Tesla hacked and shut off while driving (with physical access to the car at first)

[yobigd20]

"Cybersecurity researchers were able to take control of a Tesla Model S car and shut it off while it was driving thanks to a security flaw found in the vehicle’s software, according to a new report."

Tesla Model S hacked, shut off while driving - National | Globalnews.ca

 

[bonnie]

Little bit more balanced report here: http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

Also gave kudos to Tesla for architecture, fail safe if something happened, and ability to delivery updates OTA.

Though the Tesla hacks highlight some of the dangers around digitally connected cars, the researchers’ findings are not as serious as those demonstrated two weeks ago against a Chrysler Jeep. In that case, the vehicle had no separation between its infotainment system and the critical drive system, so once researchers compromised the infotainment system they could communicate with the drive system and cut the brakes or control the steering if the car was in reverse. Tesla, however, has a gateway between the infotainment and drive systems that is intended to prevent a hacker, remote or otherwise, from reaching critical functions like these.

 

[Fezzik]

Both of these hacks require physical access to the car, at least initially

This is key.

 

[yobigd20]

Little bit more balanced report here: http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

Also gave kudos to Tesla for architecture, fail safe if something happened, and ability to delivery updates OTA.

yea good point. Tesla already patched it. I wonder if that's the software update that's been sitting waiting to install the last few days that I keep delaying, lol. I wonder if the release notes say "Hey guess what? We fixed a bug that used to let people shut down your MS while you were driving!!" yey! (hah, yeah right, they dont tell us anything in these release notes. they just tell us new features...imagine if they actually disclosed how many real bugs they fix in each release, I bet it's pretty disturbing lol).

 

[MsElectric]

Little bit more balanced report here: http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

Also gave kudos to Tesla for architecture, fail safe if something happened, and ability to delivery updates OTA.

Thanks for the Wired article Bonnie!

Unless I am mistaken they actually had to dismantle the Tesla and get the VPN keys and install software to do this right? This is an order of a magnitude more difficult than what happened with the Jeep. It seems this hack was possible because they were able to get physical access to the car and have the time to dismantle the electronics, which is a much higher bar.

 

[FlasherZ]

Some additional discussion here:
Security in the Connected Car era... Jeep remotely victimized - Page 2

Overall, having some experience in the security field, I'm pretty pleased with the results and response. These guys are the cream-of-the-crop when it comes to hitting these cars hard and finding exploits, and the car stood up really well. They required physical access to inject it, although I'm surprised as the ethernet hacking thread here suggested that Tesla released a software update that turned off the ethernet port in the car unless a Tesla service laptop woke it up.

- - - Updated - - -

Unless I am mistaken they actually had to dismantle the Tesla and get the VPN keys and install software to do this right? This is an order of a magnitude more difficult than what happened with the Jeep. It seems this hack was possible because they were able to get physical access to the car and have the time to dismantle the electronics, which is a much higher bar.

No, they didn't compromise any of that - they basically gained user access, and then superuser (root) on the Linux subsystem - which gave them the ability to do anything that Tesla exposes to the user through the touchscreen. The "shut the car off < 5 mph" in the original article comes from the big red "power off" button on the touchscreen.

They do point at more nefarious things they could do - they noted that Tesla properly built in a gateway to do some validation - although they saw how they might work around it. It was clear that a lack of understanding of CAN bus messages and structure are hampering them from doing what they do best - CANbus injection to control subsystems. Like I mentioned in the thread I posted above, I think Tesla will have to do a lot of structural work to protect firmware upgrades a bit better, so they really hamper the ability for compromise via that vector.

 

[jaguar36]

Its a shame that despite this actually being pretty positive, all of the headlines are just going to be "Hackers can disable your Tesla!!!"

 

[Jaff]

Why does this fact seem to "escape" so many reporters?

It's very hard not to cast a cynical eye to this issue...often looks like (verbal) malfeasance as opposed to nonfeasance ...

This is key.

 

[FlasherZ]

Why does this fact seem to "escape" so many reporters?

It's very hard not to cast a cynical eye to this issue...often looks like (verbal) malfeasance as opposed to nonfeasance ...

