
Thread: Please Enter Access Code

  1. #41
    Dr. EVS rolosrevenge
    Wait, brianman, did you actually guess the code and get in?

  2. #42
    Senior Member markwj
    Quote, originally posted by Rodolfo Paiz:
    Therefore you really have no choice but to employ the best security you can to well-and-truly LOCK people out of those screens. I suggest that, at a minimum, you need to combine a Ranger's individual password with a time-synchronized token such as those by RSA. Moving to two-factor security where one item (password) is something the Ranger KNOWS, but the other item (60-second numeric code on token) is something the Ranger HAS, is a very large step up. And it won't be very hard to program into the car's OS. There are other, even more secure, solutions, but this one works and has a very reasonable cost.
    Nerding out...

    Too complex. RSA would require the car to be online for the ranger to get in. The reasons are twofold: 1) it requires the public keys of all the ranger tokens who could possibly access the cars, which would have to be kept up to date with rangers joining and leaving the company (leaving in particular), and 2) the key fobs suffer from clock drift, so the system relies on the fob being regularly used and the current drift value of the fob from real time regularly updated.

    Point 2 is the big issue. RSA fobs work by the system generating not just the correct code for the current time / 30 seconds, to check against what the user enters, but also codes for N time periods before and after. It is configurable, but usually 4 or 5 time periods each way. If it finds a code that matches, it records the current offset for that user, and uses it in future - so it can deal with drift over time (so long as the user regularly logs on - at least more often than it takes his fob's clock to drift N*30 seconds).

    The RSA system works fantastically for banks because it is a single large centralized system. One ranger would be looking after hundreds of individual cars, and that is a very distributed offline system.

    What does work is a time-limited password based on the unique car. The ranger would visit an online internal website (access to which could be protected by RSA fob, or whatever), and be given a time-limited password valid to access a specific car. The access token would be made up of a hash of the vehicle unique ID (not necessarily vin), the date, and a secret. RSA asymmetric cryptography can be used to avoid the secret being shared. The centralized system better be damn reliable, or rangers might be unable to do their work.

    It is not rocket science, and the various algorithms are public knowledge.

    That said, I reckon the screens that hold proprietary information and/or allow changes to the vehicle systems, should be securely locked down. The other advanced technical information should be available to the user.

    That said, it is probably a waste of time. With physical access to the car, and sufficient determination, whatever Tesla do could be worked around. They can make life difficult for the hacker (tinkerer?), but they cannot stop them. Witness iPhone jail breaking.
    PLEASE NOTE:
    These musings are the copyrighted intellectual property of the author, and are intended as part of a conversation among the Tesla Motors Clubs membership.
    My words may not be quoted by any third party outside the Tesla Motors Clubs forums, without my express consent.
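
    The per-car, time-limited access code described in post #42, as an added example that is not part of the original thread and not Tesla's or RSA's code. It assumes HMAC-SHA256 with a per-vehicle key derived from a master secret (a symmetric stand-in for the asymmetric variant the post mentions); the vehicle IDs, secret, code length and `skew_days` window are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

CODE_DIGITS = 8  # assumed code length for the example


def vehicle_key(master_secret: bytes, vehicle_id: str) -> bytes:
    """Derive a per-vehicle key so the car never stores the fleet-wide secret."""
    label = b"vehicle-key|" + vehicle_id.encode()
    return hmac.new(master_secret, label, hashlib.sha256).digest()


def access_code(key: bytes, vehicle_id: str, day: date) -> str:
    """Code bound to one vehicle and one calendar day."""
    msg = f"{vehicle_id}|{day.isoformat()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10**CODE_DIGITS
    return f"{number:0{CODE_DIGITS}d}"


def verify(key: bytes, vehicle_id: str, entered: str,
           today: date, skew_days: int = 0) -> bool:
    """Offline check on the car; skew_days tolerates a drifting clock,
    like the N-period window described for the fobs."""
    ok = False
    for offset in range(-skew_days, skew_days + 1):
        expected = access_code(key, vehicle_id, today + timedelta(days=offset))
        # Constant-time comparison; check every candidate before returning.
        ok |= hmac.compare_digest(expected, entered)
    return ok


# Constructed sample values, not real identifiers or secrets.
MASTER_SECRET = b"constructed-demo-secret"
ISSUE_DAY = date(2013, 1, 15)


def demo() -> dict:
    key_a = vehicle_key(MASTER_SECRET, "CAR-0001")  # held by car A
    key_b = vehicle_key(MASTER_SECRET, "CAR-0002")  # held by car B
    code = access_code(key_a, "CAR-0001", ISSUE_DAY)  # issued by central site
    next_day = ISSUE_DAY + timedelta(days=1)
    return {
        "same_car_same_day": verify(key_a, "CAR-0001", code, ISSUE_DAY),
        "other_car": verify(key_b, "CAR-0002", code, ISSUE_DAY),
        "next_day_strict": verify(key_a, "CAR-0001", code, next_day),
        "next_day_skew1": verify(key_a, "CAR-0001", code, next_day, 1),
    }
```

    A key extracted from one car only yields codes for that car, and a code that leaks is useless once the day and the skew window have passed.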

  3. #43
    Member
    Agree with everything you said except that it would be a waste of time. Nothing is ever completely "safe", but we still have security. Increasing the difficulty of the hack is helpful and limits the exposure. While it may well be possible to jail-break the Tesla, my guess is that owners are far more reluctant to do that with an $80,000 vehicle than they are a phone. But if all they have to do is enter a static password that works all the time on every car made then that's a much simpler thing and less likely to result in a loss of warranty.
    P3,339: 60 kWh, blue/gray/lacewood, 19 inch wheels, tech package, sound package, air suspension
    Delivered: February 8, 2013

  4. #44
    S85 - VIN:P05130 - 3/2/13 jerry33
    And anyway, the RSA fobs were hacked a few months ago so they aren't very secure to start with.
    1. Do not copy anything that I post outside of the TMC forum without permission.
    2. Any advice or opinions posted here are to be taken as my personal opinions only. There is no implied warranty, fitness for purpose, or official statements from any company I may have been or am affiliated with.
    3. Even the best recommendations are wrong when used inappropriately.

  5. #45
    P85 #6649 "Magic Carpet"
    Also agree that it's not a waste of time. Sure there is someone out there who is determined enough, and skilled enough, to hack into a properly-secured system such as you or I described. But that'll be 1% or less of the potential cases. It limits Tesla's legal risk of being named in a liability suit when someone screws up their internal settings, it reduces the risk and spread of industrial espionage, and if the system is good enough it'll be darned hard to crack.

    If all Rangers log into their internal systems using the RSA token as I described, then each Ranger will be using his/her token at least a few times per week and that's more than enough to manage drift. However, I do agree that the car needs to be online for that to happen. There'd have to be a contingency method for the (probably pretty rare) cases when they need to work on a car that does not have connectivity.

    Your method works well too, by the way. As you noted, the algorithms are available, and none of this is rocket science. For that matter, I would hope that all of the communication between the car's internal computers and the mothership is sent over a simple SSL-encrypted connection (HTTPS would work well, so would SSH, and so on...). We have no way of knowing whether Tesla does that or not, but I submit that they're already using Linux so they have all the tools they need (for free, at that) in order to implement some very good common-sense security measures for the car.

    - - - Updated - - -

    Quote, originally posted by jerry33:
    And anyway, the RSA fobs were hacked a few months ago so they aren't very secure to start with.
    The fobs were hacked, yes. But I've been using them for 10-12 years at least with great results, and I can count the number of times they've been hacked in that time on the fingers of one hand. They're pretty secure. All systems are eventually hacked, because nothing's perfect, but these are pretty good. In this case, I'm just mentioning them as an example of an approach which is far more secure than a simple password. Lots of ways to skin this particular cat.

  6. #46
    R1211 & S282 NigelM
    Posts covering GeorgeB as the most interesting man in the world and speculation about Bonnie being a man in drag went here: The-Most-Interesting-Man-In-The-World

    (Really people? How bored were you all?)

  7. #47
    Model S R231 EU widodh
    I think neroden should have tuned it down a bit, but he has a point.

    When I buy the car I want to see that information about my car.

    I don't really mind right now since I'm still waiting, but in the future I'd like to get access to this info.

    Tesla is a new brand and they are fighting the established brands, so I'm not going to 'bug' them with this now, maybe in a year.


    Sent from my phone, so my apologies for typos.
    BMW M5 E39 - Kawasaki Z750R - 3-phase power - Not a Roadster owner, but the co-owner of my/our company is

    85kWh - 19" Cyclone grey - Pearl White - Tech Package - PDC - Sunroof - Twin-Chargers - Light package - Nappa Leather

  8. #48
    Junior Member Trixie
    But half the fun is trying to figure it out. It's like discovering a hidden compartment or secret decoder ring!

  9. #49
    R1211 & S282 NigelM
    @neroden: buying a product doesn't give you a right to any and all proprietary information behind that product; it also doesn't give you a right to publish any of that proprietary information should you manage to access it.

    I would also remind you that everyone expects a certain level of civility here on TMC; GeorgeB is a fellow member and IMO your aggressive tone is not appropriate. Further to that everyone realizes that in his position GB is totally unable to respond in any sort of manner the way another member would have. That makes your aggressive behavior a cheap shot.

  10. #50
    mod squad bonnie
    Quote, originally posted by NigelM:
    @neroden: buying a product doesn't give you a right to any and all proprietary information behind that product; it also doesn't give you a right to publish any of that proprietary information should you manage to access it.

    I would also remind you that everyone expects a certain level of civility here on TMC; GeorgeB is a fellow member and IMO your aggressive tone is not appropriate. Further to that everyone realizes that in his position GB is totally unable to respond in any sort of manner the way another member would have. That makes your aggressive behavior a cheap shot.
    Exactly. Very well said, Nigel.
    PLEASE NOTE: Posts are the copyrighted intellectual property of the author, and are intended as part of a conversation within this forum. My words may NOT be quoted outside this forum, without my expressed consent.
