
Enough is enough
I'm cancelling my order.
Slack authentication in Tesla's Model S REST API exposes the electric car to a variety of non-safety but non-trivial attacks, according to a Dell engineer and Tesla owner. In this post over at O'Reilly, Dell senior distinguished engineer and executive director of cloud computing George Reese says the “flawed” authentication …
[Posted by the author on behalf of someone who's run into a Bad Internets Day]
Why would you cancel an order for the most technically advanced and awesome device on the planet at the moment? Because one headline-grabbing techie identified a flaw that could be fixed in minutes by any-old-coder?
I suspect it will be fixed quickly.
Oh, and apparently I'm a "coward" for not wrangling with the authentication things here. Meh.
How do you think Michael Hastings was murdered? Hint: Start with the source code for all of the car's electronic systems, including the brakes, accelerators, GPS controls, wireless network, and of course the airbags, windows, and door locks. Make the evidence go away? Just run the hack from volatile memory so it disappears as soon as the power is lost. Chain of command to trace? Sorry, it was just an independent contractor operating on his own initiative. No orders given, none received, no reports filed. Just a wink and a nudge, and probably a bonus for unspecified special services on behalf of "national security". Nothing to see here.
Remember, he was not drunk or chemically impaired. He was a cautious driver. And his leg was fractured from stomping on the brake pedal very hard. Obviously to no effect. Can't you just wait for the self-driving cars?
Me? No thanks.
That conspiracy story is getting a bit tired now, I thought you would realise how stupid it makes you look when I pointed out the obvious flaw last time.
Do you really believe that car manufacturers specify to their software engineers that the API has a 'disable brakes' instruction built in?
Even if that were possible (which it is not due to safety regulations mandating a mechanical connection in steering and braking systems), why would they?
you wrote: "Do you really believe that car manufacturers specify to their software engineers that the API has a 'disable brakes' instruction built in?"
You obviously weren't at Defcon this year. Disable brake. Violently turn steering wheel with a servo (so it can parallel park, since you don't know how). Yank the seatbelt tight and startle the heck out of the driver... They didn't mention finding the accelerate API, but they were such nice boys they probably wouldn't. OnStar can tell my wife's car to slow to a crawl if it's reported stolen, so the "turn it down" call is there in her relatively non-techy 2011 Chevy Cruze.
That said, I hadn't heard of this conspiracy since I don't get out of my cave often. Get the Reader's Digest version from Google by searching: car-hacking-code-released-at-defcon
It's adorable when people believe machines are trustworthy, safe, and unhackable.
I seriously doubt that.
Attention has been brought to it, so something will have to be done. But this system, with the flaw of the 3-month token, was brainstormed, approved, designed and implemented as is.
I'm not sure it will be easy to change, nor am I convinced that it is a priority job for Tesla.
Of course, it is not good for the company image to have a "security breach", but Tesla can very well downplay the issues, obfuscate the consequences and play for time. It's not like they're selling the thing by the millions anyway.
Since you know where the car is, and can unlock the doors (and even honk the horn if you need help finding it in the parking lot you know it's in)... if you get this security token for any Tesla, you can use it to find the car and pilfer its contents - and since the owner can afford a Tesla, they're rich, so there's gotta be something worth stealing in it too.
Ha funny you should say that, first thing I thought when I read the article title and hated it straight away...
"Everything is crackable, if you can write software to be secure, you can write more software to defeat it!"
Extra layers of IT security just make it harder, bit like, oh what's a good analogy here... lol Car Alarms, Immobilizers, the lot.
They are only ever deterrents, if someone wants to rob the White House given the right resources it could be done, just as the Titanic wasn't un-sinkable, nothing is unbreachable.
This may be the most technologically advanced vehicle on the face of the planet, but allowing any access through the Web looks completely silly to me. What functionality would be compelling enough to a car owner to trump the concern that there will inevitably be security problems once the air gap is eliminated? Why would anyone ever want to start a browser to unlock his/her car or open the sun roof?
This is what happens when IT types develop a car. They're used to tracking you on the Web, so they put the same functionality into the car. Presumably Tesla could sell pattern of life information on to advertisers?
This all sounds like it's more useful to Tesla than it is to a user. After all, the owner already knows where their car is and what can be seen out the windscreen; they're either driving it or have parked it somewhere.
And if it's stolen what exactly are they going to do? Chase after it on foot? It won't get far anyway before running out of juice. And any serious car crim these days has probably heard of GPS tracking and has also heard of GPS jamming and black PVC tape (to obscure the camera).
So it's a gimmick at best, a money maker for Tesla, and a liability at worst.
It's worse than having a durable login cookie. If the documentation is correct, HTTP GET is used to initiate significant changes to the car rather than the proper POST method. GET must be idempotent - safe to make or not make at any time. Resources with GET allow clients to pre-fetch them, cache them, asynchronously revalidate the cache, or attempt to fetch the resource in segments. This API is begging for massive malfunctions and the designer never should have passed a hiring interview.
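
The failure mode raised in the last comment, as an added example that is not part of the thread and is not Tesla's code: a toy in-memory API where an intermediary replays GETs, first with commands reachable over GET and then with commands restricted to POST. The routes, the `Car` state and the `prefetcher` helper are all constructed for illustration.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD"}  # methods clients may repeat or issue unprompted


@dataclass
class Car:
    """Constructed vehicle state; field names are hypothetical."""
    locked: bool = True
    horn_count: int = 0


def unlock(car):
    car.locked = False


def honk(car):
    car.horn_count += 1


# Hypothetical command routes, not taken from any real API.
COMMANDS = {"/command/door_unlock": unlock, "/command/honk_horn": honk}


def handle(car, method, path, enforce_methods):
    """Return an HTTP status code for one request against the toy API."""
    if path == "/state":  # read-only resource: safe methods only
        return 200 if method in SAFE_METHODS else 405
    action = COMMANDS.get(path)
    if action is None:
        return 404
    # Hardened mode: state-changing commands are refused unless sent as POST.
    if enforce_methods and method != "POST":
        return 405
    action(car)
    return 200


def prefetcher(car, links, enforce_methods):
    """Model an intermediary (link prefetch, cache revalidation) that sends
    each GET twice without the user asking, as HTTP allows for safe methods."""
    return [handle(car, "GET", link, enforce_methods)
            for link in links for _ in range(2)]


if __name__ == "__main__":
    weak, hardened = Car(), Car()
    print(prefetcher(weak, list(COMMANDS), False), weak)
    print(prefetcher(hardened, list(COMMANDS), True), hardened)
```

In the first run the replayed GETs unlock the doors and sound the horn twice; in the second every replay gets 405 and the car state is unchanged until an explicit POST arrives.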