Tesla Model S Has Been Hacked
cartechboy writes: First, it was Chrysler last month with its Uconnect system being hacked while being driven down the road. Now, it's Tesla's turn. That's right, the Silicon Valley automaker's very own Model S electric car has been hacked by two white-hat hackers. The duo were able to manipulate the speedometer, lock and unlock the car, and at speeds of less than 5 mph they were able to make all the electronics go blank and shut down the car while engaging the emergency parking brake dragging the car to a stop. Tesla's already issued a software update that owners can download to path the security flaw. Welcome to the new world where cars can be hacked thanks to all their electronics.
IoT sucks! Welcome to the future.
What the summary fails to omit is that you first need physical access to the car and since they have the ability to do updates over-the-air, they don't need to recall more than a million vehicles to fix the issue.
All we need now is thermoptic camo, think tanks, and oculus to not suck, and we can live in a Ghost in the Shell future.
I would love these idiot American drivers to pull the parking brake in an emergency. Whoever started calling the parking brake the "emergency brake" did the world a huge favour; you can easily know which fucking stupid car articles to skip over.
Some day there will be a market for a car with no on board computer or electronics. The intro to the first Fallout game features a television commercial for a car called the Corvega, with no electronics and no computer for only $199,999.99. In a world on the verge of nuclear war, or one on the verge of computer security catastrophe, sounds like a steal.
Didn't they have to physically "break" the car before they got access into it? Your post is clearly a scare tactic.
Nothing here... So... SHOOO!!!
My Tesla was patched last night. No such luck for my Dodge.
Probably auto-updated overnight.
"He can do ANTYHING!" said Slashdot
SJW's don't eliminate discrimination. They just expropriate it for themselves.
I want my Cat connected to the IoT. Somebody please hack it so it stops leaving hairballs everywhere.
...To protect against nuclear EMP (since we were talking Fallout)? Not so much. Even 70s and 80s cars use coils and ECUs, and that would get fried...
Maybe... and maybe not. Old cars had thick metal hoods. Modern cars often use plastic for parts that don't need to be mechanically strong, but the old ones put the engines inside a pretty good Faraday cage.
http://www.geoffreylandis.com
Tesla's efforts still won't provide the level of electronic security from remote hacks that old Lucas equipment did.
Time to offend someone
As a college grad with more debt than a South American country, I can tell you I was worried about this bug. I came up with a handy countermeasure to avoid nefarious car hackers:
I work two jobs and drive a 2001 Ford Crown Victoria I bought for six hundred bucks at a police auction. It burns oil, and smells like parking citations and regret. On a hot day it stinks like hamburgers; I do not know why. The jiggle required to get the spare key to engage the ignition is nothing short of a Shaolin kung fu scene. This car still has a throttle cable, and practically came off the line with the check-engine light on. The upholstery is permanently stained with the detritus of an entire city's overweight, underpaid cops.
Hacking my brakes won't work, the pedal goes to the floor to try and stop this 2 and a quarter ton house on wheels so if anything it might be an improvement. Randomly triggering the accelerator, assuming one can do this in a vehicle with a throttle cable, will result in a godless heavy metal grunt from the engine as this 210 horsepower V8 struggles to maintain basic lane positioning. The AC hasn't worked since the Clinton era, and mysteriously burps up pieces of foam. The door locks are mysterious and random enough already, and functionless for the rear passenger.
Good people go to bed earlier.
From TFA: Green Car Reports reached out to Tesla Motors, which provided the following comment: ...
We've already developed an update for the vulnerabilities they surfaced which was made available to all Model S customers through an over-the-air update that has been deployed to all vehicles.
Any car or computer can be hacked when you have physical access to the car. Furthermore Tesla has apparently already issued a patch making this pretty much a non-event.
When they get hacked remotely with no physical access (which is conceivable) then we should sit up and pay attention.
The only reason why this is happening is because the software developers are morons. In a mission critical system you never give write access from an entertainment module to a critical system. The information system should not have the ability to make any changes in the engine software. The best way to enforce this is to use a hardware read only bus that sits between the entertainment system and engine system and only allow traffic to flow from the engine to the info system but not the other way around.
'Path' is not a verb. WTF? "to path the security flaw"? Who talks like that?
Oh, wait... AMERICANS. Fucking idiots.
But it won't require as much replacement wiring smoke as the Lucas electronics did. http://www3.telus.net/bc_trium...
There is no God, and Dirac is his prophet.
Old cars can be hacked with a hammer, saw, screwdriver etc. The only difference is that once hacked you have remote control of some of the functions.
Can we stop calling you guys 'editors', and just get on with 'clowns who post story submissions'.
Because it's quite clear you don't actually, you know, edit.
Lost at C:>. Found at C.
Having been in several situations with complete loss of oil (one on the road, others in the shop), I can assure you that complete loss of oil pressure does not lead to engine stopping in any reasonable time. Permanent engine damage, yes. Not able to restart, yes. Stops when dropping to idle throttle. But it happily keeps running (and starts making the most unusual noises), especially if the throttle is open.
There are lots of stories of people coming into gas stations/shops/etc with "I noticed this red light on the dash that says OIL" (or equivalent), and when the dipstick is pulled, it's dry.
There are also lots of cases of "oil change but forgot to put the drain plug in, or forgot to refill with oil, because we got distracted". An amazing number will run for a while (causing bearing damage, and needing expensive repairs).
Ditto for coolant loss.
A friend used to work in a commercial vehicle establishment, doing lots of engine rebuilds/replacements. A standard amusement was to cut the radiator hoses off, drain the oil, start the engine, put a brick on the pedal, and see how long it would run, before pulling the engine for the rebuild. After seeing this a couple times, I realized that there is great durability in modern cast iron engines. Sure, the main bearings are shot, but that's about it. Whether an aluminum block, aluminum head engine would be rebuildable, I don't know. The temperature extremes in the bearing areas might alter the metal and warp it beyond rebuildability.
Sorry Sam.... the second to last sentence is one for the record books.
Tesla's already issues a software update that owners can download to path the security flaw.
!=
Tesla HAS already ISSUED a software update that owners can download to PATCH the security flaw.
OK, so there's a security patch available. So what? "We regret that you crashed at 85mph yesterday - please download our latest patch?" The problem is not the software per se, but the mere fact that there's external access at all. Because there's simply no such thing as "flawless" code. And the internet's been around long enough to show us that, if there's any legitimate way in, people who want to abuse the system will get in as well, and find a way to subvert it. And right now all we're seeing are "white hat" attacks; just wait until the black hat guys start getting creative.
As opposed to the old world where a car that didn't have any sophisticated electronics was trivial for someone to steal?
File under 'M' for 'Manic ranting'
There's a typo in the post.
Why not just have a standard, open and documented interface that allows owners and users to do all of this.
For example, when everyone has easy access to know how to activate the parking brake from a computer or chip plugged into the car then it's not a huge deal that someone "hacked" it.
At that point everyone realizes that these things work like that and that you have to have cable access to make a change.
For the paranoid worried about someone changing the code (making the parking brake not work with the normal lever), give them the ability to reflash the code on the car.
It's the same thing as someone being able to disconnect the cable for a cable operated parking brake because they have the knowledge of how to do it and the owner or driver does not and does not take the time to check things like that.
We should be for knowledge over ignorance and closing the software (or creating an enigma machine for pulling a cable) doesn't work.
Making a big deal out of it is not the way to go.
I remember Kristin Paget (quite a marvel of self-promotion IMO) beating her own drum when she recently moved from a security role at Apple to Tesla. I think at Tesla (and previously at Apple) her title was something like "Hacker Princess".
Guess she either doesn't really know her stuff, or didn't have much of an impact at Tesla.
I went to check her Twitter account (https://twitter.com/KristinPaget), curious to see what her response to this news is, only to see that she's already moved on to SalesForce (again as a "Hacker Princess" per her business card). After calling the Tesla position a dream job, this seems like a very odd move in such a short time. Maybe she's better at talking than performing.
NOTE: Even though she is transgender, this comment has nothing to do with that. In fact, I respect her courage for being herself. But I always thought she was a little too impressed with herself.
I remember being laughed at and ridiculed on this site when I said this would be a problem and turning over your driving to a computer would just make this issue worse. *flicks bird*
Such sensational headlines. Really.
Oh thank God. I have no idea why everyone doesn't do this wirelessly - cuz on the air updates are perfectly secure.
Unless someone has physical access to the car they should be very secure as long as the encryption algorithms used are secure. Key distribution isn't a problem because Tesla can load up the car with a cryptographic key during manufacturing. Hell they could even put in a stack of one time pads if they wanted. Key distribution is usually the big problem but it's not (or shouldn't be) an issue here.
While they could always make an error somewhere along the way, it should be reasonably straightforward to make the OTA updates very secure under most circumstances.
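Added example, not part of the comment above and not Tesla's update mechanism: a minimal Python sketch of vehicle-side acceptance checks for an OTA update authenticated with a key provisioned at manufacturing, including the rollback and payload checks that are easy to get wrong. The manifest layout, function names and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption): stands in for a per-vehicle secret
# written to the car at manufacturing and known to the update backend.
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def mac_manifest(key: bytes, manifest: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_update(key: bytes, version: int, payload: bytes) -> dict:
    """Backend side: bind version and payload hash together under the MAC."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return {"manifest": manifest, "mac": mac_manifest(key, manifest), "payload": payload}


def verify_update(key: bytes, installed_version: int, update: dict):
    """Vehicle side. Returns (accepted, reason); stops at the first failed check."""
    manifest = update["manifest"]
    # 1. Authenticate the manifest. compare_digest is constant-time, so the
    #    check does not leak how much of a guessed MAC was correct.
    if not hmac.compare_digest(mac_manifest(key, manifest), update["mac"]):
        return (False, "bad_mac")
    # 2. Anti-rollback: a genuine but older update must not be replayable,
    #    otherwise an already-patched flaw can be reinstalled.
    version = manifest["version"]
    if not isinstance(version, int) or version <= installed_version:
        return (False, "rollback")
    # 3. The payload actually received must match the authenticated hash.
    digest = hashlib.sha256(update["payload"]).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return (False, "payload_mismatch")
    return (True, "ok")


def run_demo():
    """Exercise the checks on constructed updates; car currently runs version 7."""
    good = make_update(FACTORY_KEY, 8, b"firmware image v8 (constructed)")
    old = make_update(FACTORY_KEY, 6, b"firmware image v6 (constructed)")
    swapped = dict(good, payload=b"different bytes")
    bumped = dict(old, manifest=dict(old["manifest"], version=9))
    return {
        "genuine": verify_update(FACTORY_KEY, 7, good),
        "replayed_old": verify_update(FACTORY_KEY, 7, old),
        "payload_swapped": verify_update(FACTORY_KEY, 7, swapped),
        "version_bumped": verify_update(FACTORY_KEY, 7, bumped),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```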
While true that this is a lot less worrisome than a remote attack, the fact that someone with an ethernet cable can bollix up the car is still attention-worthy.
If a bad guy has physical access to my car, what they can do with an ethernet cable is frankly the least of my concerns.
Adblock, Better Privacy and NoScript is coming out for cars - to be released later this year.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Not going to happen, both the EPA and the CAFE standards have seen to that. There is ZERO chance you can meet the emission and mileage standards for any vehicle which doesn't include some kind of engine and drive train control electronics.
Those only apply to new cars. Old cars are still on the road and probably always will be. Plus you are able to build vehicles yourself that do not meet emissions standards. Not exactly difficult to source an engine and a chassis.
The only way we are safe from the Cylons is to not network all the systems in the ship together.
Can we stop calling you guys 'editors', and just get on with 'clowns who post story submissions'.
Because it's quite clear you don't actually, you know, edit.
They edit, meaning that they modify the text. The thing is that they generally make it worse, not better.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Car hacking is the most ridiculous thing I've ever heard of!
Seriously, why do we need computers in cars? EFI I can understand; some digital sensors, maybe, and a quartz-tuned radio with digital display, sure.
But all of this other crap is just asking for trouble. The fact that someone could remotely access, monitor, and even control your vehicle is downright scary.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
The last time my 80s era roadster was patched was when it rolled off the production line. 30+ years on the long-term stable release! Beat that with your Tesla.
That's like bragging that you haven't patched your 486DX computer in 25 years. It's an obsolete POS and nobody is really impressed. Do you still use a Motorola MicroTAC phone or an Apple IIe too?
Why do we need to connect cars to the internet again?
Because you can do interesting and useful things by connecting to the internet. Up to date weather, traffic, and map data. Streaming media, OTA updates, OTA patches, inter-vehicle communications, and much more. Seriously you can't think of any use for internet connectivity in a vehicle?
enough said.
Isn't the emergency/parking brake required to be mechanical? How can you hack a mechanical cable-pulley system?
And this is why it's called an emergency brake here. Unlike the hydraulic braking system, it's supposed to be able to work no matter what. It's also only connected to the rear wheels, so there's less of a chance the idiot who slams it on will lose control.
--- Keep the choice with the user..
Because people are trusting their life to a system that has consistently proven that it is not secure
You know what else I'm trusting my life to? You not turning your steering wheel a quarter turn left when we pass each other on the road. I'm trusting that you will actually stop at a stop sign. I'm trusting that my airbag will not malfunction. I'm trusting the ignition to actually work. I'm trusting that you are capable of driving competently unimpaired by alcohol. We trust our lives to a lot of things that have consistently proven to not be secure and this bit of hacking is nowhere near the top of the danger list. Sure, let's be concerned about it but let's not blow it out of proportion either.
Seriously.
Don't connect cars to the internet. Don't make their electronics accessible OTA.
We'll be presenting how to do this at DEFCON this year.
We're honored to be recognized with the 2015 People's Award for Self Restraint, Circumspection and Common Sense.
See you there.
Is this a true remote hack or does this require malware or direct access to the car to install a usb device like most others? Yes, I didn't read the article, because I expect slashdot to summarize it for me.
Flame away
How about posting a summary with actual information instead of directing me to off slash questionable sites. That would be great.
and also maybe turn on spell / grammar check because some of these posts are getting pretty unreadable. This one isn't that bad though
Don't look to Tesla to change the OTA access they're building into their cars any time soon. I'll tell you why.
There's a frightening amount of electricity generated by their cars and mechanics who don't know what they're doing are quite likely to electrocute themselves.
Then the headline will be:
Another Mechanic Killed By Tesla Car.
To prevent that headline from ever materializing and destroying their market share, they reserve the right and ability to remotely brick the car.
If the car is in an accident, it gets bricked and the only result of trying to start the car is a message on the instrument panel which reads (approx) : "Take car to Tesla service station for service".
Mechanics CAN'T work on Tesla cars.
Unfortunately, when you connect a car to the internet or otherwise make it accessible OTA you dramatically increase the attack surface area.
Here's a few characteristics of the new attack vectors:
* A criminal can affect many cars at once. Previously, a 1:1:1 ratio existed between criminals, cars and some discrete unit of time.
* A criminal can make a criminal event imitate an accident. Previously, if the car blew up Mafiosa-style or was stolen, the criminal event was clearly recognizable as a criminal event. Even cutting the brake lines left tell-tale signs. Obviously, a surreptitious way to access the car's electronics is, well, surreptitious.
* The attack vectors have multiplied to as many zero-day exploits in as many electronic parts as could be affected by zero day exploits. Previously, even if there was a theoretical way to access the computer that controlled critical systems, it was still a head-under-hood affair involving that system.
* Zero day exploits aren't going away. There is no "recall" that is going to "fix" the problem because the problem is now a changing target. Previously, just as criminals and car thefts (or other crime) were 1:1, so also were defects and defective components. Recalls could fix the component and return the car to service. Now the subsystem is known to be fundamentally unfixable.
If we could stop people from exploiting critical computer systems, we would have done it. A car is not going to be special in this regard.
Hastings was a large adversary for the military industrial complex. When his BMW sped out of control and crashed a couple years ago, most who mentioned auto hacking were labelled conspiracy theorists. How's that looking now? Not that whatever technique was used there had to be very high tech. He even expressed concerns that his car had been tampered with.
With physical access to the car, I can literally take control of ANY car and then run it remotely. I can put plastic explosives under the dash and hook it up to the ignition wire. For the last 100 years. How is it a hack once you've had physical access? There are James Bond movies from the 60s with this as a plot point.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
Ah yes good ol' Lucas..
As my dear old dad who's been a mechanic for almost 50 years likes to complain:
"Lucas lighting systems must have been the first company to ever patent Darkness"
The article says that Tesla has "already issued a software update that owners can download..." The update is automatically delivered over the air directly to the car. The owner doesn't need to request anything.
From TFA: "Mahaffey and Rogers acknowledged that they first had to gain physical access to the Tesla in order to accomplish their hack, requiring a physical connection via Ethernet cable that then allowed them to access the Model S remotely."
In the olden days this was called "hot wiring"...
The point is: all bets are off when one has physical access. Even if they don't "hack" it, they can set it on fire or do anything else.
Bring it.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
"Tesla's already issues a software update that owners can download to path the security flaw."
Tesla already issueD or Tesla already offers. And patCh the security flaw.
Mechanics CAN'T work on Tesla cars.
I would say that today's mechanics SHOULDN'T work on Tesla cars.
Today's competent mechanics are trained to work on today's cars. They normally focus on the combustion, ignition, lubrication and exhaust systems. None of those exists in a Tesla. Getting a general mechanic to repair a Tesla is like getting a plumber to rewire your house.
Maybe in a decade when electric drive trains are common, mechanics will be trained to work on them, it will be a different story.
If I turn my steering wheel the wrong way, or if I run a stop sign, or even if I'm driving drunk - If I plow into your trusting keister, I might just kill myself as well. I have a really really good reason not to do any of that stuff because I have skin in that game. So that's not a really good argument except in the case of a suicidal driver.
The fact that you have skin in the game means little. There are over 30,000 deaths each year in the US in automobiles and I assure you that most of them are far from suicidal.
The idea that you trust your ignition key to start the car is just silly.
Really? Ask GM whether we should worry about trusting our lives to ignition switches.