Slashdot Mirror
Security Evaluation of the Tesla Model S
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
"Pioneers get slaughtered, and the settlers prosper." - Daymond John
They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.
Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
How to steal car:
...
1. Guess username and password.
2. Log in to "https://portal.vn.teslamotors.com".
3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
And those guys think they're going to do automatic driving. Right.
Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By them they will probably have a gen 2 Tesla that requires a 7 digit password.
I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least , if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.
If you are not allowed to question your government then the government has answered your question.
Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?
Get free satoshi (Bitcoin) and Dogecoins
It is not like it is difficult to unlock almost any car.
Help stamp out iliturcy.
It goes without saying we'll both lie to the customer.
We'll just plain be honest with each other.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
...trusted sources reported today that if a Tesla vehicle is dropped from orbit, the impact would be devastating. The NTSB is looking into this, and Fox News reports that Obama is responsible. Scientists confirm using actual math that the outcome is all but inevitable.
[camera shows stock shots of meteor crater in Arizona]
Tesla has not responded to our requests to comment, except to say that SpaceX cargo capacity is a privileged corporate information.
In financial news, Aluminium foil prices are up.
I've fallen off your lawn, and I can't get up.
I know service can unlock your car remotely, since I have one (model S) and they did it for me.
The interesting thing is Elon made his fortune at PayPal. You think he'd know better.
David Whatley
1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.
Tools required: One. (may substitute inexpensive gun replica if low budget operation)
Number of attempts required for success: One
Technical knowhow required: Zero.
Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.
I've fallen off your lawn, and I can't get up.
How does one steal these cars? Is anybody even trying and succeeding at stealing them yet?
Ok, so you take the quite likely insured car... How do you get away? Drive like mad for... 300 miles then wait for many many hours to recharge? (NO, instant battery swap requires ID, quickcharger stations talk to the computer probably ID the car too, slow charging is the probably the only secure way and that takes TIME.) Naturally all this is after you rip out wherever their cell modem's antennae is.
They don't need much service, Tesla does it cheap if you do. The parts are custom to the car and not really usable outside Tesla, so what market is there for parting it out from a chop shop?
The cars are loaded with tracking and IDs that all need to be removed. securely. How would you sell a hot Tesla? Do they even have used Tesla being sold at dealerships? oh, yeah, the dealerships HATE Tesla and are working to ban them state by state. How do you sell it? Some ignorant pawn shop owner?
How about running the battery DEAD remotely and damage the car? Oh, Tesla gets informed and a tech stops bye and saves the car for you... which has been reported as happening already (not from a hacker but from it getting too close to dead.)
Democracy Now! - uncensored, anti-establishment news
Ohter vendors (at least one german one, though I dont remember which) can remote-unlock your car as well and noone complains.
Is there a market for used or stolen Tesla cars or parts?
It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.
On the other hand, its materials/recycle value is probably above average for vehicles of its size.
If you have a botnet, you can have tens of thousands of computers do a log on attempt almost simultaneously. It'd take just a few days at full speed (tesla would notice) and a few weeks at moderate speed to get a significant amount of Tesla car accounts cracked. Once you have that, you can use the account details to find the exact location of those cars. At those numbers, the chance of finding one near you is actually high enough for thieves to be able to drive to one near by so they can unlock it and get it in their trailer. Once they have the car in their possession, they would probably find a way to hack it and give it a new identity or at least make it drivable.
The big limiting factor for this happening is the fact that Tesla is in control of the entire food chain for Tesla parts, maintenance and they have tracking data for every car at every moment in time. Cars that aren't in their system or that are reported stolen will simply not get serviced and their VIN and such will be in a database that will make it extremely hard for people to get those cars insured or get license plates.
The only market for stolen Tesla cars I can think of would be scrap metal and resale of the very expensive battery packs for other use, or countries where they don't really care about maintenance with stolen parts on stolen cars. You'd have to steal a bunch of cars, sell a few and take the rest apart as a parts donor for the stolen cars in order to make that business model work.
This limits the usefulness of hacking into Tesla cars at this moment, but once Teslas are found on every street corner and the thieves/hackers have found ways to fool the computers in the Tesla to believe stolen parts are genuine, you'll see a market for stolen cars and parts emerge and people will swap car identities and parts identities to make the vehicles and parts stolen legit again.
Tesla is learning the hard way themselves and obviously haven't had security people help design their "smart" network and web part. I think it's time they start working on designing version 2.0 for their whole system and do a design with security built in, starting from scratch. With the current user base and their total control of the sales and repair of the cars, they can get away with the current flaws in the system, but that will not last very long.
I was promised a flying car. Where is my flying car?
Silicon is not made from oil.
There is this magic thing called a Z-bar that can be used to open almost any car without breaking the windows. But brute force does still work and is quick.
Help stamp out iliturcy.
I believe the GP was referring to the plastic portions of laptops, which are largely synthesized from oil and natural gas, not silicon.
Write failed: Broken pipe
Plastic is not computer-specific, and is not required at all for a computer. Some popular laptops are even made of aluminium.
Please cite a source for any laptop which does not contain plastic.
Write failed: Broken pipe
* Can the owner switch off the remote control/access to their car ?
* Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?
