
Tesla hacked and stolen (video)

Discussion in 'Model X' started by Dj B, Nov 25, 2016.

  1. Dj B

    Dj B Member

    Joined:
    Nov 15, 2016
    Messages:
    92
    Location:
    Nevada
    Is this real? If so, I'm nervous about my purchase. Obviously, there are a series of events that need to occur. I don't think I would ever download an unknown app for a free burger, but I might unknowingly download something as hackers continue to get more savvy at getting us to click on stuff. Anyone know if this issue has been addressed by TM? Sorry if this has already been addressed, I can't search this site to find any previous threads about it.

    https://youtube/5jQAX4540hA
     
    • Love x 1
  2. vigge50

    vigge50 Member

    Joined:
    May 2, 2014
    Messages:
    385
    Location:
    Sverige
    Tesla Norway has commented on it and they said that the bug is not in the Tesla app but in the Android system, where an app could get control over other apps. If you don't have an Android you shouldn't need to worry, and according to this article it has been solved in the last version of Android, so if you have an Android you should update your phone.

    Hackers show how to steal a Tesla with a hack that has nothing to do with Tesla…
     
    • Helpful x 1
  3. Haxster

    Haxster Member

    Joined:
    Apr 4, 2016
    Messages:
    516
    Location:
    Silicon Valley
    That's awful...being scammed out of a free burger.
     
    • Funny x 2
    • Like x 1
    • Love x 1
  4. DOCAL

    DOCAL Member

    Joined:
    May 5, 2016
    Messages:
    145
    Location:
    San Jose, CA
    As vigge50 says, this isn't a weakness in anything that Tesla has control over.

    In the car you can turn remote access on or off. If you decide to have it on, then you need to understand that your phone now has limited control over the car. Just like other apps on it may allow access to your bank account, stock broker account, cameras in your house, electronic lock on your front door, thermostat and many other things.

    So make sure your phone has a strong passcode, is encrypted, has remote-wipe enabled, and don't install apps from untrusted sources.
     
    • Informative x 1
    • Like x 1
  5. AnxietyRanger

    AnxietyRanger Well-Known Member

    Joined:
    Aug 22, 2014
    Messages:
    6,166
    Location:
    EU
    Frankly, Tesla really needs more granularity in their remote control security settings. I am always astonished they haven't implemented anything more than an on/off switch inside the car for this.

    Even one extra, sort of middle ground setting, would go a long way in alleviating these concerns. On this setting the car could allow e.g. setting climate, honking the horn or blinking the lights, seeing the data - the usual parking lot things - but deny opening doors or starting the car (and deny changing these settings unless the key is inside the car, so breaking a window still won't let you drive away).

    As long as the penalty for more security is the inability to use any of these useful remote settings, few people are willing to turn remote off and the risk of something bad happening remains high.
     
    • Like x 3
  6. Saghost

    Saghost Active Member

    Joined:
    Oct 9, 2013
    Messages:
    4,560
    Location:
    Delaware
    It's real, and out of Tesla's control. Notice that they needed four things, though:

    First, they needed a compromised app installed in the phone. I'm pretty sure that the reviews Apple and Google do would keep such an App out of the app stores.

    Second, they needed to find and exploit a hole in the phone's operating system so the compromised app can read data from other apps.

    Third, they needed the phone to be operating on a compromised Wi-Fi network, so the compromised app could send the data.

    Fourth, they needed the user to actually enter the username and password to Tesla, instead of using the token the user got in some prior session like most of us do most days.

    There's not much you can do about gaps in the OS except install updates promptly when offered, but the rest are entirely avoidable - don't install random apps outside the secure structure, don't send any data from unknown Wi-Fi, and if you're on unfamiliar Wi-Fi, don't log in to anywhere secure, including the phone app.

    Even though the exploit shown doesn't involve any bugs on Tesla's side, there are a few things Tesla could do to make it more secure - the granular permissions someone mentioned above, two factor identification of the device making the request, or even requiring biometric verification for some of the actions since I think nearly all current generation phones have a fingerprint reader. (Any or all of these could be made into options selected by an authenticated user or hard requirements.)
     
    • Helpful x 2
    • Like x 2
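
The tiered remote-access setting proposed in posts 5 and 6 above, sketched as a server-side authorization check. This is an added example, not part of the original thread and not Tesla's code; the command names, the `LIMITED` tier and the `biometric_ok` and `key_in_car` inputs are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class RemoteMode(Enum):
    OFF = 0      # in-car switch off (exists today, per the thread)
    LIMITED = 1  # hypothetical middle tier proposed in the thread
    FULL = 2     # in-car switch on (exists today, per the thread)

# Hypothetical command names, grouped by what a thief could gain from them.
LOW_RISK = {"set_climate", "honk_horn", "flash_lights", "read_status"}
HIGH_RISK = {"unlock_doors", "remote_start"}

@dataclass
class Request:
    command: str
    token_valid: bool           # session token verified server-side
    biometric_ok: bool = False  # fresh fingerprint check on the phone

def authorize(mode: RemoteMode, req: Request, require_biometric: bool = True):
    """Return (allowed, reason) for one remote command; default is deny."""
    if not req.token_valid:
        return False, "invalid session"
    if mode is RemoteMode.OFF:
        return False, "remote access off"
    if req.command in LOW_RISK:
        return True, "low-risk command"
    if req.command in HIGH_RISK:
        if mode is not RemoteMode.FULL:
            return False, "not allowed in limited mode"
        if require_biometric and not req.biometric_ok:
            return False, "biometric step-up required"
        return True, "high-risk command authorized"
    return False, "unknown command"

def may_change_mode(key_in_car: bool) -> bool:
    """Changing the tier needs the physical key in the cabin, so stolen
    credentials or a broken window cannot raise LIMITED to FULL."""
    return key_in_car

if __name__ == "__main__":
    # Constructed scenario: attacker holds a valid login, car is in LIMITED.
    stolen = dict(token_valid=True, biometric_ok=False)
    for cmd in ("read_status", "honk_horn", "unlock_doors", "remote_start"):
        print(cmd, authorize(RemoteMode.LIMITED, Request(cmd, **stolen)))
```

With the car in `LIMITED`, a phished username and password still reach the parking-lot functions but not the doors or the drivetrain, and in `FULL` the same credentials fail the step-up check unless the owner's fingerprint is present.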
  7. AnxietyRanger

    AnxietyRanger Well-Known Member

    Joined:
    Aug 22, 2014
    Messages:
    6,166
    Location:
    EU
    Good additional ideas.

    Given how little Tesla has done in the domain (while adding outrageous things like being able to start the car from the app without any additional security), I'd be hesitant to say anything is "out of Tesla's control". There is so much more they could do first... (I get it that a specific Android-related vulnerability is technically out of Tesla's control, but not really in practical terms. Tesla could do a lot to stop it.)
     
  8. Sawyer8888

    Sawyer8888 Member

    Joined:
    Mar 16, 2017
    Messages:
    180
    Location:
    South Florida
    #8 Sawyer8888, May 4, 2017
    Last edited: May 4, 2017
    Exactly. Get a better data plan and stop connecting to that "FREE" WiFi at the mall. Hackers love to draw you in by using the word "free" in the WiFi description. If you see that in the list of available WiFi options, then it's probably a hacker. It's a growing problem that is getting worse by the day.

    Be smart so that your Tesla, your passwords, your bank account, credit cards and everything else connected to your phone (literally everything) won't get stolen.

    This is somewhat old news. Here's a 2015 story on it...

    Hackers set up fake Wi-Fi hotspots to steal your information
     
    • Like x 1
  9. dmd2005

    dmd2005 Member

    Joined:
    Oct 5, 2015
    Messages:
    299
    Location:
    Abbotsford, BC, Canada
    Moral of this story...don't be greedy and buy your own burgers.
     
  10. Canuck

    Canuck Active Member

    Joined:
    Nov 30, 2013
    Messages:
    4,947
    Location:
    South Surrey, BC
    "If you are driving a Tesla and it's stolen, is it now called an Edison?"
    Credit to the comments section of that YouTube video.

    Seriously? If your car gets hacked and stolen I think you'd be the first. If you get it and accidentally total it, you'd join the ranks of many. But both ways, you'd have insurance - so why be nervous? I'm more nervous about a potential crash than the hack, and Tesla protects you extraordinarily well that way.
     
    • Informative x 1
  11. AnxietyRanger

    AnxietyRanger Well-Known Member

    Joined:
    Aug 22, 2014
    Messages:
    6,166
    Location:
    EU
    I believe there have been one or two potential hack and steal cases reported in, was it Germany? I understand in those cases the passwords were brute forced open or somesuch.

    There really is very little in terms of protections in the system itself. Simple on/off switch in the car and an old fashioned username/password in the app.

    More granularity in the car's security settings and multi-factor authentication with revocable certificates are definitely needed to bring it up to date. Until then, keeping remote control off is a valid suggestion, IMO.
     