Tesla Model S Hacking Prize Claimed

← Back to Stories (view on slashdot.org)

Tesla Model S Hacking Prize Claimed

Posted by Soulskill on Friday July 18, 2014 @09:15AM from the to-the-victors-go-the-electric-spoils dept.

savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app.

26 of 59 comments (clear)

Min score:

Reason:

Sort:

Not how this is supposed to work... by iluvcapra · 2014-07-18 09:19 · Score: 3, Interesting

The security firm declined to reveal details at this point about how the hack was accomplished
So it could be a hoax, but more likely they're black-hatting in public view.

--
Don't blame me, I voted for Baltar.
1. Re:Not how this is supposed to work... by Anonymous Coward · 2014-07-18 09:58 · Score: 1
  
  Because no bridges collapse anywhere else...
  http://en.wikipedia.org/wiki/I...
  http://en.wikipedia.org/wiki/L...
  I count 16 bridge collapses on that list alone in the US since 2000.
2. Re:Not how this is supposed to work... by iluvcapra · 2014-07-18 12:01 · Score: 1
  
  In fact until they tell Tesla and give them some time to get a fix, they probably shouldn't tell the general public.
  The hell you say! O_O
  
  --
  Don't blame me, I voted for Baltar.
3. Re:Not how this is supposed to work... by Ol+Olsoc · 2014-07-18 13:32 · Score: 4, Funny
  
  Only if they don't tell Tesla. In fact until they tell Tesla and give them some time to get a fix, they probably shouldn't tell the general public.
  Oh my fucking God!
  Do you mean to tell me that someone might be able to gain control of a car now!
  Those Fuckers at Tesla will cause the downfall of civilization!
  We have had cars for well over a hundred years now, and it looks like Tesla is the only company that has cars that can be stolen!. Shit! First fires, now stolen vehicles.This electrical car thing isn't going to work at all.
  Umm, Thanks, Obama!
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
4. Re:Not how this is supposed to work... by Noah+Haders · 2014-07-19 05:21 · Score: 1
  
  people have been getting carjacked for some time, but it would suck if all tesla cars across the nation were carjacked at 70mPH on the freeway
5. Re:Not how this is supposed to work... by Ol+Olsoc · 2014-07-19 08:15 · Score: 1
  
  people have been getting carjacked for some time, but it would suck if all tesla cars across the nation were carjacked at 70mPH on the freeway
  Don't read the news? The Internetz is a-coming to all cars, not just the evil spawn of Satan Teslas. Perhaps the Internal combustion cars will be immune?
  You know, this was a way for Tesla to improve their vehicles. They have a slightly different paradigm. Find the problem, and fix it. Somewhat Different than GM's approach to their deadly ignition switch problem.
  http://www.nytimes.com/2014/06...
  But hey - it was an internal combustion engine, so it's just fine - right?
  This isn't aimed specifically at you, but to all the asshats who get a raging boner every time Tesla gets a scratch in a paint job or has a flat tire.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
6. Re:Not how this is supposed to work... by kwbauer · 2014-07-19 08:22 · Score: 1
  
  Or a 6-digit pin only has one million combinations to try so they just brute forced it.
7. Re: Not how this is supposed to work... by garompeta · 2014-07-19 18:09 · Score: 1
  
  Or the Vin IS the password lol
So by bswarm · 2014-07-18 09:24 · Score: 2

Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.
1. Re:So by ShanghaiBill · 2014-07-18 09:52 · Score: 3, Interesting
  
  Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.
  If that is what they did (and we don't know that) then that is a security flaw. Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.
2. Re:So by savuporo · 2014-07-18 10:09 · Score: 1
  
  PIN probably shouldnt be stored in the car, store a salted hash.
  By the way, my old 91 Camaro used to have a start "security feature", where they had a basic resistor embedded in the ignition key. If the resistance was off or didnt start and blocked further tries after 3 attempts or something for 15 minutes.
  Awesome when the contacts got slightly oxidized : )
  
  --
  http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
3. Re:So by unrtst · 2014-07-18 10:12 · Score: 3, Insightful
  
  Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.
  At which point, anyone in the world could very very easily DOS your car.
  There are ways around that, but the naive and very very common implementation you describe is trivial to DOS. I'd hope that the users key could still get them in and get an override, but the app should use much stronger auth to avoid DOS issues (ex. challenge response with something that requires largish compute time for the client in order to register and calculate a very large shared key - ie. this would be a one time registration per client app; then use the lock out on a per-registered-client basis; thus is would be costly to generate more client ids, and the lock out would make each only worth a few bad tries before forcing re-handshake). PIN would still be used on top of that (adds another factor, and something easily set/changed on the car side).
4. Re:So by ShanghaiBill · 2014-07-18 10:18 · Score: 2
  
