
Warning after security experts hack Tesla car - jgrahamc
http://www.bbc.co.uk/news/technology-33802344
======
chambo622
Sounds like Tesla worked with these guys to patch this for all owners before
it was disclosed. And they hired Chris Evans from Chrome/Project Zero to lead
security. To me those are signals that they take this seriously.

~~~
teacup50
If they took this seriously, they wouldn't have their _cars_ connect to
_anything_, or at the very least, the connected parts would be fully
air-gapped.

How is it that we can be repeating _the exact same mistakes_ made in software
over the past 40 years, without anyone questioning whether the dangers of
cloud-enabling _cars_ are remotely justified by the features provided?

~~~
chambo622
What makes you think that nobody is questioning it? I'm sure some people are,
but the fact that informed consumers are purchasing these cars speaks for
itself.

~~~
teacup50
What does that fact speak for?

~~~
chambo622
It indicates that "the dangers of cloud-enabling cars" are in fact "justified
by the features provided" for a nontrivial number of people.

~~~
teacup50
That's a nonsensically trivial analysis:

1) The features provided by Tesla extend far beyond those provided by "cloud-
enablement"; the fact that "informed consumers" are buying the cars does not
indicate that their purchasing decision came down to isolating cloud-
enablement relative to cloud-features.

2) Your hypothetical informed consumers don't really exist, unless the only
people buying cloud-enabled cars are computer scientists.

~~~
chambo622
1) Sure - it's one factor among many in the purchasing decision. Never said
otherwise. It would also be incorrect to assume that this was not a factor at
all.

2) Ever looked at a tech company parking lot in South Bay? A lot of people
with CS background are buying the Model S. Not all buyers are computer
scientists but informed buyers most definitely do exist.

------
breser
There's a much better article on Wired that goes into more details:
[http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/](http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/)

It's also worth noting that Tesla pushed a patch to all of their cars for this
yesterday.

~~~
ChuckMcM
Fiat/Chrysler - recalled 1.4M cars, estimate 80+% will get fixed.

Tesla - pushed an OTA update, done.

That pretty much paints the future of "smart software" in cars.

That said, every science fiction book I've ever read where vehicles could be
patched over the air, has been used as a plot device and gone badly for the
hero of the story. Interesting times indeed.

~~~
bentcorner
Has there been an incident where an OTA mechanism resulted in something bad?
(E.g., MITM attack pushes down evil bits)

It could be argued that the _existence_ of an OTA mechanism incentivizes lower
quality (RTM patches); I'd counter that it might do so in the short term only,
although I have no data.

~~~
wodzu
I would rather worry about bad guys pushing a harmful update to all the Tesla
cars.

Rather than hacking all the individual cars, hack the Tesla server and push
the updates. Happened a few times to open source software.

~~~
breser
If you read the Wired article I linked earlier you'll see that this is indeed
a concern since the updates aren't signed. Tesla is relying on the two way
verification of their VPN that is used to communicate between the car and
Tesla to validate the software.

~~~
snuxoll
This at least prevents a MITM or a malicious actor from hijacking DNS, etc -
since the car effectively ensures it's at least talking _WITH_ Tesla. This
doesn't prevent a malicious employee from gaining access to the update server
and pushing out an update, but you're going to have to worry about that
regardless.
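
The distinction breser and snuxoll are drawing (transport authentication via a mutually authenticated VPN versus a signature on the update itself) is easy to show in code. The following is an added example, not Tesla's code and not anything from the Wired article; the bundle format, the domain-separation tag and the version field are assumptions made for the illustration. The car pins the vendor's Ed25519 release public key and checks every bundle against it, so the delivery channel is irrelevant: a compromised update server, a stolen VPN credential or an insider with push access can deliver whatever they like, but nothing verifies unless the offline release key is also compromised. The example also rejects downgrades, which a transport-only design does nothing about.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateBundle is what the update server hands to the vehicle (hypothetical
// format): a monotonically increasing version, the firmware image, and a
// detached Ed25519 signature made with the vendor's offline release key.
type UpdateBundle struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version number to the payload, so a valid signature
// cannot be re-attached to a different version or a different image.
func signedMessage(version uint32, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte("vehicle-update-v1\x00")) // domain-separation tag (assumed)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate runs on the vendor's offline release-signing machine, never on the
// update server the car connects to.
func SignUpdate(releaseKey ed25519.PrivateKey, version uint32, payload []byte) UpdateBundle {
	return UpdateBundle{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(releaseKey, signedMessage(version, payload)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against pinned release key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// VerifyUpdate runs on the car. It trusts only the pinned release public key and
// the currently installed version; which channel delivered the bundle does not
// matter, so a compromised update server gains nothing on its own.
func VerifyUpdate(releasePub ed25519.PublicKey, installed uint32, b UpdateBundle) error {
	if !ed25519.Verify(releasePub, signedMessage(b.Version, b.Payload), b.Signature) {
		return ErrBadSignature
	}
	if b.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	firmware := []byte("constructed sample firmware image v7")
	good := SignUpdate(priv, 7, firmware)
	fmt.Println("genuine update:", VerifyUpdate(pub, 6, good))

	// Attacker controlling the update server swaps the payload; the VPN still
	// authenticates the server, but the signature no longer matches.
	tampered := good
	tampered.Payload = bytes.Replace(firmware, []byte("v7"), []byte("evil"), 1)
	fmt.Println("tampered payload:", VerifyUpdate(pub, 6, tampered))

	// Attacker signs with a key of their own; the car has never heard of it.
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerKey, 8, []byte("backdoored image"))
	fmt.Println("forged bundle:", VerifyUpdate(pub, 6, forged))

	// Replay of an older, genuinely signed bundle (downgrade to a known-vulnerable build).
	old := SignUpdate(priv, 5, []byte("older firmware"))
	fmt.Println("rollback:", VerifyUpdate(pub, 6, old))
}
```

The release key never touches the update server, which is the whole point: the server becomes an untrusted mirror, and the VPN is reduced to what it is actually good for (confidentiality and keeping random strangers off the endpoint). Silhouette's objection still stands, of course: if the signing machine or the people operating it are compromised, signatures do not help, which is why real deployments also keep an audit trail of what was signed and by whom.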

~~~
Silhouette
_This doesn't prevent a malicious employee from gaining access to the update
server and pushing out an update, but you're going to have to worry about that
regardless._

I'm pretty sure that if your car isn't connected in the first place, so that
its essential control systems can't be updated remotely by a single malicious
actor like that, then this isn't a significant concern.

------
mshenfield
Tesla seems much better prepared to deal with this than most car
manufacturers. A downloadable update is a world away from the recall Chrysler
had to issue.

~~~
joosters
True. However, Tesla owners have to accept an 'always on' car, sharing
who-knows-what with Tesla over its cellular connection. Is there any way to just
get OTA updates without giving away personal data (like location) to the
company?

~~~
angersock
How would you know?

EDIT:

I meant that seriously--any functionality which can update the firmware can,
by definition, remove your ability to tell that it's doing other things, too.
See also "Reflections on Trusting Trust".

EDIT2:

And another downvote. Some people are absurd and clearly don't understand what
is a completely reasonable comment about the nature of the security here.

It's not, "How would you (somebody unskilled in these things, snarf snarf,
mere mortal compared to angersock) know (anything about this)?".

It's, "How would you (consumer without access to the source code being
deployed) know (given that the machine can be made to fake output to whatever
is most likely to make you think it's behaving normally)?"

Jesus.

~~~
DEinspanjer
I thought about downvoting you. The comment was brief and offered no insight
or context into what you were thinking or saying.

If you would have started out with the variant at the bottom, I never would
have thought about downvoting you.

~~~
angersock
Funny quirk of the English language--had I written instead "How would one
know?", I think it would have avoided the ambiguity that ruffled feathers.

------
cmiller1
I posted about this in another thread about this Tesla "hack", but they
required physical access to the INSIDE of the vehicle. An access port in the
driver-side footwell.

How is this a security problem? If someone malicious has physical access to a
normal car they could cut the brake lines or drain the oil, without even
needing to unlock the car.

If I'm inside a car I own I think I'd PREFER it to know I can hack into the
car's systems rather than it being totally locked down.

~~~
jlg23
From the wired article:

But they also found that the car’s infotainment system was using an out-of-
date browser, which contained a four-year-old Apple WebKit vulnerability that
could potentially let an attacker conduct a fully remote hack to start the car
or cut the motor. Theoretically, an attacker could make a malicious web page,
and if someone in a Tesla car visited the site, could gain access to the
infotainment system. “From that point, you’d be able to use a privilege
escalation vulnerability to gain additional access and do the other stuff that
we described,” Rogers says.

~~~
cmiller1
> Theoretically

Well, when they show, in practice, that such an attack is possible, then we
can have news headlines about it.

By presenting it like this so Tesla had to patch it to save face, I'm sure
they just closed the loophole that would allow consenting car owners to modify
their car's software. As a gear-head and life-long tinkerer, I WANT to be able
to mess with my car.

------
hoopism
Can we generalize this a bit in light of all the recent car hacks?

"Experts Reveal Connected Devices Are Vulnerable to Hacking"

------
danbruc
Off-topic - when did sentences and paragraphs become the same thing? I noticed
this several times during the last months but may have overlooked it before.
Is there something behind that?

~~~
dangoor
I wonder if there's a difference for people writing for TV (this article is on
the BBC website) and people writing for "print". It's hard to imagine the NYT
publishing an article where each paragraph consists of a single sentence,
short of that being the point of the article.

------
legulere
The situation with security vulnerabilities in software maybe should be a
warning to not use (network-connected) computers to control everything. The
internet of everything will probably mean that everything will become
hackable.

------
jcadam
This is what you get for buying modern vehicles. Just you try hacking my rusty
'86 Pontiac.

... I can't even get the radio to play anything other than a faint static hum.

~~~
johnward
This required physical access. I'm sure I could do some damage with physical
access to any vehicle.

------
baseballmerpeak
Better than Chrysler's approach of making the owner download the patch, copy
it on to a _blank_ flash drive, and load it via the in-dash USB.

~~~
jakeogh
Some of us don't want wirelessly connected cars.

