
Tesla Model S Can Be Hacked, and Fixed (Which Is the Real News) - evo_9
http://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news
======
cmiller1
> Here's how Rogers explained the hack: Tesla cars have a cable inside, which
> maintenance people can access to fix things. That cable is hidden, in a secret
> panel, either to the left of the driver or under the touchscreen.
>
> Pop it open, find the cable and plug into it.

So you need physical access to the inside of the car to do this? That doesn't
sound like a security problem at all. If someone malicious has physical access
to a normal car they could cut the brake lines or drain the oil, without even
needing to unlock the car.

------
creshal
> Every three months or so, every car gets a free software upgrade. No need to
> go to the mechanic for it.

Next step: Hacking the update mechanism.

------
mtgx
I'd rather the safety critical systems were not connected to Tesla's central
servers so a hack is radically less likely in the first place.

If, however, something somehow gets through, then I'd rather go to the mechanic
for the update instead of receiving an OTA update, and hopefully the mechanic is
getting the update on a very secure machine.

If the NSA is targeting me for assassination in a "smart car" because I'm
about to leak some info about their programs, I'm probably not going to care
much that the bug will be fixed in an OTA update next month - am I?!

Or what happens when Tesla enters into a zero-day/cyber-threat sharing program
with the DHS and NSA, like Apple and Microsoft did?

The OTA "fix" seems more like a much bigger convenience for the car vendor
than it is for the car buyer, with most of the risk being handled by the car
buyer.

I also worry such systems would _trivialize_ the digital security of cars,
like it has already happened on the Internet and in the PC world. "You should
expect to get hacked" shouldn't become a way of thinking in the auto-industry.
An OTA system that fixes critical safety bugs de-incentivizes companies to
build strong security from the beginning - "We can always fix it later with
the push of a button" vs "Fuck - not another recall!"

