It stands to reason if you can boot off one of those devices, you can boot off any of them.
 
There is absolutely no reason to plug a floppy drive into your Model S. Use a usb stick. The trick is to convince the computer to boot off of usb storage, which may be impossible.

Right, hence chickenlittle's assumption that a floppy is higher on the boot list. So there is a reason to try a floppy.

Considering the floppy is connected by USB, I doubt the system would prioritize it over any other USB media. The old floppy boots first thing is with a floppy connected on the old cables, not USB.

This is also likely true. But it's worth a shot if someone has a USB floppy drive.

Did anyone try a USB boot back when we had keyboard access?