[edit: too early in the morning and no coffee. As to your PIN -- still requires an encryption implementation. You are talking about implementation details. Personally, I don't want to have to enter a PIN to use my car or features of it. I think the security/usability balance is adequately addressed by using an unsecured encryption key that is then used to facilitate rapid wiping.]
Actually, Apple's encryption doesn't require a PIN, though they have increasingly pushed users into doing something to protect their data. It works (roughly) as I outlined. Wiping is accomplished by erasing the encryption key. In such a system you do not have to have a secret to encrypt the key -- but without it the data is not protected at rest. Tesla certainly could implement such a system. The point would be not to protect the data at rest, but to allow rapid wiping.
However, this is easier said than done:
- the encryption key must be generated randomly. This is not as easy in practice as it is on paper
- the encryption algorithm must be implemented correctly. This is, again, not as easy in practice as it is on paper and, like the key generation, is another common source of vulnerability
- encryption operations must be fast. This is accomplished on your iPhone, laptop or desktop via hardware acceleration. I'm not sure what the processor capabilities in a Tesla are, but I would not be surprised if they lacked hardware acceleration for AES
- encryption operations should be efficient. Yeah, there's a huge battery -- but introducing another energy drain is still not a good idea. This generally goes hand in hand with hardware acceleration
- wiping capabilities must be securely implemented. Remember the security issues with the first Tesla remote unlock? Having your Tesla wiped by someone else would generally be considered a bad thing.
- remote wiping capabilities would also be a practical necessity. And as soon as you say "remote" then you introduce even more security issues. Is it run through the API? Currently there is an "all or nothing" approach to API tokens granted for an account. Consider, e.g., someone wiping all Teslas "for the lulz."
- scope has to be defined and choices have implications. It's easier to have all storage encrypted, but do you really want a wipe to brick the car? And when you reduce the scope to "just" sensitive data you have to determine what constitutes "sensitive" and then evaluate all data. For example, are the logs sensitive?
Again, I'm not saying it can't or shouldn't be done, but this sort of thing is not as trivial as "let's just encrypt it." What I'm cautioning is to not expect or push for a rushed implementation, and to educate that a fix is more than just turning on a capability, one that requires careful planning and hardware capabilities.
But when the problems with Tesla remote unlock were exposed Tesla did work on fixing the flaws. I expect this to be addressed as well, and most likely before other manufacturers.
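An added example (not from the post, and not Tesla's or Apple's code) of the design sketched above: a random per-scope data key that no PIN protects, AES-GCM from Go's standard library, and a wipe that only zeroes one scope's key so the rest of the car keeps working. The scope names ("nav", "system"), the method names and the nonce || ciphertext record layout are my assumptions.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

// Volume: one unprotected random AES-256 key per storage scope; erasing a key is the wipe.
type Volume map[string][]byte

// ErrUnreadable is returned once a scope's key is gone or a record is damaged.
var ErrUnreadable = errors.New("unreadable: scope key erased or record damaged")

// Provision installs a fresh key for scope from the OS CSPRNG, never math/rand.
func (v Volume) Provision(scope string) {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read cannot fail on Go 1.24+
	v[scope] = k
}

// Seal returns nonce || ciphertext+tag for one record in the given scope.
func (v Volume) Seal(scope string, plaintext []byte) ([]byte, error) {
	k, ok := v[scope]
	if !ok {
		return nil, ErrUnreadable
	}
	block, _ := aes.NewCipher(k) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block) // Go's AES uses AES-NI where the CPU has it
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; after CryptoErase of the scope it can only fail.
func (v Volume) Open(scope string, rec []byte) ([]byte, error) {
	k, ok := v[scope]
	if !ok || len(rec) < 12 { // 12 = GCM nonce size written by Seal
		return nil, ErrUnreadable
	}
	block, _ := aes.NewCipher(k)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, rec[:12], rec[12:], nil)
}

// CryptoErase wipes one scope (e.g. an assumed "nav"); others such as "system" survive.
func (v Volume) CryptoErase(scope string) {
	for i := range v[scope] {
		v[scope][i] = 0
	}
	delete(v, scope)
}
```

Nothing in this scheme hides the key from someone holding the hardware; as the post says, it buys fast wiping, not protection at rest.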