
Tesla Model 3 Vulnerability – Disable Autopilot Notifications, Speedometer, etc. - notRobot
https://safekeepsecurity.com/about/cve-2020-10558/
======
segfaultbuserr
The car's low-level control is still functional as normal, it's just the user
interface that crashes, disabling the main display, all readouts, and all
notifications. Rebooting the UI can fix the problem (it will reset itself
automatically after two minutes as well). So it's a security issue, but not
as serious as the title may suggest.

Still, apparently, a bad webpage with a loop of JavaScript that hangs the web
browser can lead to a complete failure of the entire user interface, even
disabling the speedometer, turn signal (only the notification, visual and
sound, not the actual signal), and AutoPilot status. Still a red flag and not
a sign of good engineering.

~~~
userbinator
It's been joked a few times that a Tesla is a computer with a car attached. I
guess things like this make that very obvious, and not in a good way.

~~~
NotSammyHagar
The maybe not obvious point is they have two computer systems, one that
manages the "edutainment", one for the drive train. The entertainment one is
the one they crashed. I want the web browser updated more than any other
single thing on the car. The web browser is separated from the drive train.
You can reboot the non-drive train even while driving.

~~~
stephenr
And apparently things like windscreen wipers and a speedo are considered
“entertainment”?

Why would anyone combine those key elements with the “second” system?

~~~
alasdair_
Because there is a screen that displays both the current speed and things like
turn by turn directions. If you somehow crash that screen, you lose both (for
a minute or two)

~~~
stephenr
So some genius somewhere thought having a single screen was more important
than keeping basic functionality like speedo and turn signals safe from
<checks notes> anything that the car's web browser might be exposed to.

I mean that sounds reasonable, it’s not like a web browser has ever been
compromised before.

------
nickodell
Here's the vulnerability:

    <html>
    <script>
        var total = "";
        for (var i = 0; i < 100000; i++) {
            total = total + i.toString();
            history.pushState(0, 0, total);
        }
    </script>
    </html>
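
Added example, not part of the original post and not Tesla's or Chromium's code: one way a browser embedder could bound what a page is allowed to push into session history, replayed against the loop above. The limits, the `guardHistory` and `replayLoop` names, and the fake history object are assumptions made for illustration.

```javascript
// Added example: a call budget and URL-length cap around history.pushState.
// MAX_URL_LENGTH, MAX_CALLS and WINDOW_MS are assumed values, not Tesla's or Chromium's.
const MAX_URL_LENGTH = 2048;
const MAX_CALLS = 50;
const WINDOW_MS = 10000;

// Wraps history.pushState in place and returns counters describing what was dropped.
function guardHistory(history, now = () => Date.now()) {
  const original = history.pushState.bind(history);
  const stats = { accepted: 0, rejectedLength: 0, rejectedRate: 0 };
  let windowStart = now();
  let calls = 0;

  history.pushState = function (state, title, url) {
    const t = now();
    if (t - windowStart >= WINDOW_MS) { // start a fresh budget window
      windowStart = t;
      calls = 0;
    }
    if (url != null && String(url).length > MAX_URL_LENGTH) {
      stats.rejectedLength++; // oversized URL: never stored
      return;
    }
    if (calls >= MAX_CALLS) {
      stats.rejectedRate++; // budget for this window is spent
      return;
    }
    calls++;
    stats.accepted++;
    original(state, title, url);
  };
  return stats;
}

// Constructed stand-in for the browser's history object so the example runs under Node.
function makeFakeHistory() {
  const entries = [];
  return { entries, pushState(state, title, url) { entries.push(String(url)); } };
}

// Replays the loop from the post against a guarded history, 1 ms of fake time per call.
function replayLoop(iterations) {
  const fake = makeFakeHistory();
  let clock = 0;
  const stats = guardHistory(fake, () => clock);
  let total = "";
  for (let i = 0; i < iterations; i++) {
    total = total + i.toString();
    fake.pushState(0, 0, total);
    clock += 1;
  }
  const storedChars = fake.entries.reduce((n, u) => n + u.length, 0);
  return { stats, entries: fake.entries.length, storedChars };
}
```

With these assumed limits, `replayLoop(100000)` stores 50 entries and drops the rest, so the history list stays small however long the page keeps looping.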

~~~
mister_hn
Why do they allow JavaScript at all?

~~~
speedgoose
The car has a Chromium-based web browser. The web uses JavaScript.

~~~
mister_hn
But it isn't a must. Just block it from executing on a car.

------
etaioinshrdlu
The Tesla dashboard should be predominantly a real time system. (It appears
not to be.)

Different features of the dashboard should be implemented as different
services, ideally on different processors or different virtual processors.
They should have fixed time sliced allocation. Limit the impact of one process
interacting with another.

The different processes should all send and receive visual/touch IO to a
master display server. The master display server should be a hard real time
system.

I think we all know this is really how it should be done, it's just comical
that Tesla says NO! and does it their own unsafe way.

They don't treat the dashboard as safety critical, despite that being where all
essential warnings show up, in addition to the speedometer. You can easily
lose access to all those while driving. I have multiple times witnessed the
dashboard reboot for a few minutes while driving.

I think the long term outcome is that Tesla mostly gets away with this, other
car manufacturers attempt to copy their system with extremely poor results,
dangerous failures result, and regulations are created.

(Disclosure: M3 owner, grumpy engineer.)

~~~
bumby
It would be interesting to see how they categorize their systems as safety
critical (or not).

In my line of work, if it displays real time information to make safety
critical decisions, it’s safety critical software.

~~~
URSpider94
My interpretation is that they do not consider the infotainment display or
associated processor to be safety-critical. All of the safety-critical stuff
is in one or more separate processors that stay running if the dash computer
crashes.

~~~
bumby
I can see that perspective as long as the processors are segregated and the
display doesn’t display any info necessary to mitigate a hazard.

The problem with a lot of software on embedded systems is that it’s easy to go
down the rabbit hole and be one or two degrees away from declaring it
critical. If everything is critical then nothing is.

------
jka
Quote highlight for any Tesla owners (and friends of Tesla owners) who may be
concerned about this.

"This issue is fixed in any release >= 2020.4.10."

It looks like this release started rolling out mid-February 2020[0].

[0] -
[https://teslascope.com/teslapedia/software/2020.4.10](https://teslascope.com/teslapedia/software/2020.4.10)

~~~
natch
Yes good to highlight that. Most of us are on 2020.10 or 2020.12 by now.

~~~
chrisweekly
Those version numbers look way too similar to dates!!

~~~
natch
What (user) invisible said. year.week or year.week.patch if there has been a
patch. And there's a build number after that. We're on 4fbcc4b942a8, probably
the prefix of a git hash I'm guessing. But then there's kind of a marketing
version number as well, for which we are currently on v10.0 or v10.something:

[https://www.teslarati.com/tesla-v10-wide-release-mobile-app-update/](https://www.teslarati.com/tesla-v10-wide-release-mobile-app-update/)

Those versions are more like the true major release versions, whereas the date
versions are inside of that and are minor releases.
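
Added example, not part of the original comments: a check of reported software versions against the fixed-in release quoted earlier in the thread, using the year.week[.patch] layout described above. Accepting extra numeric components and a trailing build id is an assumption, the function names are hypothetical, and the inventory is constructed.

```javascript
// Added example: classify reported versions against the fixed-in release.
const FIXED_IN = "2020.4.10"; // "This issue is fixed in any release >= 2020.4.10."

// Parses "year.week[.patch...]" with an optional trailing build id (assumed layout),
// e.g. "2020.12 4fbcc4b942a8". Returns an array of numbers, or null if it does not match.
function parseVersion(text) {
  const m = /^\s*(\d{4}(?:\.\d+)+)(?:\s+[0-9a-f]+)?\s*$/i.exec(text);
  return m ? m[1].split(".").map(Number) : null;
}

// Component-wise numeric comparison; missing components count as 0.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function classify(text) {
  const v = parseVersion(text);
  if (v === null) return "unparseable"; // e.g. the marketing version "v10.0"
  return compareVersions(v, parseVersion(FIXED_IN)) >= 0 ? "fixed" : "vulnerable";
}

// The pitfall: comparing the raw strings orders "2020.10" before "2020.4.10".
function naiveIsFixed(text) {
  return text >= FIXED_IN;
}

// Constructed inventory of reported versions.
const inventory = ["2020.10", "2020.12 4fbcc4b942a8", "2020.4.9", "2020.4.10", "v10.0"];

function report(list) {
  return list.map((v) => [v, classify(v)]);
}

console.log(report(inventory));
```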

~~~
chrisweekly
Thanks all, but I wasn't asking for help parsing it, rather critiquing it as a
poor version formatting choice bc of its ambiguity.

~~~
natch
Yes that’s a valid critique, and one I agree with. I added my comment more as
an elaboration for anyone else interested in more.

------
FriedPickles
I don't believe that autopilot stopped functioning. In my experience autopilot
functions fine even if the MCU crashes or reboots. And there's clearly an
autopilot disengagement chime after the MCU freezes, probably caused by him
manually disengaging autopilot.

~~~
aloknnikhil
I think he corrects himself in the disclosure.

> Important Note: I stated in the video that this disables the autopilot
> functionality, but that is incorrect. This will only disable the
> notification to place pressure on the wheel. If you keep pressure on the
> wheel, AP will continue to function.

~~~
FriedPickles
Thanks, makes sense. Almost all autopilot functionality is preserved during
MCU problems. The attention warning indicator (pressure on steering wheel
needed) being one notable exception, but that's pretty benign.

~~~
Klathmon
Not only is autopilot functionality preserved, but there is a separate speaker
for alerts (like the "take over immediately" sound) as well for if the display
MCU crashes.

------
tyingq
I'm surprised browsing the web isn't a separate, isolated process from the
car's general UI.

~~~
Someone1234
Some vehicle systems use a VNC compatible client for this. Essentially put the
"web parts" into their own system entirely, even physically, and then project
the results into a window on the "safe part" UI. If something bad happens the
VNC server might crash and client lose connection, but that's the limit of the
danger.

I know around the time Carplay became popular several auto manufacturers were
pushing this idea as a Carplay/Android Auto alternative implementation:
glorified VNC. But I guess the data wasn't "rich" enough for some parties.

~~~
NotSammyHagar
There is a separate computer system. On the S the separate computer system for
the drive train has its own screen (in front of the driver). On the 3 they use
one display. You can separately reboot the non-drivetrain one.

------
joeblau
The MCU on my Model X has frozen a few times without visiting a website. I've
had to forcefully restart my MCU at a stop sign twice since having it.

~~~
tyfon
I've had the FSD computer (HW3) freeze in my X once. The autopilot/TACC, GPS
location and even the wipers, which are controlled by this even if you're not
using auto-wipers (deep rain), stopped working. I had to stop and power off
the car for a few minutes to make it work again.

Everything else was fine though so I think they have isolated the driving
itself quite well.

I've also had the MCU crash 2-3 times but the two finger salute always fixes
it.

My car is 8 months old so these events are quite rare.

~~~
boojums
I drive an old car that is missing a nice, modern infotainment system, so my
experience is out of date, but several crashes in 8 months seems pretty
frequent? My expectation is that it would not happen at all.

~~~
userbinator
I have a car which doesn't require any computer to drive, and the instruments
definitely don't malfunction anywhere that frequently --- and when they do,
it's not all of them at once. I think the only things that I've had to replace
in over a decade were an indicator bulb and a speedometer drive gear.

8 months between failures definitely sounds unacceptable to me.

~~~
inferiorhuman
It's not 8 months between failures, the claim was (if I read it correctly) 2-3
failures in 8 months. That's… not good.

------
keiferski
I've often wondered if Tesla 'bit off more than it can chew' by focusing on
software, autopilot, and other things outside of the strict 'electric car'
concept. Cool UIs and self-driving cars really have nothing to do with
reducing emissions from fossil fuels.

Personally, I would be more willing to buy a Tesla if it _didn't_ have all of
these software integrations and was simply a mechanical car with an electric
engine.

~~~
gok
A lot of what makes Tesla models more practical electric cars comes from the
software. The UI whines at you when you charge the battery too much, which
extends cell life. The navigation system prevents you from forgetting to
charge along the route, mitigating range anxiety. The artificial throttle is
also calibrated to improve efficiency.

------
aaomidi
Meh, the UI can also just crash on its own.

You can restart the car (in the middle of the road, even) by holding the two
on-wheel buttons.

I've had to do that once before.

~~~
natch
Yes I think you know this but you made it sound pretty scary. For anyone
reading, the car drives as normal, can still smoke pretty much any... let's
not mention brands here, but suffice it to say, there's nothing to prove, and
everything continues to work just fine. The UI comes back in a few seconds.

~~~
aaomidi
Well, it is pretty scary. The UI crashing and you not knowing how to restart
it is a big deal.

It's not even like a traditional car where you can "restart" the electronics
by turning it off and on again. It's a very specific sequence detailed in the
manual...which most people aren't going to memorize.

~~~
natch
It sounds like you haven't had experience with doing a soft reboot.

And yet, apparently you have, from your parent of parent comment... bizarre.

You make it sound like some elaborate easter egg that's hard to remember and
is only buried deep in the manual as a crazy special detailed long sequence of
steps.

It's neither some very mysterious sequence, nor hard to memorize, nor hard to
learn about. And you don't even need to know it.

As you well know it's just holding down two buttons which are right on the
steering wheel basically where your thumbs are already resting as you drive.
So why are you spreading FUD?

You don't even need to take your eyes off the road. Not even for one second.
The buttons are right there where you can feel them.

And no, it's not something you could or would ever do accidentally unless you
were trying odd stuff just to see what would happen. And if you did, it would
be no big deal, and the car would continue driving just fine, and the UI would
come back _by itself_ after a few seconds. But again, this wouldn't happen.

>It's a very specific sequence detailed in the manual...

That is overly dramatic. Like, to the point where you should win an award. And
the manual is not the only source for this "vErY sPeCiFiC sEqUEncE."

It's one step: hold the two buttons for a few seconds. As you said yourself.

In the unlikely event that A) a person driving the car doesn't know about this,
B) they are running software that most cars don't have any more, C) they are
using their web browser while driving, and D) they loaded a strange site that
contained a hack, then they could just pull over and call for advice from
service.

Service would tell them to press the buttons for a few seconds, and they could
be on their way in under a minute including the time for the phone call.

~~~
aaomidi
Jesus Christ.

This issue can come up on you while you're in the middle of the highway.

If you don't have experience with it before it's extremely scary.

You don't know if your blinkers are working (they are), but you have no idea.

You don't know if your braking lights are working. You don't know what speed
you're going.

One slight criticism and you send me an essay about spreading FUD.

~~~
natch
Well the scary for a newbie part I can agree with! So that one slight
criticism didn’t lead to that essay.

It was the other stuff: “very specific sequence detailed in the manual”
which got me, because the wording is so amped up and over dramatized. I mean I
almost mentioned “JFC” myself before you did, but explained it instead. You
can’t please everyone though.

I think it’s interesting how Tesla has addressed all the different UX
challenges of the car. Fascinating really. I know UX people and they have my
utmost respect because they often solve problems like this one in such
effective ways.

------
gnachman
I feel completely safe from this because the web browser literally doesn't
work at all.

------
bumby
There is some real debate as to whether the “Tesla screen model” is
appropriate for SpaceX’s Dragon capsule.

[https://www.thedrive.com/news/22887/the-spacex-dragon-capsule-has-controls-like-a-tesla](https://www.thedrive.com/news/22887/the-spacex-dragon-capsule-has-controls-like-a-tesla)

------
aloknnikhil
So how does the rollout for Tesla updates work? Are there specific updates
that are marked mandatory before you can drive the car? Wondering how these
disclosures are avoided from being exploited when not all of the cars have the
patch.

~~~
natch
Cars get eligibility for updates depending on when they were purchased, what
hardware they have (including incremental revs that happen with newer versions
of a model), what features they have that relate to the update, whether they
have purchased the (future) full self driving add on, whether they are in the
Early Access Program, and whether the customer has complained to service about
a related issue that the update covers... those are the ones I know about.

On top of this (or maybe under it) they have a layer with rollout tiers for
Tesla owned cars, cars of employees who opt in for early updates, and customer
cars. Probably more than just this. And then with all that they roll it out
over time, so we're not all getting the update the same hour, but generally it
starts with a trickle the first week and then becomes a flood of users getting
a given update over the course of the following week or two.

If you're not on WiFi you might get the "Update Available" notice in the UI
first, and then when you get to WiFi it downloads it. But it doesn't wait, if
you don't see that notice and it has WiFi, it just downloads it.

Also Tesla says that if conditions warrant, it will download the update even
when there is no WiFi. But I think it waits a while to try to
opportunistically get on WiFi if it can, to reduce load on the LTE network it
uses. If your car never connects to WiFi (which is up to you to do) then it
will download, if it can, over LTE if the update is high enough priority.

There are probably silent updates as well as another commenter indicated.
Don't know about those but it makes sense.

~~~
imabluedabbad
I always wanted DLC for my vehicle!!!

------
knzhou
This is the turning point, where I go from a technology lover to a nutcase who
wraps everything in aluminum foil. At the minimum, anything that can browse
the web but isn't a standard computer needs to be wrapped up.

~~~
sliken
Shrug, it's really no big deal. I have a Tesla Model 3 and never visited a
website, nor plan to.

It's a car, has games, maps, music, nav, etc. Can't think of a reason to visit
a website. Sure you dig in and use the screen to type in a URL, pretty
painful. There's no RSS Feed, news of the day, etc to tempt you into web
viewing.

------
fortran77
I'm surprised the budget "3" has this issue, and not the flagship model "S".
You'd think the software would be nearly identical.

~~~
rsynnott
You have an extremely odd definition of the word 'budget'.

------
steeve
Why are the speedometer and basic control UI not sandboxed from the rest of the
GUI? Particularly the web browser?

------
smfendereski
So dangerous for electric car future development.

------
alasdair_
I once managed to get my Tesla to slow down dangerously while on autopilot by
having a friend hold a copy of a fake speed limit sign by the side of the
road.

I'd like to name this act "Tesla swatting".

Next task: can I make the Tesla following me slow down or speed up by
attaching a fake speed sign to the back of my car?

------
castratikron
Okay. But remember when the infotainment system on Jeeps didn't have a
firewall turned on and people could cut the brakes by spoofing a cell tower?

[https://www.theverge.com/2015/7/21/9009213/chrysler-uconnect-vulnerability-car-hijack](https://www.theverge.com/2015/7/21/9009213/chrysler-uconnect-vulnerability-car-hijack)

