TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker and becoming a Supporting Member. For more info: Support TMC

What are the Tesla update server IP addresses?

Discussion in 'Model S' started by Verynoice, May 8, 2019.

  1. Verynoice

    Verynoice Member

    Joined:
    Dec 12, 2017
    Messages:
    20
    Location:
    Baltimore
    Trying to figure out what IP addresses the Tesla updates come from so I can whitelist them on my home firewall -- anybody know what they might be?
     
  2. St Charles

    St Charles Tesla, not TSLA!

    Joined:
    Jun 21, 2016
    Messages:
    761
    Location:
    Virginia
    • Like x 1
  3. Twiglett

    Twiglett Single pedal driver

    Joined:
    Oct 3, 2014
    Messages:
    2,149
    Location:
    Austin
    Not going to be able to use IP addresses.
    It’s a not a good way of making exceptions anyway and just means things break every time they adjust their environment. Especially as you aren’t going to get notified when they do.
     
    • Like x 2
  4. -DB-

    -DB- Member

    Joined:
    Mar 3, 2019
    Messages:
    182
    Location:
    N.Ireland
    Maybe you can use the car's mac address instead
     
  5. ewoodrick

    ewoodrick Active Member

    Joined:
    Apr 13, 2018
    Messages:
    2,961
    Location:
    Buford, GA
    I believe that the connectivity will be outbound, not inbound. Otherwise the network could never get through the NAT.
     
  6. murphyS90D

    murphyS90D Member

    Joined:
    Jul 2, 2016
    Messages:
    373
    Location:
    Horsham, PA
    It's on the cellular network. The car has to have a phone number so the server(s) can call the car. Otherwise you wouldn't be able to wake up a sleeping car from the app. When the car is sleeping it is not connected to WiFi. I have a router in my garage and most of the time the car is not connected to it.
     
    • Disagree x 1
  7. ucmndd

    ucmndd Active Member

    Joined:
    Mar 10, 2016
    Messages:
    2,560
    Location:
    California
    Why are you whitelisting outbound sessions on your home internet?
     
    • Like x 1
  8. Verynoice

    Verynoice Member

    Joined:
    Dec 12, 2017
    Messages:
    20
    Location:
    Baltimore
    I have a Netgear router/firewall and it's also running a version of Bitlocker software, it reports that certain URL's that the car is trying to access are malicious -- why the car is connecting to URL's with IP address only is odd, so I figured that if I knew what the Tesla update IP addresses were, I would whitelist the Tesla update server and ignore anything else.

    I don't have the URL's handy right now, or I'd post them. So, the real question that I didn't post initially is why does the router think the car is trying to make outbound connections to these odd URL's that Bitlocker says are malicious?

    The Bitlocker software has already flagged two known good sites as malicious and that required me to contact their support to have them whitelisted, so I thought that perhaps this was similar.
     
  9. St Charles

    St Charles Tesla, not TSLA!

    Joined:
    Jun 21, 2016
    Messages:
    761
    Location:
    Virginia
    ...This service is called Bitlocker? You sure about that?

    Regardless, an SSH connection to an IP address is not, by itself, a concern. I would suspect if you packetsniff an SSH session, you'll find that this is quite normal. I would be more concerned that you have a service with enough false positives that you call into question each alert. I'd recommend using a different service if you can.
     
  10. pinball_player

    Joined:
    May 3, 2017
    Messages:
    213
    Location:
    Metrowest, MA
    It is connecting to IP addresses because the data is either HTTPS or SSH. Since the data is encrypted from the car to the destination, there is no way for your router to see the content of the data being sent and received.

    Furthermore, all connections use IP Addresses anyways. The domain name is resolved into an IP address by a DNS server and then the device connects to that IP address. So if your router has the capability, you should see domain name lookups for the servers that your car is connecting to.

    If the connection is secure, then there is no readable data that flows through your router.

    The only way around this is to setup a system where your router issues a certificate for the connection between the device (car), and the router/firewall. Then the firewall decrypts the traffic and then it is re encoded to HTTPS to Tesla. But the device (car) needs to accept that self signed certificate which it will never do.
     
  11. Verynoice

    Verynoice Member

    Joined:
    Dec 12, 2017
    Messages:
    20
    Location:
    Baltimore
    Err- Bitdefender -- sorry about that...
     
  12. Patrick W

    Patrick W Active Member

    Joined:
    Mar 17, 2015
    Messages:
    1,375
    Location:
    SLC, UT
    Just in case it helps answer the original questionI just made a screen save of all the IPs my S has communicated with over the past few hours. It's being very chatty today. :)

    r2.jpg
     
  13. pinball_player

    Joined:
    May 3, 2017
    Messages:
    213
    Location:
    Metrowest, MA
    It would be interesting to see what ports things are connecting on.
     
    • Like x 1
  14. Neil_dsb

    Neil_dsb Member

    Joined:
    Apr 28, 2018
    Messages:
    63
    Location:
    UK
    #14 Neil_dsb, May 10, 2019
    Last edited: May 10, 2019
    See attached my last 30 days of active connection through my security appliance, there are a few website eg Electrek, BTW no SSH (port 22) just https (port 443) and http (port 80)

    ports and ip.PNG
     
  15. Watts_Up

    Watts_Up Member

    Joined:
    Mar 4, 2019
    Messages:
    559
    Location:
    In a galaxy far, far away
    Beside establishing a whitelist, I would be more concerned about knowing which ports are open?
    Anyway, in this kind of OTA update, the weakest point is the DNS server which can easily be compromised unless using a secure connection.
    I imagine that the Tesla updated are correctly signed and tested to protect them from any malicious payload attack.

    Model S making outbound SSH connection from some address on AWS
     

Share This Page

  • About Us

    Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.
  • Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


    SUPPORT TMC