Slashdot Mirror


Tesla Model S Hacking Prize Claimed

savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app."

59 comments

  1. Not how this is supposed to work... by iluvcapra · · Score: 3, Interesting

    The security firm declined to reveal details at this point about how the hack was accomplished

    So it could be a hoax, but more likely they're black-hatting in public view.

    --
    Don't blame me, I voted for Baltar.
    1. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 0

      Only if they don't tell Tesla. In fact until they tell Tesla and give them some time to get a fix, they probably shouldn't tell the general public.

    2. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 0

      Chinese company hosts prize to hack western company. Chinese group claims prize using secret methods which I'm sure are totally legit and prove how advanced they are. Just like in engineering and construction; look at all these bridges they're building!

    3. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 0

      They didn't follow the LEGO instructions in the bridge kit.

    4. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 1

      Because no bridges collapse anywhere else...

      http://en.wikipedia.org/wiki/I...

      http://en.wikipedia.org/wiki/L...

      I count 16 bridge collapses on that list alone in the US since 2000.

    5. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 0

      Likely the 6 digit pin is derived from the VIN number off the car which in turn with a little mathematical guesswork allows anyone to break the app which controls your car.

    6. Re:Not how this is supposed to work... by iluvcapra · · Score: 1

      In fact until they tell Tesla and give them some time to get a fix, they probably shouldn't tell the general public.

      The hell you say! O_O

      --
      Don't blame me, I voted for Baltar.
    7. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 0

      And all the US bridge collapses of the last 60 years were old and under maintained.
      OTOH, those Chinese bridges were relatively new. Each was less than 5 years old, and all but 1 were operated within specs: IOW, they failed due to poor engineering or construction.

    8. Re:Not how this is supposed to work... by Ol+Olsoc · · Score: 4, Funny

      Only if they don't tell Tesla. In fact until they tell Tesla and give them some time to get a fix, they probably shouldn't tell the general public.

      Oh my fucking God!

      Do you mean to tell me that someone might be able to gain control of a car now!

      Those Fuckers at Tesla will cause the downfall of civilization!

      We have had cars for well over a hundred years now, and it looks like Tesla is the only company that has cars that can be stolen! Shit! First fires, now stolen vehicles. This electrical car thing isn't going to work at all.

      Umm, Thanks, Obama!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:Not how this is supposed to work... by Noah+Haders · · Score: 1

      people have been getting carjacked for some time, but it would suck if all tesla cars across the nation were carjacked at 70mPH on the freeway

    10. Re:Not how this is supposed to work... by Anonymous Coward · · Score: 0

      No self respecting Sinophobe in Northern California would use the Made in China SF-Oakland Bay Bridge

    11. Re:Not how this is supposed to work... by Ol+Olsoc · · Score: 1

      people have been getting carjacked for some time, but it would suck if all tesla cars across the nation were carjacked at 70mPH on the freeway

      Don't read the news? The Internetz is a-coming to all cars, not just the evil spawn of Satan Teslas. Perhaps the Internal combustion cars will be immune?

      You know, this was a way for Tesla to improve their vehicles. They have a slightly different paradigm. Find the problem, and fix it. Somewhat Different than GM's approach to their deadly ignition switch problem.

      http://www.nytimes.com/2014/06...

      But hey - it was an internal combustion engine, so it's just fine - right?

      This isn't aimed specifically at you, but to all the asshats who get a raging boner every time Tesla gets a scratch in a paint job or has a flat tire.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    12. Re:Not how this is supposed to work... by kwbauer · · Score: 1

      Or a 6-digit pin only has one million combinations to try so they just brute forced it.

    13. Re: Not how this is supposed to work... by garompeta · · Score: 1

      Or the Vin IS the password lol

  2. A six digit code? by Anonymous Coward · · Score: 0

    Wouldn't it be better to use something with more.. kick? Key based authentication with a stronger than 6 digit password by default?

  3. So by bswarm · · Score: 2

    Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.

    1. Re:So by ShanghaiBill · · Score: 3, Interesting

      Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.

      If that is what they did (and we don't know that) then that is a security flaw. Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.

    2. Re:So by Anonymous Coward · · Score: 0

      They didn't say there wasn't a flaw. But brute forcing is not "hacking". That is unless you're a mouth breather.

    3. Re:So by savuporo · · Score: 1

      PIN probably shouldn't be stored in the car, store a salted hash.

      By the way, my old 91 Camaro used to have a start "security feature", where they had a basic resistor embedded in the ignition key. If the resistance was off or didn't start and blocked further tries after 3 attempts or something for 15 minutes.

      Awesome when the contacts got slightly oxidized : )

      --
      http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
    4. Re:So by unrtst · · Score: 3, Insightful

      Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.

      At which point, anyone in the world could very very easily DOS your car.

      There are ways around that, but the naive and very very common implementation you describe is trivial to DOS. I'd hope that the user's key could still get them in and get an override, but the app should use much stronger auth to avoid DOS issues (ex. challenge response with something that requires largish compute time for the client in order to register and calculate a very large shared key - ie. this would be a one time registration per client app; then use the lock out on a per-registered-client basis; thus it would be costly to generate more client ids, and the lock out would make each only worth a few bad tries before forcing re-handshake). PIN would still be used on top of that (adds another factor, and something easily set/changed on the car side).

    5. Re:So by ShanghaiBill · · Score: 2

      At which point, anyone in the world could very very easily DOS your car.

      Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.

    6. Re:So by Marc_Hawke · · Score: 1

      Do Teslas have keys? I think it would be pretty awesome to back up the security with a physical item. So, when you lock your car after too many failures, the smart-phone remote access is just completely disabled until you use the physical key to unlock the door.

      I suppose you could do the same thing with the key-fob and it wouldn't be any less secure than the key-fob already is.

      That would be quite strong defense against brute forcing the PIN, and I don't think it would be that annoying since....how often do you remote-access your car anyway?

      --
      --Welcome to the Realm of the Hawke--
    7. Re:So by unrtst · · Score: 1

      At which point, anyone in the world could very very easily DOS your car.

      Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.

      Which is basically what I described immediately following that. As long as the registration is something that is not trivial to spam (thus my suggestion for a challenge response akin to DH), then that'd do fine.

      But what is the protocol on the wire? One doesn't *have* to go through the app. If the protocol only has a pin in it, then it doesn't matter what app requirements they make. The client must be uniquely and securely identifiable before that 3 strikes and you're locked out stuff goes into place, and it has to have some level of complexity to register a client. These are solved problems in public cryptography but, from the sounds of their "hack", I doubt the existing protocol has space for these extra features.
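
Added example (not part of any comment in this thread, and not Tesla's code): a Python sketch of the policy debated above, combining ShanghaiBill's 3-strikes, 30-second doubling lock-out, savuporo's salted PIN hash, and unrtst's per-registered-client lock-out state, so one client's failures cannot lock out the owner. The class, client IDs and PIN are hypothetical, and device registration is assumed to have happened over an already authenticated channel.

```python
import hashlib
import hmac
import os

FREE_ATTEMPTS = 3   # wrong tries allowed before the first lock-out
BASE_LOCKOUT = 30   # seconds; doubles with each further wrong try


class PinGate:
    """Car-side PIN check; lock-out state is kept per registered client."""

    def __init__(self, pin):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)      # only the salted hash is stored
        self.clients = {}                    # client_id -> [fails, locked_until]

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def register(self, client_id):
        # Assumption: the caller has already authenticated this device.
        self.clients[client_id] = [0, 0.0]

    def attempt(self, client_id, pin, now):
        state = self.clients.get(client_id)
        if state is None:
            return "unregistered"            # touches no lock-out state
        if now < state[1]:
            return "locked"                  # PIN is not even evaluated
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            state[0] = 0
            return "ok"
        state[0] += 1
        if state[0] >= FREE_ATTEMPTS:
            state[1] = now + BASE_LOCKOUT * 2 ** (state[0] - FREE_ATTEMPTS)
        return "wrong"


def total_lockout(wrong_tries):
    """Seconds of enforced waiting accumulated over this many wrong tries."""
    return sum(BASE_LOCKOUT * 2 ** (n - FREE_ATTEMPTS)
               for n in range(FREE_ATTEMPTS, wrong_tries + 1))


def demo():
    gate = PinGate("482915")                 # constructed sample PIN
    gate.register("owner-phone")
    gate.register("second-phone")
    log = [gate.attempt("second-phone", "000000", now=0) for _ in range(4)]
    log.append(gate.attempt("owner-phone", "482915", now=0))
    log.append(gate.attempt("stranger", "482915", now=0))
    log.append(gate.attempt("second-phone", "482915", now=30))
    return log
```

`total_lockout(20)` is 7,864,290 seconds, about 91 days, so the doubling schedule makes a search of the one million possible six-digit PINs impractical for any single registered client, while the owner's device stays usable throughout.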

    8. Re:So by Anonymous Coward · · Score: 0

      one of the guys at work had the phone app. he played with it for the first few days and like just about everything else the novelty wore off. There's not a lot you would want to do since you have limited battery - like cooling or heating for a while before you head out to the car. Yes, it has a fob that activates when you get near the car. there are no traditional keys. The door handles don't even pop out until you get near the car with the fob.

    9. Re:So by Anonymous Coward · · Score: 0

      The opposite is done in many cars. If you unlock the door with the physical key and the remote isn't within range, it sets off the alarm.
      Because locks can be picked.

    10. Re:So by mspohr · · Score: 1

      I'll be so dangerous driving down the road with my headlights flashing, wipers on, sunroof open and doors locked!
      Now, if they could do the turn signals, they would really have something there.

      --
      I don't read your sig. Why are you reading mine?
    11. Re: So by Anonymous Coward · · Score: 0

      I have a Tesla. The fancy automatic wipers aren't very smart, wiping too little or too much. But now I can hire a Chinese kid to operate them for me! Yay!

    12. Re:So by MrL0G1C · · Score: 1

      At which point, anyone in the world could very very easily DOS your car.

      That could be done with a jammer, no amount of fancy security would stop that... except you know, a car door key.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    13. Re:So by Anonymous Coward · · Score: 0

      Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.

      At which point, anyone in the world could very very easily DOS your car.

      There are ways around that, but the naive and very very common implementation you describe is trivial to DOS. I'd hope that the user's key could still get them in and get an override, but the app should use much stronger auth to avoid DOS issues (ex. challenge response with something that requires largish compute time for the client in order to register and calculate a very large shared key - ie. this would be a one time registration per client app; then use the lock out on a per-registered-client basis; thus it would be costly to generate more client ids, and the lock out would make each only worth a few bad tries before forcing re-handshake). PIN would still be used on top of that (adds another factor, and something easily set/changed on the car side).

      They neither hacked the car nor are they able to DOS it. They 'hacked' into an account that is a little better than a guest account. They can't even steal it because they have access to the doors and sunroof and despite being able to enter it they can't use the ignition. Unless they can also change the PIN all they can do is to annoy people.

    14. Re:So by JasonGoatcher · · Score: 0

      I've never understood the mouth-breathing insult. How does my having an odd nasal passage affect my intelligence?

    15. Re:So by michelcolman · · Score: 1

      They can't even steal it because they have access to the doors and sunroof and despite being able to enter it they can't use the ignition. Unless they can also change the PIN all they can do is to annoy people.

      I'm certainly relieved that they couldn't use the ignition: imagine the mayhem the hackers could cause if they figured out how to ignite those batteries!

    16. Re:So by michelcolman · · Score: 1

      Yes, it has a "key fob" to allow anyone to steal your car as long as you are in range with the fob when they drive off (for example if you are standing next to the car). When they get out of range, the car will complain about the missing fob but will still continue to drive until you turn it off (or run out of battery). But you can use the remote control on your phone to honk the horn, lower the windows etcetera while they are driving, hopefully attracting attention to them.

      (Note: this is how it worked a while ago, they might have issued an update to fix that particular issue)

  4. Six digits? by jgotts · · Score: 1

    Six digits? What is this, the mid-1980's?

  5. Re:Larf, dumbass engineers write software by Anonymous Coward · · Score: 0

    And I've been cuckolding your dad for 20+ years as well!

  6. Remote controlled cars by AbhishekDeyDas · · Score: 1

    And that is how we got remote controlled cars.

  7. Not hacking by Anonymous Coward · · Score: 1

    So by "hacking" they mean brute forced a weak pin. Lame.

    1. Re:Not hacking by Anonymous Coward · · Score: 0

      That's why the reward is only $10k!

    2. Re:Not hacking by SpeedBump0619 · · Score: 1

      Yeah, hacking. You know, that thing you do to underbrush with a machete. And about that subtle from the sounds of it.

    3. Re:Not hacking by Anonymous Coward · · Score: 0

      No, I'd call it brute forcing the PIN since I am not a mouth breather.

      Also, I don't own overpriced Tesla shit.

    4. Re:Not hacking by Anonymous Coward · · Score: 0

      Whatever liar. You're a bullshitter. Go die.

    5. Re:Not hacking by Anonymous Coward · · Score: 0

      Yeah I'm going to be a moron and spend $80k for a car that has less mile range than a golf cart. Or not.

    6. Re:Not hacking by Anonymous Coward · · Score: 0

      It's called cracking. You would think slashdot would know this.

  8. China Helps China by Anonymous Coward · · Score: 1

    Simply put this was faked. The only thing this does is market and promote China and Chinese companies. I wouldn't be surprised if the same people were in control of both groups, or knew each other very well.

  9. BF != Hacking by Anonymous Coward · · Score: 0

    But oh well. You just gave them ten grand anyway.

  10. The plan is perfect! by Anonymous Coward · · Score: 0

    With control of horns and headlights we can cause a plague of road rage across the world!

  11. Re:Larf, dumbass engineers write software by Anonymous Coward · · Score: 0

    and software designers can't make anything that works without turning it into a year long project, fear of being exposed for worthless I guess, but don't worry there's plenty of PHP websites you can fix

  12. BF != Hacking by Anonymous Coward · · Score: 0

    What if they had to make a custom radio so they could reverse-engineer the protocol with packet sniffers and whatnot, then implemented their own client in assembly code -- no, no, in hex -- to do the brute-forcing? At that point is it 1337 enough to be called "hacking"? (captcha is 'posers'...)

  13. Re:Larf, dumbass engineers write software by Anonymous Coward · · Score: 0

    We all know, and it breaks his heart.
    My dad has been gay for 25 years, and you've been doing his boyfriend all that time.

  14. Re:Larf, dumbass engineers write software by Anonymous Coward · · Score: 0

    Your mom is ugly but it's pretty rude to claim she's a man.

  15. Hacking a car by Anonymous Coward · · Score: 0

    Hacking a car, same as breaking into a car physically? There's a will.. There's a way for mechanical or electronic

  16. Poor password selection by wchin · · Score: 1

    This "hack" sounds like they brute forced a weak password on the service that provides access to the Model S mobile apps. That password is shared with the "My Tesla" owner's website. It is possible to set that password to a far longer and complex password, certainly far longer than 6 characters. I suspect this contest was rigged and someone set the password to "111111" or something like that.

    The car itself talks to Tesla using an OpenVPN session over 3G or Wifi.

    1. Re:Poor password selection by aviators99 · · Score: 1

      Yes, thank you for correcting the inaccuracies. There is no "PIN" for accessing a Tesla. There is a password, with complexity requirements.

      You cannot honk the horn or control the windows from the app while the car is moving.

      The "hack" was likely a set-up. Could potentially be done with a MitM/replay attack, but that would still lead me to believe it was a set-up.