
The Big Tesla Hack: A hacker gained control over the entire fleet - evo_9
https://electrek.co/2020/08/27/tesla-hack-control-over-entire-fleet/
======
bookshelf11
The pricing on these bug bounties always blows my mind.

If this hack had been exploited Tesla market capitalization would've taken a
multi-million if not billion dollar hit. And here they are, paying out
relative chump change to a guy that alerted them to it.

~~~
sellyme
> If this hack had been exploited

But that's the point. Who's out there that would exploit this because they
thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

Realistically there's only two types of people who would maliciously exploit
something of this magnitude: the mentally unstable (people who just like to
cause chaos), and state-sponsored actors attempting to disrupt other nations.
Neither of those groups seem particularly likely to change their mind for an
extra zero or two.

The "pay more than the black market will" model works for smaller bugs, but
for ones like this that would immediately get every three letter agency on the
planet trying to find you, the $50,000 isn't a valuation of the worth of that
bug report, it's a gratuity. And for the average bug reporter, that's an
_extremely_ nice one.

Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have
any reason to? No.

The solution to this is to have legal requirements for security, and extremely
heavy fines for having released dangerous software (some portion of this fine
financing a similar bug bounty program). Take the option of how much money to
hand out away from the companies, and they'll be incentivised to take security
much more seriously in the first place.

Of course, this requires lawmakers to have a basic understanding of
technology, so we're at least 20 years and 3 major catastrophes away from
getting anywhere near that actually occurring.

~~~
ssss11
Surely there’s more than 2 types. Another off the top of my head -
competitors.

~~~
warent
Agreed. Another could be solo blackhats who just want to make money, who have
no state sponsorship. Tangential, but I also hesitate to create such a massive
bucket for "mental instability" like that. It's easy, when someone does
something difficult to understand, or against what we would do ourselves, to
just say "well they're mentally unstable." Definitely the case for some, but it
seems like a lazy dismissal with no attempt or interest in understanding.

~~~
sellyme
I was using "maliciously exploit" here to describe what would basically be the
worst case scenario of such a bug (instructing every Tesla to deliberately
crash at high speed). I don't think it's in any way a stretch to characterise
someone who would do that as mentally unstable.

Of course there's many other ways you could exploit such a bug, but in the
context of a "multi-billion dollar" event, it's really only The Big One that's
in frame here.

~~~
dmurray
Someone could be sociopathic enough to cause the crashes, but still prefer the
money. It definitely seems like you could negotiate for more if you can play
the part of that sociopath and don't mind a little bit of extortion.

~~~
dash2
But then “offering more money to sociopaths” doesn’t seem like the right thing
to do, because it will only encourage more of them into the market.

------
yabones
This is what holds me back from 'smart' devices that have the potential to
cause real harm...

We've been making motors (electric or combustion) for over a hundred years,
and gotten pretty damn good at making them safe and reliable. Same thing with
stoves, HVAC equipment, small appliances, etc. These are all mature
technologies that we can practically trust our lives with.

Internet-connected smart vehicles aren't a mature technology. Not in the sense
of this being the win2k era of that tech, but that our assumptions about how
to build these systems might be fundamentally wrong. I don't know if it will
ever be safe enough to trust human lives to it.

Until then, I'll only want to buy cars made before 2010.

~~~
Jeriko
"Internet-connected smart vehicles aren't a mature technology. Not in the
sense of this being the win2k era of that tech, but that our assumptions about
how to build these systems might be fundamentally wrong. I don't know if it
will ever be safe enough to trust human lives to it."

I often hear this kind of thing and am really surprised by it. Specifically
for the tech in vehicles example, it seems like a real double standard. Around
37,000 people in the US die in car accidents every year[1]. That's 100 people
a DAY. There is a huge cost to not adopting new safety measures, even if it
depends on immature tech, and that needs to be factored against the potential
new unknown risks.

Driving to work is almost certainly the riskiest thing you do most days. I
find it plausible that people 50 years from now will think that the cars we
drove before 2010 were unconscionable death traps.

[1] https://en.wikipedia.org/wiki/Motor_vehicle_fatality_rate_in_U.S._by_year

~~~
angry_octet
You're comparing apples and oranges. It can both be true that security (and
overall software) quality is poor, and that automated buggy cars are better
than erratic people.

However, when you are considering system risk (e.g. that a bad actor could
crash 100k cars at the same time) the worst case outcome could be much worse
than the mean outcome.

------
bigiain
https://medium.com/@mpesce/the-great-hack-part-one-attack-70c5f7b22f34

"The first thing that happens is nothing. Your smartphone stays black while
you swipe at it and press the various buttons. Has the battery gone flat? You
could have sworn you left the house with a full charge. Now you start to
wonder how you’ll get your car out of the parking structure without a working
mobile. That thought hadn’t occurred to you before. It’s the least of your
worries. Still fussing with your smartphone, you gradually begin to realise
you’re not the only one having this problem. In fact, it would seem that
everyone waiting at the pick-up area is in various stages of agitation with
their own smartphones. Some are pressing odd combinations of buttons, trying
to reset the little beasties. Others, who have clearly had rough days now made
worse, start to swear at their dead screens, as if cursing might shock them
into life. It’s weird, and almost a bit funny. For a brief moment. The first
smashing can be felt more than heard, a subsonic strike something like a vast
drumhead being struck with a metre-wide mallet, but so quick, you barely even
notice it until it’s over. The second one, however, isn’t far behind, and it’s
a bit louder. That second thump gives away its location — whatever it was
seems to be happening quite close by — in the direction of the parking
structure. At just this moment a car cruises through the pick-up zone at full
speed, barreling along at least 100 kmh. It’s only because of some very fast
reactions that no one gets hurt as it passes by. As it zooms past, you notice
there’s no one behind the wheel. Before you have any time to process that,
another huge thump nearby causes a section of the barrier wall of an upper
floor of the concrete parking structure to shear off. A pile of rubble falls
to the ground not very far away from you."

~~~
philsnow
This reminds me strongly of Daniel Suarez' book Daemon,
[https://amzn.com/0451228731](https://amzn.com/0451228731)

~~~
bigiain
Yeah. That's a great read too.

------
burfog
Someday, all cars from a particular brand will be made to crash during rush
hour. The carnage will be immense. Emergency services will have to go off-road
to bypass the snarl. There won't be enough helicopters to meet the demand.

The brand that could cause the most damage is probably Bosch, a major
automotive component manufacturer.

~~~
abledon
the guys who make power drills are writing the software for Self-Driving
Cars[1]? Who is running that ship lol

[1] https://www.bosch.com/stories/future-vehicles/

~~~
filleduchaos
Perhaps due to knowing quite a few people whose careers were spent working
with Siemens and Bosch machines in heavy industry, it seems unfathomable and
mildly alarming to me that one can

- know of the existence of Bosch,

- be completely ignorant of the company being an absolute giant in the
engineering space, _and_

- be confident enough that they're some tiny power drill manufacturer to mock
them publicly without pausing to look them up

It's like hearing someone say "the guys who make the Xbox are providing cloud
services for the Pentagon? Who is running that ship lol".

------
arkadiyt
Here's Jason Hughes' annotated vulnerability writeup, which the article is
about:
https://docs.google.com/document/d/1yXni1GoD93q8mX-yom7JLBn0Q8tPOQz2A_y3m3LJi8o/edit

~~~
forgotmypw17
[https://archive.is/rLJPU](https://archive.is/rLJPU)

------
chadlavi
Can y'all add "in 2017" to the title here?

~~~
Someone1234
This article is from three days ago (August 27th, 2020). I suspect the
underlying issue was under a 3 year NDA/agreement.

It would be misleading to label an article from three days ago from "2017,"
particularly as this is the first reporting about this ever.

~~~
judge2020
> (I will note, I was never barred from disclosing any of this publicly in any
> way. As a courtesy, I felt it would be the right thing to do to hold off on
> public disclosure for a while, potentially indefinitely. Years later, it
> seems worthwhile to disclose this information and highlight just how far
> things have come and how Tesla's software security has improved dramatically
> since then.)

From
[https://news.ycombinator.com/item?id=24327485](https://news.ycombinator.com/item?id=24327485),
so no NDA.

------
slimsag
Pretty misleading to omit ", but fortunately he’s a good guy" in the title

~~~
Tijdreiziger
Does it matter? Next time it might not be a good guy.

~~~
spsful
In the context of headlines, maybe. It seems a little more pessimistic with
this omission.

------
novok
Shit like this is why cars need to be functional without cellular / wifi
access, and updates impossible without the user pressing a button, along with a
direct connection to the car for features like summon.

Which is pretty much the opposite of how Tesla operates.

------
tw04
I hope this serves as a reminder to everyone here that THIS is why you should
have a physical disconnect switch. I should be able to pull a breaker to
disable self driving on my Tesla when I’m not using it.

~~~
manquer
Unless there is regulation, no automaker is going to do it themselves.

------
sneak
> _Also, Tesla owners will supposedly soon get two-factor authentication for
> their Tesla account._

This was the biggest line in the story, for me. You can spend $100k+ on a
vehicle and you can’t even have security to protect it that was standard FIVE
YEARS AGO.

Lack of 2FA is a showstopper for services an order of magnitude less expensive
than a vehicle. Tesla simply must not care about security very much, a fact
reflected in their low bug bounty prices.

------
eganist
> The hacker shared the data on the Tesla Motors Club forum, and the automaker
> seemingly wasn’t happy about it.

> Someone who appeared to be working at Tesla posted anonymously about how
> they didn’t want the data out there.

> Hughes responded that he would be happy to discuss it with them.

> 20 minutes later, he was on a conference call with the head of the
> Supercharger network and the head of software security at Tesla.

> They kindly explained to him that they would prefer for him not to share the
> data, which was technically accessible through the vehicles. Hughes then
> agreed to stop scraping and sharing the Supercharger data.

> After reporting his server exploit through Tesla’s bug reporting service, he
> received a $5,000 reward for exposing the vulnerability.

What's the difference between this and what Uber's former Security Chief was
charged with?

~~~
GhostVII
The hack you are talking about is unrelated to the one that let him control
the Tesla network. In that one it sounds like he just put together a custom
client that requested supercharger data from Tesla, which I wouldn't really
consider hacking.

------
cnst
Now imagine someone takes over your Neuralink...

And that's how we get the Zombie Apocalypse, kids!

~~~
bolasanibk
The Feed
(https://en.m.wikipedia.org/wiki/The_Feed_(British_TV_series))
is based on this premise.

------
driverdan
This is another reason why I think it's incredibly foolish to own a vehicle
with an internet connection. Even if the vehicle doesn't support remote
control like Tesla there may be a chain of bugs that could be used to do just
that or cause other problems.

That's not even considering the major privacy issues that come with such
vehicles.

~~~
perl4ever
I remember a long time ago reading about the updates to mandated car
electronics and thinking I never wanted to own a car newer than...1996 maybe?
And now I can't even remember what I was thinking and why. It might have been
OBD-II.

Even a hard core luddite gets worn down.

~~~
driverdan
There's a difference between local computer control and remote control. I
prefer an ECU to all mechanical engines. I'm not a luddite.

I understand the security and privacy implications of always on internet
connected GPS tracking and remote control.

~~~
perl4ever
Sure, but ECUs existed before OBD-II. Obviously even OBD existed prior. Those
standards are about communication and control.

------
tempsy
Take anything from Electrek with a big grain of salt - they are the
publication of choice for controlled leaks from Tesla.

------
jayd16
So how do vulnerabilities like this happen these days? I just work in games
and everyone still knows having an API that takes a user ID (in this case the
VIN) is asking to get abused. Is the description just a gross
oversimplification of the hack or was Tesla security really that bad?

~~~
csours
It seems like a classic case of mistaking (or not taking seriously enough) the
difference between authentication and authorization. He accessed the server
through the car's VPN, so there was an authenticated and authorized connection
to the server.

However, an authorized connection to the server is not authorization to make
any arbitrary request on the server.

It happens for the same reason that many games get MAX_INT high scores at
launch.
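As an added illustration of the authentication/authorization gap csours describes (this is not code from the article, the writeup, or Tesla): a hypothetical unlock endpoint reached over a vehicle's VPN tunnel, first trusting whatever VIN the request names, then checking that the VIN belongs to the authenticated session, plus the log review a defender would run for the vulnerable pattern. The Session class, fleet dict, VINs and role name are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample fleet keyed by VIN (fake VINs, not real vehicles).
def make_fleet() -> dict:
    return {
        "5YJ3FAKE000000001": {"owner": "alice", "locked": True},
        "5YJ3FAKE000000002": {"owner": "bob", "locked": True},
    }

@dataclass(frozen=True)
class Session:
    """What the server learns at the VPN handshake: which car the tunnel belongs
    to, plus any roles granted to internal tooling. Hypothetical model."""
    vin: str
    roles: frozenset = frozenset()

def unlock_vulnerable(session: Session, target_vin: str, fleet: dict) -> str:
    """Authenticated is not authorized: any valid tunnel may act on any VIN it names."""
    if target_vin not in fleet:
        return "unknown vin"
    fleet[target_vin]["locked"] = False      # never compares session.vin to target_vin
    return "unlocked"

def unlock_fixed(session: Session, target_vin: str, fleet: dict) -> str:
    """Object-level authorization: the caller may act only on its own VIN unless
    it holds an explicit fleet-admin role. The check runs before the existence
    lookup so a foreign caller cannot use the response to enumerate valid VINs."""
    if session.vin != target_vin and "fleet-admin" not in session.roles:
        return "forbidden"
    if target_vin not in fleet:
        return "unknown vin"
    fleet[target_vin]["locked"] = False
    return "unlocked"

def cross_vin_sessions(audit_log: list) -> set:
    """Defender-side review of an access log of (session_vin, target_vin) pairs:
    a tunnel issuing commands for VINs other than its own is the thing to alert on."""
    return {session_vin for session_vin, target_vin in audit_log if session_vin != target_vin}
```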

------
0xFFC
Yeap, pretty accurate. I can predict it is going to get bad. It is always
fascinating to me that companies invest billions in everything aesthetic
related. But when it comes to security and system software, no money!

------
maxkwallace
This was discussed/predicted a while back:
[https://news.ycombinator.com/item?id=16258336](https://news.ycombinator.com/item?id=16258336)

------
jaimex2
You can really see how government intelligence agencies just go around hacking
and dumping repositories of other governments and companies keeping what they
find in their back pocket.

------
altdatathrow
Having a fleet of cars you can manage with a single ansible script isn’t the
norm for $400B companies?

~~~
jgalt212
It's funny you say that, and there are shops that are very careful with this
sort of stuff. Unfortunately, I fear that when the big cloud hack comes, it's
going to hurt everyone (i.e. those with and without publicly addressable S3
buckets).

------
femto
Isn't a "fleet-wide hack of autonomous vehicles" an oxymoron? They clearly
aren't autonomous if they are controlled by an outside force that can be
hacked.

Maybe it depends on perspective, with the manufacturer seeing owners as
outside forces, from which their vehicles are autonomous? Rolled up with the
liability question is the question of who does control the vehicles and who
they are autonomous from.

~~~
judge2020
The vehicles are autonomous when asked, such as if you click "summon" in the
app. If they gained access to Mothership after summon was introduced (they
accessed it in 2017, but summon came out in 2019[0]), it could have meant
accessing a car and summoning it to the attacker.

0: [https://youtu.be/nlCQG2rg4sw](https://youtu.be/nlCQG2rg4sw)

