Security Evaluation of the Tesla Model S
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
"Pioneers get slaughtered, and the settlers prosper." - Daymond John
They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.
Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Has any hack of these 'vulnerabilities' ever been proven to have actually occurred yet?
How to steal car:
...
1. Guess username and password.
2. Log in to "https://portal.vn.teslamotors.com".
3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
And those guys think they're going to do automatic driving. Right.
Big car makers and the oil industry will hammer on these weaknesses to show people how untrustworthy the Tesla is. Hell, they'll probably try to make one rear end an old Corvair just for the lulz.
Trolling is a art,
...insightful. So tired of the continual Tesla astroturfing here...
Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By then they will probably have a gen 2 Tesla that requires a 7 digit password.
I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least, if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.
If you are not allowed to question your government then the government has answered your question.
Don't have a need for a vehicle with a password, or connected in any way to the net... Keep it simple stupid. If I want connectivity, I'll add it myself.
Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?
Get free satoshi (Bitcoin) and Dogecoins
Oh look, another Tesla article. It must be a day ending in Y
How exactly is the dishonest support staff bit different from the other automotive remote assist technologies?
With Remote Door Unlock, OnStar can have your door opened quickly.
Call 1.888.4.ONSTAR (1.888.466.7827).
Verify your account information.
A remote signal is sent to your vehicle that usually unlocks the doors.
It’s available anytime, day or night, with no limits on how often you can call for help.
Put your OnStar sticker in your window — or program the number into your cell phone — so you’ll have easy access if you need it.
It goes without saying we'll both lie to the customer.
We'll just plain be honest with each other.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
-1Troll - Bad speller
Tesla S is a leading edge tech product in the rising EV automotive sector, and this particular article is about the car's security issues involving computer accounts and passwords. That's EXACTLY the kind of topic that constitutes good technical material for nerds.
What do you suggest Slashdot should cover instead?
never a better time to consider ourselves in relation to one another & our spiritual connection with our universe, momkind http://www.youtube.com/results?search_query=moms+against+population+abuse&sm=12 too much religion can kill us?
Wrong on both counts
...trusted sources reported today that if a Tesla vehicle is dropped from orbit, the impact would be devastating. The NTSB is looking into this, and Fox News reports that Obama is responsible. Scientists confirm using actual math that the outcome is all but inevitable.
[camera shows stock shots of meteor crater in Arizona]
Tesla has not responded to our requests to comment, except to say that SpaceX cargo capacity is a privileged corporate information.
In financial news, Aluminium foil prices are up.
I've fallen off your lawn, and I can't get up.
This was a red flag immediately for me when we took delivery of our Model S recently, that all I needed was our Tesla account and password to have full access to location, climate controls, unlock doors. I immediately set a very strong password on the account. I really wish they would make this a two factor config: I log in to the Tesla mobile app, then must authorize the mobile device via the touchscreen in the car. Or perhaps it will allow access if the mobile device has been paired to Bluetooth. Either way, I agree that I'm a bit uneasy about just user/pass access to that kind of data on our car.
I know service can unlock your car remotely, since I have one (model S) and they did it for me.
The interesting thing is Elon made his fortune at PayPal. You think he'd know better.
David Whatley
1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.
Tools required: One. (may substitute inexpensive gun replica if low budget operation)
Number of attempts required for success: One
Technical knowhow required: Zero.
Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.
I've fallen off your lawn, and I can't get up.
Just coat it with dead meat and bring about a golden eagle. Then you can have eagle wings on either side of it, while it looks for your little 1" worm.
How does one steal these cars? Is anybody even trying and succeeding at stealing them yet?
Ok, so you take the quite likely insured car... How do you get away? Drive like mad for... 300 miles then wait for many many hours to recharge? (NO, instant battery swap requires ID, quickcharger stations talk to the computer probably ID the car too, slow charging is probably the only secure way and that takes TIME.) Naturally all this is after you rip out wherever their cell modem's antennae is.
They don't need much service, Tesla does it cheap if you do. The parts are custom to the car and not really usable outside Tesla, so what market is there for parting it out from a chop shop?
The cars are loaded with tracking and IDs that all need to be removed, securely. How would you sell a hot Tesla? Do they even have used Teslas being sold at dealerships? Oh, yeah, the dealerships HATE Tesla and are working to ban them state by state. How do you sell it? Some ignorant pawn shop owner?
How about running the battery DEAD remotely and damaging the car? Oh, Tesla gets informed and a tech stops by and saves the car for you... which has been reported as happening already (not from a hacker but from it getting too close to dead.)
Democracy Now! - uncensored, anti-establishment news
How exactly is a 6 character (number + letter) password secure in the absence of a delay?
Statistically, by brute forcing, you'll run into the answer at (1/2) * (36^6) / 31,536,000 seconds = about 34.5 years, assuming 1 try per second.
Now, let's say I can use a botnet with 100 bots with an average per connection time of 0.5 seconds. That's (1/2) * (36^6) / (100*2*31,536,000 seconds) = about .17 years (or about 63 days, a little over 2 months).
If I have a botnet with 1000 bots that take 1 second each, that's 6.3 days.
How much would it take to unlock a Tesla in 15 minutes (900 seconds)? If we assume our botnet averages a delay of 1 second, and there aren't any network admins doing their jobs or any automated traffic monitoring, that's 900 seconds = (1/2) * (36^6) / X. X = (1/2) * (36^6) / 900 seconds = about 1,209,324 bots.
If a bot costs $1 to rent for 1 second, it wouldn't be profitable to unlock Teslas in 15 minutes. A Tesla's base price is $59,900, so with 29,950 bots, one could unlock a car of double the value in 10 hours.
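The server-side delay suggested earlier in the thread and the botnet arithmetic above can be put side by side. This is an added example, not part of any poster's comment and not Tesla's code; `AccountThrottle`, its parameters and the sample account name are hypothetical, and the 36^6 keyspace is the thread's own assumption. It keys the backoff on the target account rather than on the connection, so adding clients does not raise the guess rate:

```python
# Added illustration; AccountThrottle and its parameters are hypothetical.
KEYSPACE = 36 ** 6             # six characters of letters + digits, as in the thread
SECONDS_PER_YEAR = 31_536_000

class AccountThrottle:
    """Backoff keyed on the target account, not on the client connection."""

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}       # account -> consecutive failed logins
        self.next_allowed = {}   # account -> earliest time the next guess is evaluated

    def delay_after(self, failures):
        """Seconds to wait after the n-th consecutive failure (doubles, then caps)."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)

    def attempt(self, account, now, password_ok):
        """Return 'throttled' (password not even checked), 'ok' or 'denied'."""
        if now < self.next_allowed.get(account, 0.0):
            return "throttled"
        if password_ok:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        self.next_allowed[account] = now + self.delay_after(n)
        return "denied"

def expected_years_unthrottled(guesses_per_second):
    """Average time to hit one password: half the keyspace at the given rate."""
    return KEYSPACE / 2 / guesses_per_second / SECONDS_PER_YEAR

def expected_years_throttled(throttle):
    """With the backoff at its cap, one guess per max_delay however many clients try."""
    return KEYSPACE / 2 * throttle.max_delay / SECONDS_PER_YEAR

def evaluated_guesses(bots, seconds):
    """Constructed load: `bots` clients each send one wrong password per second."""
    throttle = AccountThrottle()
    results = [throttle.attempt("owner@example.com", float(t), False)
               for t in range(seconds) for _ in range(bots)]
    return results.count("denied")

if __name__ == "__main__":
    print("unthrottled, 1 guess/s:   %.1f years" % expected_years_unthrottled(1))
    print("unthrottled, 200 guess/s: %.2f years" % expected_years_unthrottled(200))
    print("throttled at the cap:     %.0f years" % expected_years_throttled(AccountThrottle()))
    print("guesses checked in 10 min: 1 bot=%d, 100 bots=%d"
          % (evaluated_guesses(1, 600), evaluated_guesses(100, 600)))
```

Keying on the account caps the guess rate regardless of client count, but it does nothing against offline guessing of stolen password hashes, and it lets anyone who knows the account name delay the owner's own login.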
Other vendors (at least one German one, though I don't remember which) can remote-unlock your car as well and no one complains.
Is there a market for used or stolen Tesla cars or parts?
It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.
On the other hand, its materials/recycle value is probably above average for vehicles of its size.
If you have a botnet, you can have tens of thousands of computers do a log on attempt almost simultaneously. It'd take just a few days at full speed (tesla would notice) and a few weeks at moderate speed to get a significant amount of Tesla car accounts cracked. Once you have that, you can use the account details to find the exact location of those cars. At those numbers, the chance of finding one near you is actually high enough for thieves to be able to drive to one near by so they can unlock it and get it in their trailer. Once they have the car in their possession, they would probably find a way to hack it and give it a new identity or at least make it drivable.
The big limiting factor for this happening is the fact that Tesla is in control of the entire food chain for Tesla parts, maintenance and they have tracking data for every car at every moment in time. Cars that aren't in their system or that are reported stolen will simply not get serviced and their VIN and such will be in a database that will make it extremely hard for people to get those cars insured or get license plates.
The only market for stolen Tesla cars I can think of would be scrap metal and resale of the very expensive battery packs for other use, or countries where they don't really care about maintenance with stolen parts on stolen cars. You'd have to steal a bunch of cars, sell a few and take the rest apart as a parts donor for the stolen cars in order to make that business model work.
This limits the usefulness of hacking into Tesla cars at this moment, but once Teslas are found on every street corner and the thieves/hackers have found ways to fool the computers in the Tesla to believe stolen parts are genuine, you'll see a market for stolen cars and parts emerge and people will swap car identities and parts identities to make the vehicles and parts stolen legit again.
Tesla is learning the hard way themselves and obviously haven't had security people help design their "smart" network and web part. I think it's time they start working on designing version 2.0 for their whole system and do a design with security built in, starting from scratch. With the current user base and their total control of the sales and repair of the cars, they can get away with the current flaws in the system, but that will not last very long.
I was promised a flying car. Where is my flying car?
It is really worrying after the news of the NSA hacking into technology systems and leaving back doors, not only for access by the NSA but by hackers. It is bad enough that the NSA will be able to track you and listen to conversations in cars, but they can now kill you by causing a malfunction that seems like an accident. This may not be due to some kind of national security reason but to harm and destroy Tesla if they are seen as a threat to the big political donors such as the car dealer lobby group or to Michigan auto makers, as they have done to many auto start-ups. Tesla's rise is because the Detroit mob was weakened by the 2008 financial crisis. The worst is some will do it as a political point, as we remember Mitt Romney is geared to destroy Tesla, which definitely will not be around if he became President. This is not some far-out idea, as there have been many cases in the past and it is still going on.
"Is there a market for used or stolen Tesla cars or parts?"
Not very likely. Even the radio is dangerous for the ears, since the volume goes up to 11.
http://en.wikipedia.org/wiki/U...
* Can the owner switch off the remote control/access to their car?
* Can the owner switch off the remote control/access to their car by Tesla as well as the owner?
* 6 character password. Is that the minimum length or the length it must be (i.e. can't set a longer one)?
* It mentions an iPhone app. What if I don't have (or want) an iPhone?
* What cars made by companies other than Tesla have similar systems?
The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special characters. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.
His major mistake is not comparing the electronic security to current security.
He complains about static, short complexity passwords, but does not recognize that most of the time longer, more complex passwords decrease security.
Many current car locks can be picked by a guy with a bump key. The electronic security he lists is in fact far more secure than the standard key lock/ignition. More importantly, cars have side windows that can all be easily broken.
Locating and breaking into cars is not and has never been that difficult, and Tesla's methods are not significantly less secure than methods used by other people.
Particularly because the real owner can always tell where the car is.
In fact, I would suggest you remove the lock entirely, and simply put a camera viewing the driver seat.
Someone takes your car, track down the GPS location, check the video on who stole it, and arrest them.
Won't stop joyriding fools, or vandalism, but unless you lock the car up in manned garage everywhere you go, you can't do that anyway.
excitingthingstodo.blogspot.com
Now they know when you meet your friend to discuss clandestine ways to protest the crimes of the MIC.
Get yourself a cellphone jammer or build one.
Is there a market for used or stolen Tesla cars or parts?
It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.
On the other hand, its materials/recycle value is probably above average for vehicles of its size.
I know /. is very US centric, but in Europe driving a stolen car over a border is trivial and a Tesla will fetch a good price even in Eastern Europe.
Calling someone a "hater" only means you can not rationally rebut their argument.
By the same token, though, I'd have to imagine that European law enforcement types have (formally or informally) had to adapt to the fact that "Eh, just report the details to border control and call it a day" doesn't work anywhere in the Schengen Area anymore. Most of Europe also has suitably compatible cellular operations, so I'd feel about as safe across a European 'national' border as I would across a US 'state' one.
Either way, once you get 'outside the country' whether literally (US) or figuratively (the parts of Europe that actually play nicely with each other) and strip the phone-home features, you probably do have a saleable product; but definitely a shady one. Tesla has never been secretive about (indeed, they consider it part of their customer service) the fact that vehicles phone home to report issues, assist in necessary maintenance, etc. so selling a suitably de-fanged Tesla would probably be more like selling enterprise network gear that mysteriously lacks any warranty entitlements, valid serial numbers, etc. than it would be like selling an ordinary 'used car of dubious provenance'.
For the moment, I'd imagine that the better money is either something mundane but trivially flippable/partable that you can do in relative volume with limited expertise, or bespoke hits on very high value stuff. Now, give it another few years, maybe a decade, and you'll have a number of legitimate Tesla buyers who no longer have warranty coverage and are looking for a good deal on a new battery/other part. That could change the equation.
https://xkcd.com/538/