  At which point, anyone in the world could very very easily DOS your car.
  Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.
5. Re:So by Marc_Hawke · 2014-07-18 10:25 · Score: 1
  
  Do Tesla's have keys? I think it would be pretty awesome to back up the security with a physical item. So, when you lock your car after too many failures, the smart-phone remote access is just completely disabled until you use the physical key to unlock the door.
  I suppose you could do the same thing with the key-fob and it wouldn't be any less secure than the key-fob already is.
  That would be quite strong defense against brute forcing the PIN, and I don't think it would be that annoying since....how often do you remote-access your car anyway?
  
  --
  --Welcome to the Realm of the Hawke--
6. Re:So by unrtst · 2014-07-18 11:18 · Score: 1
  
  At which point, anyone in the world could very very easily DOS your car.
  Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.
  Which is basically what I described immediately following that. As long as the registration is something that is not trivial to spam (thus my suggestion for a challenge response akin to DH), then that'd do fine.
  But what is the protocol on the wire? One doesn't *have* to go through the app. If the protocol only has a pin in it, then it doesn't matter what app requirements they make. The client must be uniquely and securely identifiable before that 3 strikes and your locked out stuff goes into place, and it has to have some level of complexity to register a client. These are solved problems in public cryptography but, from the sounds of their "hack", I doubt the existing protocol has space for these extra features.
7. Re:So by mspohr · 2014-07-18 12:51 · Score: 1
  
  I'll be so dangerous driving down the road with my headlights flashing, wipers on, sunroof open and doors locked!
  Now, if they could do the turn signals, they would really have something there.
  
  --
  I don't read your sig. Why are you reading mine?
8. Re:So by MrL0G1C · 2014-07-18 19:45 · Score: 1
  
  At which point, anyone in the world could very very easily DOS your car.
  That could be done with a jammer, no amount of fancy security would stop that... except you know, a car door key.
  
  --
  Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
9. Re:So by michelcolman · 2014-07-19 03:50 · Score: 1
  
  They can't even steal it because they have access to the doors and sunroof and despite being able to enter it they can't use the ignition. Unless they can also change the PIN all they can do is to annoy people.
  I'm certainly relieved that they couldn't use the ignition: imagine the mayhem the hackers could cause if they figured out how to ignite those batteries!
10. Re:So by michelcolman · 2014-07-19 03:55 · Score: 1
  
  Yes, it has a "key fob" to allow anyone to steal your car as long as you are in range with the fob when they drive off (for example if you are standing next to the car). When they get out of range, the car will complain about the missing fob but will still continue to drive until you turn it off (or run out of battery). But you can use the remote control on your phone to honk the horn, lower the windows etcetera while they are driving, hopefully attracting attention to them.
  (Note: this is how it worked a while ago, they might have issued an update to fix that particular issue)
Six digits? by jgotts · 2014-07-18 09:27 · Score: 1

Six digits? What is this, the mid-1980's?
Remote controlled cars by AbhishekDeyDas · 2014-07-18 09:31 · Score: 1

And that is how we got remote controlled cars.
Not hacking by Anonymous Coward · 2014-07-18 09:35 · Score: 1

So by "hacking" they mean brute forced a weak pin. Lame.
1. Re:Not hacking by SpeedBump0619 · 2014-07-18 10:29 · Score: 1
  
  Yeah, hacking. You know, that thing you do to underbrush with a machete. And about that subtle from the sounds of it.
China Helps China by Anonymous Coward · 2014-07-18 09:40 · Score: 1

Simply put this was faked. The only thing this does it market and promote china and Chinese companies. I wouldn't be surprised if the same people where in control of both groups, or knew each other very well.
Poor password selection by wchin · 2014-07-19 02:14 · Score: 1

This "hack" sounds like they brute forced a weak password on the service that that provides access to the Model S mobile apps. That password is shared with the "My Tesla" owner's website. It is possible to set that password to a far longer and complex password, certainly far longer than 6 characters. I suspect this contest was rigged and someone set the password to "111111" or something like that.
The car itself talks to Tesla using an OpenVPN session over 3G or Wifi.
1. Re:Poor password selection by aviators99 · 2014-07-19 17:46 · Score: 1
  
  Yes, thank you for correcting the inaccuracies. There is no "PIN" for accessing a Tesla. There is a password, with complexity requirements.
  You cannot honk the horn or control the windows from the app while the car is moving.
  The "hack" was likely a set-up. Could potentially be done with a MitM/replay attack, but that would still lead me to believe it was a set-up.