* 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?
* It mentions an iPhone app. What if I don't have (or want) an iPhone ?
* What cars made by companies other than Tesla have similar systems ?
The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special character. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.
His major mistake is not comparing the electronic security to current security.
He complains about static, short complexity passwords, but does not recognize that most of the time longer, more complex passwords decrease security.
Many current car locks can be picked by by a guy with a bump key. The electronic security he lists is in fact far more secure than the standard key lock/ignition. More importantly, cars have side windows that can all be easily broken.
Locating and breaking into cars is not and has never been that difficult, and Tesla's methods are not significantly less secure than methods used by other people.
Particularly because the real owner can always tell where the car is.
In fact, I would suggest you remove the lock entirely, and simply put a camera viewing the driver seat.
Someone takes your car, track down the GPS location, check the video on who stole it, and arrest them.
Won't stop joyriding fools, or vandalism, but unless you lock the car up in manned garage everywhere you go, you can't do that anyway.
excitingthingstodo.blogspot.com
My wife's family owns my towns only Locksmith company.
I spent some time working there, and let me tell you the best tool for breaking into cars is the correct tool for that vehicle. We had toolboxes of roughly 15 tools for various vehicles. Knowing which tool to use and how to use it is a skill I think everyone should learn.
My favourite was the slimjim. I even made my own because I wasn't fond of the one included in the kit. Its so versatile.
As an aside: We worked with CAA (Canadian version of AAA) and once every month or so we'd get a fax to unlock a vehicle (usually a Ford for some reason) who's keyless entry fob's battery had died. We would arrive and they are holding their key in their hand, pressing the button to unlock it and they are getting frustrated the vehicle isn't unlocking. I would calmly ask to see their key, walk up to the door and stick it in the door's keyway and turn it. The look on their face was always priceless. I even had one lady confess she didn't know that was even possible.
Is there a market for used or stolen Tesla cars or parts?
It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.
On the other hand, its materials/recycle value is probably above average for vehicles of its size.
I know /. is very US centric, but in Europe driving a stolen car over a border is trivial and a Tesla will fetch a good price even in Eastern Europe.
Calling someone a "hater" only means you can not rationally rebut their argument.
By the same token, though, I'd have to imagine that European law enforcement types have(formally or informally) had to adapt to the fact that "Eh, just report the details to border control and call it a day" doesn't work anywhere in the Schengen Area anymore. Most of Europe also has suitably compatible cellular operations, so I'd feel about as safe across a European 'national' border as I would across a US 'state' one.
Either way, once you get 'outside the country' whether literally (US) or figuratively(the parts of Europe that actually play nicely with each other) and strip the phone-home features, you probably do have a saleable product; but definitely a shady one. Tesla has never been secretive about (indeed, they consider it part of their customer service) the fact that vehicles phone home to report issues, assist in necessary maintenance, etc. so selling a suitably de-fanged Tesla would probably be more like selling enterprise network gear that mysteriously lacks any warranty entitlements, valid serial numbers, etc. than it would be like selling an ordinary 'used car of dubious provenance'.
For the moment, I'd imagine that the better money is either something mundane but trivially flippable/partable that you can do in relative volume with limited expertise, or bespoke hits on very high value stuff. Now, give it another few years, maybe a decade, and you'll have a number of legitimate Tesla buyers who no longer have warranty coverage and are looking for a good deal on a new battery/other part. That could change the equation.
As an aside: We worked with CAA (Canadian version of AAA) and once every month or so we'd get a fax to unlock a vehicle (usually a Ford for some reason) who's keyless entry fob's battery had died. We would arrive and they are holding their key in their hand, pressing the button to unlock it and they are getting frustrated the vehicle isn't unlocking. I would calmly ask to see their key, walk up to the door and stick it in the door's keyway and turn it. The look on their face was always priceless. I even had one lady confess she didn't know that was even possible.
But if the car has an alarm system and it's active, this doesn't help much. If I unlock my car with a physical key, there's a three-step process I need to do in order to disable the alarm and engine kill. If your owners didn't realize their keys would work, what's the likelihood they'd then remember everything else required before driving away?
https://xkcd.com/538/
But if the car has an alarm system and it's active, this doesn't help much. If I unlock my car with a physical key, there's a three-step process I need to do in order to disable the alarm and engine kill. If your owners didn't realize their keys would work, what's the likelihood they'd then remember everything else required before driving away?
The alarm will also go off if I open it with a tool to bypass the lock... It's not my responsibility to know how to turn the alarm off. The point I was trying to make was these people did not know they could unlock their car, and gain access to their belongings, without their keyfob.
Of the three calls I handled in this in the situation I described, they were factory keys with the remote unlock buttons on the key itself.
I even had one case, where the passenger window was rolled down half way, allowing me to reach in effortlessly and unlock the vehicle.
and is not required at all for a computer
You must have missed my earlier reply. As the GGP comment contained the excerpt "like your computer", I'm still eagerly awaiting a citation regarding a computer which contains no plastic components, presumably one available for purchase under the implicit assumption that you are in possession of such a machine. I'm looking forward to the opportunity to purchase this wonderful device for my own use, so please don't keep me waiting too long.
Write failed: Broken pipe