Go to the average newspaper or TV station website. Look for the ads, see what they are. They're local car dealers - they're going to push the networks to help their advertisers.

The technical blogs are getting it right.

 

[dsm363]

The wired article at the end:

Regardless of the issues found with the Model S, he still considers it “the most secure car that we’ve seen.”

Sounds like Tesla has done most of the things they needed to do right but can always make things more secure. Good to know they are working on the flaws uncovered by these researchers as well.

 

[AC123]

I am just so glad that the hack was laughably difficult. Defcon usually is not to be laughed at, but this gives me the warm fuzzies about being in a Tesla.

 

[ItsNotAboutTheMoney]

Why does this fact seem to "escape" so many reporters?

It's very hard not to cast a cynical eye to this issue...often looks like (verbal) malfeasance as opposed to nonfeasance ...

As the saying goes "Never let the facts get in the way of a good story."

I credit reporters with some intelligence and say that it doesn't escape them, but they don't care because in order to get paid, they have to get eyeballs, and "If you give people access to your car, people can do unpleasant things to it and you" is not going to get eyeballs. To put it a different way: people who write deceptive articles, and most particularly headline writers, are sufficiently comfortable with deception for personal gain that they continue to do that job. They are essentially con artists and should not be trusted.

 

[jbcarioca]

"Cybersecurity researchers were able to take control of a Tesla Model S car ..."

Tesla Model S hacked, shut off while driving - National | Globalnews.ca

This really should not have been the news. Here is the correct headline:
DEFCON DEMONSTRATION FROM CYBERSECURITY RESEARCHERS SHOWS TESLA MODEL S CAN BE STOLEN THEN USED IN BANK ROBBERIES AND MULTIPLE HOMICIDES. THE THIEVES NEED ONLY THE CAR KEY AND A FULLY CHARGED TESLA MODEL S

 

[bonnie]

This really should not have been the news. Here is the correct headline:
DEFCON DEMONSTRATION FROM CYBERSECURITY RESEARCHERS SHOWS TESLA MODEL S CAN BE STOLEN THEN USED IN BANK ROBBERIES AND MULTIPLE HOMICIDES. THE THIEVES NEED ONLY THE CAR KEY AND A FULLY CHARGED TESLA MODEL S

Hah! Exactly. What's wrong with these people???

 

[tga]

Have Mahaffey and Rogers release detailed info yet, or do we need to wait for the Defcon presentation? I didn't find anything on a quick search (just more content-free "Oh no! Your Tesla can be hacked!" articles).

 

[FlasherZ]

Have Mahaffey and Rogers release detailed info yet, or do we need to wait for the Defcon presentation? I didn't find anything on a quick search (just more content-free "Oh no! Your Tesla can be hacked!" articles).

I thought I read somewhere that the presentation was tomorrow morning.

- - - Updated - - -

I thought I read somewhere that the presentation was tomorrow morning.

EDIT: Blog post from Mahaffey:
The new assembly line: 3 best practices for building (secure) connected cars

 

[Gizmotoy]

EDIT: Blog post from Mahaffey:
The new assembly line: 3 best practices for building (secure) connected cars

Was just about to post that. Best to get our information directly from the source. Sensationalist headlines are sure to come, but it sounds like they were actually pretty impressed with the existing security of the vehicle, and also that the exploits that used are already patched and on the way out to our vehicles. I guess that's why I got a software update notification last night.

 

[tga]

EDIT: Blog post from Mahaffey:
The new assembly line: 3 best practices for building (secure) connected cars

Thanks for posting. I trolled around CloudFlare a bit, but didn't find anything. Got distracted before I could head over to Lookout.

 

[CliffG]

I thought I read somewhere that the presentation was tomorrow morning.

According to the schedule, 2PM Friday

EDIT: Blog post from Mahaffey:
The new assembly line: 3 best practices for building (secure) connected cars

Too bad the Press won't quote this line from the blog:

"Overall, I feel more secure driving in a Tesla Model S than any other connected car on the road."
and as noted elsewhere, physical access to the ethernet port was required first.

 

[liuping]

At least one positive article for Tesla about the hack:
Teslas Wireless Updates Offer Big Advantage Over Jeep After hack