Hacker News
Pwn2Own Vancouver 2019: Tesla, VMWare, Microsoft, and more (thezdi.com)
301 points by Down_n_Out 3 months ago | 169 comments

As a Tesla owner, I think this is great, because as an Engineer, I fully expect that Tesla will get owned (literally) here. I have no problem with that - I want people trying to break the security, and I want Tesla to pay them, and to improve it.

The reality is that a Tesla is mostly really good software, really good engine, and really good battery, surrounded by a reasonable (but not excellent) rest of the car. That's more than worth it to me, and the Tesla Stretch is real, because the car is incredibly compelling. I would argue that the value is just as much an outcome of the software, and it needs to be hardened.

I agree. It is very clear that Tesla puts more effort into the software, electric motors, and battery tech compared to the "rest of the car".

While there are some fine details (like the suspension) that others pointed out, the body panel gaps and the unusual service experience leave a lot to be desired for some people. Now whether these issues go unaddressed due to Tesla not having the proper resources or due to a conflict in priorities, either reason makes you wonder why Tesla is choosing to do it this way...

I completely agree with the fact that Tesla is, at least IMHO, a software company first, but on the body panel gaps I really think it is a non-issue.

I mean, it obviously is something that has to be improved but, for example, I’ve seen panel gaps with an 85k € new Audi Q5 MY18.

It definitely wasn't an isolated issue since I’ve seen the same thing on at least two other cars of the same model around town, but no one online or any media is shouting right and left about it...

This comment perfectly describes the Tesla Model 3.

Disclaimer: Model 3 owner

Agreed and agreed.

Concurred & concurred.

Yup, this has happened on the S a few times. They quietly put out a new OTA which took ~24 hours to roll out across the fleet and it was sorted.

Much different than Fiat/Jeep when they got owned via media console a ways back.

The fact they can "quietly put out a new OTA which took ~24 hours to roll out across the fleet" honestly scares the crap out of me.

Call me a luddite, but in my opinion there are no compelling-enough reasons a car needs to be wirelessly networked at all, and I won't buy a car with those "features".

It's not quiet, there's a notice of an update and the release notes mention that it was for a security fix. You have the option of ignoring it if you want.

Sure, but my malicious "two weeks from now, suddenly turn left if the car is traveling faster than 80kph" firmware will give the same message.

I'm just not a fan of OTA updates for cars. Needing to have physical access raises the bar.

Remote updates just increase the attack surface, and make RCE possible - and RCE on an entire fleet of 2 ton vehicles that can go 200kph is a nightmare scenario.

They could even use the gps in the car to target specific locations!

I believe a state actor or motivated team would have the resources to make this possible, and it would kill more than 9/11. The poor country's cruise missile!

I'd be OK with doing updates via usb or direct connection however.

Honestly, it's a little worrying to me that a car would need updates so often.

Well, not sure how much I agree with "good software" having read this: https://twitter.com/atomicthumbs/status/1032939617404645376 With some googling, you can find the original thread in Something Awful forums too.

To say that I was surprised at some things doesn't even begin to do justice.

Just a nitpick but engine would mean internal combustion.

It's not that black and white; but Wikipedia does note:

""" In modern usage, the term engine typically describes devices, like steam engines and internal combustion engines, that burn or otherwise consume fuel """

Also, "electric motor" is definitely a lot more common than "electric engine":


ain't engine just something that converts energy to motion? We have jet/rocket engine which aren't internal combustion.

Jets and rockets are also internal combustion engines. An example of external combustion is a steam engine.

This reminds me of how the switch to SSDs meant that we could no longer talk about our computers having a “Hard Drive” since that specifically referred to drives with spinning platters.

I’ve heard the term “hard storage” being used more often. When using just “storage”, a lot of non-tech people get confused by RAM or persistent storage.

From what I've read about Tesla's software this could be a bold move.

Between the infotainment system, onboard Linux computer, autopilot, self-driving hardware, OTA updates, mobile apps, and the amount they phone home, Tesla are probably doing some of the most advanced computing in any consumer car (some deconstructions have suggested they are miles ahead here, pardon the pun).

This is great, but it all comes with additional surface area for attacks, and software engineers have spoken out about the fast paced shipping that happens at Tesla and the corners that are cut as a result.

There was a previous discussion [1] around a former Tesla employee discussing some of the "wtf" aspects of the software on Tesla vehicles. I'm willing to bet that some critical flaws will be found, as "fast development" and "secure development" are hard to get together, and it's safe to assume that Tesla ticks the "fast development" checkbox.

[1] https://news.ycombinator.com/item?id=17835760

If even 30% of what that guy is claiming is true, the Model S has a huge attack surface. Hopefully things have improved since those claims were made.

> as "fast development" and "secure development" are hard to get together

This is just not true. Software that often goes unupdated is the most insecure software of all. If Teslas are more insecure than other vehicles it will simply be because their software is more complex than the competition.

> This is just not true. Software that often goes unupdated is the most insecure software of all.

You'll note that I never made comparisons on how secure Tesla software is in comparison to other vehicles, or that Tesla's software would be the "most insecure software of all".

What I said is that Tesla's development is fast-paced, and this is difficult to do whilst maintaining software security. I agree with you that outdated software is a huge security risk, but I don't see how that contradicts with my statement on Tesla's software.

You're both right in a way. Not having stuff up to date will definitely leave you vulnerable, but if the stories about Tesla's internals are valid, they are not expending the time necessary to ensure they don't write a boatload of security bugs in the first place.

yeah, except that in practice, a lot of "fast development" happens on platforms where engineers ignore updates that aren't explicitly flagged as security because they want a stable environment, then when the security bug hits, they push back on deploying the security fix because of breaking functional and API changes in the dependency. I have worked in a broad range of orgs from start-ups with 4 people to government, fin-tech, and bay area tech companies and every single one has had the same stumbling block that has been a pain in my ass as a person responsible for assessing and helping engineers ship secure software.

If the OTA updates are compromised or some other remote vulnerability is found I'd consider that a major flaw. However, some of the Tesla "hacks" I've seen show up in the past involve plugging a laptop into the inside of the car. If you've got physical access to the inside of ANY car you can do some serious damage. Doesn't take a "l33t hax0r" to cut some brake lines or undo an oil pan plug.

I'd argue those aren't quite equivalent. If I was the passenger in a Tesla taxi I might be able to plug something in to add tracking software or who knows what to the car without the driver knowing. As autopilot improves I might be able to tell the car to up and drive over to my house in the middle of the night. Not exactly the same as cutting brake lines.

The compute module is under the back seat in the Model 3 I believe. That's all of the major components, might be tricky but someone who doesn't care about damaging the seat may well be able to get in unnoticed while riding in a Tesla taxi.

It's in the dash. You have to remove the glovebox and several pieces of the dash. For some reason I think the taxi driver would notice you disassembling his car.

It is behind the glovebox

Is access to it lockable? Would be useful for a taxi usecase

In the model 3, the only way to access the glovebox is to press the button on the console. I'm sure this would be disabled when in self-driving taxi mode.

FWIW, the Tesla model 3 has an internal camera (probably more than one) that Tesla probably plans to use to observe the occupants when in self-driving taxi mode. I think the camera would deter most high tech vandals.

Just remember when you’re recording your dummy loop to play back while you pwn, make sure no flies land on the camera lens!

Sorry, but you can't do anything with german cars (BMW, Audi and Mercedes) - everything is end-to-end encrypted. This is not the case for almost all other vendors that usually use unencrypted CAN bus.

This is simply not true. Here's a recent set of fixes - now because they don't have over the air updates or free ones, how many people will ever get their cars updated: "Researchers said they were able to combine the 14 flaws to escalate their access to the car's inner CAN bus".


My bad, I thought that BMW is almost the same as Mercedes, it turns out that it is not. Mercedes doesn't have such flaws by design - there are no writable connections from media and CAN bus to steering, engine, gearbox etc. And everything is encrypted there (unlike CAN). I expected that BMW is the same as Mercedes (since they use the same FlexRay chips), but it seems that BMW screwed up their setup.

Surprisingly little on VW AG CANbus is encrypted, I'm not sure where you're getting this idea. I haven't worked with BMW and Mercedes since around 2010 but I doubt they're much different.

I have written my own ECU flashing tool for Simos18 as well as a message injection system for the VW/Audi MQB platform (similar to the commercially available PolarFIS product). Really the only protection at all is that ECU flash files are encrypted in transit (on dealer DVDs) and over the wire, but with a fixed AES key and IV which is present in plaintext on the flash once the file is written. The CAN gateway messages are generally not encrypted, both over the infotainment CANbus and the powertrain CANbus.

Almost all cars are nearly completely insecure once you have interior physical access - which, IMO, is mostly OK as long as the bus wiring is in a reasonable location inaccessible to someone like a taxi passenger.

What is more interesting is the prevalence of head units with wireless or remote access - over 3G, Bluetooth, and WiFi. Compromising these hosts (and then finding a pivot or escalation between the infotainment bus and the powertrain bus via the gateway) is an interesting attack vector.

I tried to hack my Mercedes, but CAN bus is really useless as it doesn't have anything usable and everything is encrypted over FlexRay, and there is no easy way to hack essential parts of the car (unlike CAN bus in say Ford).

Maybe I was wrong, but there is nothing on the CAN bus in the latest generations of Mercedes.

I didn't know that FlexRay had made such inroads and I do apologize - I balked at your mention of Audi because I have personal experience there but it turns out I was just familiar with the one German place FlexRay hasn't reached yet!

It does seem like most commodity FlexRay systems are still hackable although it's certainly harder than CAN where you can just attach a node and start spewing garbage from whichever address you'd like: https://brage.bibsys.no/xmlui/bitstream/handle/11250/2453093... (I'd expect all modern BMWs to be similar or identical to this MINI for cost reasons, although as evidenced I may be surprised!).

I still haven't found a robust use of end to end encryption anywhere in an automotive application - even the "most protected" routines like ECU flashing seem to be protected by weak XOR/known-secret seed/key security in tandem with symmetric cryptography using fixed key material.

I tried to find anything on how to decrypt FlexRay in the paper you provided, but found only very limited observable information.

Looks like it is AES-CBC with static IV, not very good, but not that bad. Still very very far from hackable. Even if you are able to guess the AES key (somehow) there is no way to hack asymmetric keys. Sure you can leak them during delivery of firmware, but I really feel that this is not the case for Mercedes. Also that's how they make money (and provide security) - lock down access to everything.

In the AUTOSAR encryption docs there are RSA and Ed25519, which is very good encryption obviously. (https://www.autosar.org/fileadmin/user_upload/standards/clas...)

<rant/ramble on>

OTA is great but my experience with my TM3 is clouded by one issue: I want Bluetooth audio support to be enhanced so I do not have to use my phone to select tracks, playlists, artists, and such. Instead what was the big update near the holiday season? Fart humor, a holiday fireplace like a screen saver, and the old Atari Pole Position game.

Seriously? Yeah I know they also updated autopilot, put in a new animation for setting vents, and such, but I really don't need the easter eggs when there are so many programmable features this car should already have, and audio support including the mentioned Bluetooth support is all easily a decade behind what other cars have. Hell, our energy meter is a joke: it won't break out power used to move from that used to maintain the pack, doesn't want to count when I am not moving, and blends in the HVAC. Auto high beams that are spastic and auto wipers that are just, well, odd.

Sorry for the ramble, but the security stunt is one thing; non-essential crap like easter eggs is just more things to break or be exploited. Bring the car's customer-facing electronics up to date before farting around more.

Love my car, have serious doubts about their priorities.

Do you believe programmers are fungible? That the ones who wrote the easter eggs could easily be reassigned to work on a specific feature you want? Have you considered that maybe only a handful of employees have expertise in bluetooth, were working on the feature you want, while others were making the easter egg?

It's because of entitled comments like this that companies don't develop easter eggs. They know that someone who doesn't understand how software development works will ask this very question - "why easter eggs? Why not that one feature I want?"

That's not why companies don't develop Easter eggs. It's because: 1) Easter eggs are features. 2) Features cost time and money. 3) Features almost always also add bugs. 4) Easter eggs usually aren't in the test plan.

What you get is something that costs money and has the chance to decrease the quality of your software.

Now there are intangibles that make Easter eggs worth it. Mostly, you have to keep the developers happy. But don't act like they have zero cost.

Full disclosure, I shipped an easter egg in the Sun x86 service processor about 11 years ago.

I'd argue that the Tesla stuff here isn't really Easter eggs as traditionally understood; which are stuff put in by devs having fun; and then it's either not spotted or ignored by management. Easter eggs are usually somewhat hidden, and require some degree of intelligence to appreciate. The Tesla stuff is lame "fart apps" that were clearly put there under instructions by some PR guys or Musk himself. No developers were kept happy in this process.

The apps are part of a marketing plan, and I personally doubt that devs didn’t have fun building them.

My kids gleefully get to “drive” my Tesla using the steering wheel to play Pole Position. They snicker when we goof around with the whoopie cushion.

It’s hard not to be positively influenced by something that gives your children joy. I appreciate that there are these bits in the software which are whimsical that my family can play with.

I’m glad you acknowledge they shipped a major autopilot update at the same time.

Navigate on Autopilot (Beta) suggests lane changes but does not proceed without confirmation. But autonomous lane changing is live in Tesla internal test vehicles and will roll out after more testing. Getting on and off the highway and changing lanes is a step up, so they are shipping real features.

They enhanced the cruise to be more aware of sharp curves (will adapt speed, even below your set point, in advance of a curve).

They also added blind spot monitoring showing vehicles behind and to the sides which had not been displayed on the guidance system previously. They also distinguish between the types of cars with different icons for trucks, buses, and SUVs. They also added rudimentary pedestrian detection and a very goofy pedestrian icon on the guidance display.

And also dash cam support which had been much requested.

I agree with you that the media control from the phone is lacking. The good thing is I’m confident an update will come along one day and make it better. More than I can say for any other car!

Lastly, the humorous apps have a purpose. My 6 year old son is absolutely in love with the Tesla and now begs to take my car instead of mom's Mercedes. He asks me at least once a week about when I’m going to get the Roadster with the rocket boosters. (As if!) It’s genius marketing even if it is a bit silly.

Almost all the features you mention (navigate on autopilot, blind spot monitoring, dash cam) shipped in October, not in the Christmas release.

Yes, a major version upgrade two months prior. 8 weeks later, over Holiday season, you are expecting... what exactly?!

A fireplace video and new game is exactly what I would expect as a bit of fun to wrap up the year.

OP claimed Tesla has their priorities wrong. I strenuously disagree and provided ample evidence to back my assertion.

The dashcam feature is completely broken for me. It stops working after a few days without fail then I have to reformat the drive. I would prefer that someone fix this issue than work on easter eggs.

The lack of visible, public progress on an issue is not indicative of a lack of people working on it. And assigning more cooks to the kitchen probably won't speed things up.

You make good points, but from my own experience the times easter eggs get added to software are often related to underlying tech changes.

Consider that the fireplace screen saver might not just be about having a fireplace, but perhaps a test of streaming video over the air, or maybe it's rendered with OpenGL, or maybe it's testing a new app deployment mechanism, etc. Easter eggs are a great way to test new tech that could be very important, on a low-impact area of the system.

Or the fart mode could just be fart mode.

Can you elaborate on selecting tracks, playlists, artists over Bluetooth, and how Tesla is "easily a decade behind"?

On my 3, track name and album art (if available) is displayed, and I can control via the touchscreen or steering wheel controls - same as on my 2016 VW Golf R.

It's more-or-less exactly what I need and want, but of course more features are more compelling. I've never seen another vehicle from any marque offer any more options over Bluetooth. If you can select playlists, can you do the same with (say) Spotify, or only with in-phone playlists of local music? iOS? Android? Both?

I wish we had the option to have Spotify instead of Slacker radio as they do in Europe, as I actually pay for Spotify, but to be honest, I don't get a whole lot of value from browsing through playlists on my in-dash screen. I used Carplay precisely twice in my Golf for this very reason. Frankly, the phone controls are more familiar and easier to use with minimal diversion of attention.

But, I'd love to hear more about what Bluetooth supports and which cars support those advanced features.

I echo your comments on the easter eggs. I give precisely zero shits about them, and IMO, they're not even easter eggs when you practically click a menu that says EASTER EGGS. When I was 14, they were fun, when passed around via word of mouth. I've never opened any of them on my 3, I just don't care. For some reason, my (retired) dad really loves them, but I guess he's got plenty of time to sit around in the car in the garage playing games :P

I want the ability to browse my phone's library on the big screen so that I don't have to pick it up from the wireless dock. Also when you search for songs you just get random radio stations...

Search would be nice -- I just wish parent would elaborate because I'm not aware of this existing in any other BT device. I'm not sure how it would work, but I don't know the BT spec/featureset.

On the plus side, Tesla seems to be aware of those risks, and also has a cyber security team that is miles ahead of other automakers. For example, there are no master passwords that service personnel can use, instead they use public key cryptography which generates a rotating password. Most Tesla "hacks" have required physical access as a result (i.e. pulling out the screen and finding an Ethernet jack), although a few researchers have managed remote attacks.

On the plus side, other automakers do not have remote access as such. All the other automakers "hacks" have required physical access as a result, although a few researchers (2 teams only) have managed remote attacks.

Unfortunately most other manufacturers also still heavily rely on the woefully outdated and insecure CAN bus. Which means remotely hacking the poorly secured infotainment system can give you access to critical systems. Random example [0]. Your thought shouldn't be a comforting one.

[0] https://www.wired.com/2016/08/jeep-hackers-return-high-speed...

Absolutely no idea why you're being downvoted here when this is in fact the truth. Virtually all automotive computers use the CAN bus in literally every modern car in existence.

It might be because Tesla also uses CAN bus, whereas the parent post implies that only "other automakers" do it.

Plus, CAN bus is just layer 2/3, you could build secure extensions on top of it, but I agree it is insecure by default.
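On the point above that CAN is only a layer 2/3 transport and that secure extensions can be built on top of it: the following is an added Python sketch, not the commenter's code and not AUTOSAR's or any vendor's, of one such extension. It loosely follows the idea behind the AUTOSAR SecOC approach (a freshness counter plus a truncated MAC inside the data field) without reproducing any specific profile; the shared key, the 1-byte counter / 4-byte MAC layout and the sample frames are all constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed shared key: in a real ECU this would be provisioned per vehicle, never hard-coded.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

CTR_LEN = 1  # freshness counter bytes carried in the frame (assumed layout)
MAC_LEN = 4  # truncated MAC bytes carried in the frame (assumed layout)
CAN_DLC = 8  # classic CAN data field limit; the payload gets whatever is left


def build_frame(can_id: int, payload: bytes, counter: int, key: bytes = KEY) -> bytes:
    """Sender side: data field = payload || counter || truncated HMAC.

    The MAC also covers the arbitration ID, so a tag valid for one ID cannot be
    re-used under another. Example layout, not a standard profile.
    """
    if len(payload) > CAN_DLC - CTR_LEN - MAC_LEN:
        raise ValueError("payload too large for an authenticated classic CAN frame")
    ctr = counter & 0xFF
    authed = struct.pack(">I", can_id) + bytes([ctr]) + payload
    tag = hmac.new(key, authed, hashlib.sha256).digest()[:MAC_LEN]
    return payload + bytes([ctr]) + tag


class Receiver:
    """Receiver side: rejects bad MACs and replays of an already-seen counter."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_ctr = {}  # can_id -> last accepted counter value

    def _fresh(self, can_id: int, ctr: int) -> bool:
        last = self.last_ctr.get(can_id)
        if last is None:
            return True
        # Accept only counters ahead of the last one, within half the 8-bit range,
        # so the counter may wrap around without being treated as a replay.
        return 0 < (ctr - last) % 256 < 128

    def accept(self, can_id: int, data: bytes):
        """Return (ok, reason, payload) for one received frame."""
        if len(data) < CTR_LEN + MAC_LEN or len(data) > CAN_DLC:
            return False, "bad length", b""
        payload = data[:-CTR_LEN - MAC_LEN]
        ctr = data[-CTR_LEN - MAC_LEN]
        tag = data[-MAC_LEN:]
        authed = struct.pack(">I", can_id) + bytes([ctr]) + payload
        expected = hmac.new(self.key, authed, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time compare; the MAC is checked before freshness so that a
        # frame from a node without the key can never advance the counter.
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac", b""
        if not self._fresh(can_id, ctr):
            return False, "replay", b""
        self.last_ctr[can_id] = ctr
        return True, "ok", payload


def demo():
    """Constructed exchange: genuine frame, replay, tampered copy, forgery without the key, next frame."""
    rx = Receiver()
    genuine = build_frame(0x100, b"\x00\x32\x00", counter=7)
    results = [rx.accept(0x100, genuine)[:2]]                  # accepted
    results.append(rx.accept(0x100, genuine)[:2])              # same counter again: replay
    tampered = bytes([genuine[0] ^ 0x01]) + genuine[1:]
    results.append(rx.accept(0x100, tampered)[:2])             # payload altered: bad mac
    forged = build_frame(0x100, b"\x00\x32\x00", counter=8, key=b"\x00" * 16)
    results.append(rx.accept(0x100, forged)[:2])               # wrong key: bad mac
    results.append(rx.accept(0x100, build_frame(0x100, b"\x00\x33\x00", counter=8))[:2])  # accepted
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The cost of this scheme is visible in the layout: with a 1-byte counter and a 4-byte tag, a classic 8-byte frame keeps only 3 bytes for payload, which is why in practice such schemes are applied selectively to safety-relevant IDs and why a 4-byte tag (not a full HMAC) is used at all.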

That wasn't what I intended to imply. Rather that it's not like other manufacturers found the secret recipe and we should somehow feel safer in their cars. Added an "also" for clarity.

Hence "virtually all". You're absolutely correct

Absolutely no idea why you're being downvoted here when this is in fact the truth.

Because some people value the pro-Tesla narrative more than the truth. This is too bad, because one can value the pro-Tesla narrative and the truth at the same time. (Putting the truth first, of course.)

CAN is as insecure as Ethernet as both are layer 2 protocols.

So it's like the smart home.

Perfectly correct. This is why IoT is a big deal, anyone hacking your poorly secured IoT device has access to the network it's in.

Two major differences though:

1) There are accessible ways for you to secure your home network, not so much when it comes to the car network.

2) Someone taking control of your car poses a more immediate risk to your life and the lives of others on the road around you than having your home network hacked.

as others are saying - you are correct - CAN is a shared bus so inherently insecure and physical access becomes a lot easier.
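Both the FlexRay/CAN exchange earlier in the thread ("attach a node and start spewing garbage from whichever address you'd like") and this sub-thread rest on the same property: CAN is a shared bus with no sender authentication, so an arbitration ID says nothing about which node actually transmitted. The following is an added Python example, not from any commenter or vendor, of the detection approach that property leaves open: profiling the bus by ID and period and flagging frames that break the profile. The ID table, periods and the trace are constructed for the example; a real profile would come from the vehicle's CAN database.

```python
from typing import Iterable, List, Tuple

# Constructed bus profile: arbitration IDs this bus is expected to carry and their
# nominal period in milliseconds. A real profile comes from the DBC, not from guesses.
PROFILE = {
    0x100: 10,   # e.g. a periodic powertrain status frame every 10 ms
    0x200: 100,  # e.g. a body-control status frame every 100 ms
}

Frame = Tuple[int, int, bytes]  # (timestamp_ms, arbitration_id, data)
Alert = Tuple[int, int, str]    # (timestamp_ms, arbitration_id, reason)


def check_frames(frames: Iterable[Frame], profile=PROFILE, tolerance: float = 0.5) -> List[Alert]:
    """Flag frames that do not fit the profile.

    Any node on the bus can transmit under any arbitration ID, so a spoofing node
    cannot be told apart by the ID alone. What it cannot easily hide is timing:
    the genuine ECU keeps sending on its schedule, so an injected copy of a
    periodic frame shows up as an extra frame well inside the normal period.
    Unknown IDs and over-long data fields are flagged as well.
    """
    alerts: List[Alert] = []
    last_seen = {}
    for ts, cid, data in sorted(frames, key=lambda f: f[0]):
        if cid not in profile:
            alerts.append((ts, cid, "unknown arbitration id"))
            continue
        if len(data) > 8:
            alerts.append((ts, cid, "data length exceeds classic CAN limit"))
            continue
        if cid in last_seen and ts - last_seen[cid] < profile[cid] * (1 - tolerance):
            alerts.append((ts, cid, "interval too short"))
            # Do not update last_seen for the suspect frame, so the genuine frame
            # that follows is measured against the last trusted one, not the injected one.
            continue
        last_seen[cid] = ts
    return alerts


# Constructed trace: a normal 10 ms cadence on 0x100, one injected 0x100 frame at t=32,
# and one frame under an ID the profile has never seen.
SAMPLE_FRAMES = [
    (0,   0x100, b"\x00\x32"),
    (0,   0x200, b"\x01"),
    (10,  0x100, b"\x00\x33"),
    (20,  0x100, b"\x00\x33"),
    (30,  0x100, b"\x00\x34"),
    (32,  0x100, b"\xff\xff"),   # injected: same ID, out of cadence
    (40,  0x100, b"\x00\x34"),
    (40,  0x7FF, b"\xde\xad"),   # not in the profile at all
    (100, 0x200, b"\x01"),
]


if __name__ == "__main__":
    for ts, cid, reason in check_frames(SAMPLE_FRAMES):
        print(f"t={ts}ms id=0x{cid:03X}: {reason}")
```

Timing profiles catch the crude case (a second node talking under a genuine ID at its own cadence) but not a node that first silences the real ECU, which is why this kind of monitoring complements, rather than replaces, frame authentication and the gateway separation between infotainment and powertrain buses discussed elsewhere in the thread.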

There's no doubt someone's getting a free car.

That's the goal isn't it ?

Finding critical flaws in a super complex system you built for years and sell to the entire world. For just the price of a car.

Or, miracle occurs, nobody finds anything and you get some killer PR.

That's a very good deal.

You don't think they could ask their own salaried engineers and get a nice long list of secured-by-obscurity vulnerabilities?

If they want the best security, they should have a bounty program both internally and externally. Of course, one would expect the Tesla engineers to find bugs first, as they have earlier and closer access to the system. Such bug/exploit finding should be appropriately rewarded. But the closer you are working with a product, the more obvious things one might miss. I often miss bugs in my own code, while I am great at finding them in my coworkers' code :). So external bounty programs attract a wide variety of clever people with an independent mindset.

We are talking about a company that made electrical vehicles economically realistic in an oil-addicted world.

I think it's safe to think they have considered that already :)

Would you say it's unlikely they just maxed out what they can do internally and want new eyes to work on it ?

> We are talking about a company that made electrical vehicles economically realistic in an oil-addicted world.

When did that occur? They're still selling $40K+ cars while their competitors are selling cars in the $20K range; Tesla cars continue not to make financial sense, they're a luxury good.

Dollar per dollar the best bang for your buck is still likely hybrid vehicles followed by the cheapest electric vehicle you can find.

It wasn't very long ago that electric cars were considered nothing more than an elaborate joke which would never command equal consideration with gasoline-powered cars.

The Roadster definitely challenged a lot of those assumptions. Tesla proved they could make an electric car people wanted, rather than one they hated but tolerated out of a sense of moral obligation.

You're arguing a completely different point than the one I responded to.

> made electrical vehicles economically realistic

I don't think I am - consumer acceptance is a critical part of economic viability. A product which nobody wants to buy isn't a viable alternative, regardless of price point.

To cast some perspective, Nissan has sold about 380k Leafs - the most popular electric car in the world - worldwide over the past 8 years. Tesla has shipped over 160k Model 3s in the US alone over the past 14 months (and currently continues to sell another 20k or so per month).

The vehicle market is huge, and Tesla has by no means conquered it, but they've put a much larger dent in it than any other electric vehicle manufacturer, and have been instrumental in changing public opinion on EVs.

Tesla has made an inconsequential dent in the automotive market. Their cars really don't exist in any statistical sense.

Volkswagen, post diesel fiasco, is best situated to hard-pivot to electric. Nissan is already succeeding. Others will follow suit as soon as it's economically viable, and mostly this depends on battery tech improving a little bit more.

Tesla is not the leader: https://www.forbes.com/sites/bertelschmitt/2017/05/01/who-is...

Certainly they haven't conquered the auto market - it's huge. I don't think anyone has made that argument, though.

Your article is nearly two years old, though; 2018 was a very different year for EVs because of the Model 3. Here's some actual sales data for you: https://insideevs.com/monthly-plug-in-sales-scorecard/

The Model 3 accounted for 38% of all EV or hybrid vehicles sold in the US in 2018 and 60% of all BEV vehicles. Tesla's 3 vehicles accounted for over 50% of all EV/hybrid sales, and 82% of all BEV sales in the US in 2018. How you can look at that and conclude that they aren't the leader in that space is beyond me.

I get it, you hold $TSLA and you're hoping it goes to the moon.

The US market is not the world market, and world-wide Tesla is inconsequential. Even in the US it's highly localized, and in those areas it's still inconsequential.

The Model 3 has suffered from ridiculous levels of mismanagement and process problems. They are so far behind on targets it's amazing their entire management team hasn't been sacked and replaced with people who know what they're doing.

One day a company that's competent, like Toyota, will brush Tesla aside without even trying. Until then Tesla has a fraction of a fraction of the sales in the US.

Heh, I have one share of TSLA, and that's just a symbolic statement of my desire to see them succeed in their mission. Guess that makes me a shill. I'll enjoy my 4.3 seconds of retirement on the proceeds. Is this the part where I accuse you of being one of those eeeeevil shorts in response?

The US (well, North American) market comparison is apt because that's the only market that Tesla is manufacturing and selling in in any appreciable quantity right now. It's somewhat difficult to quantify demand response in markets where supply isn't available.

Toyota may well come from behind and eclipse Tesla. I'm not particularly concerned if they do or not, but I do think it's ignorant to look at the EV landscape and not conclude that Tesla has created demand and interest in a market previously marked by tepid apathy. You're arguing global auto markets, I'm talking about impact on consumer sentiment towards EVs. Two totally different discussions (and frankly, a rather clumsy strawman on your part).

It happened when we shifted from "electrical cars are hippie nonsense" to "we think there is a strong possibility in a not so distance future they will replace most oil based cars". They enabled that thinking. It just didn't exist before their first roadster.

You said "You're arguing a completely different point than the one I responded to" to another commenter, but so are you. The initial debate is whether, given Tesla's size and expertise, it's logical to expect them to indeed have done their homework and now choose another approach to find bugs.

The Model 3 is the best selling luxury car in the US. Outselling tons of SUVs, in a US auto climate where the biggest automakers are ditching cars altogether in favor of SUVs.

I'd say that counts as "economically realistic", even if it doesn't meet your further-back goalpost of "best bang for the buck". If the Model 3 isn't economically realistic, someone should tell that to Audi and BMW and Cadillac and Mercedes-Benz.


We're talking about a company that spent more than a billion dollars to build an assembly line they discovered after the fact wouldn't work...

It's not safe to say anything about Tesla's capabilities or competencies at this point.

UBS hired professionals to tear down a model 3 and they think the raw tech is way ahead of the competition. Read the report yourself: https://www.dropbox.com/s/3wfof8kfw02cbbf/Teardown%206.pdf?d...

Munroe's teardown also had some interesting findings (both good and bad, but that was the goal):


A suspension worthy of Formula One was quite a compliment. I'd say there are some things that Tesla does uniquely well. Safety is another one. Remember that time the NHTSA literally broke their testing machine when testing the Model S for crash safety? No? Here are some videos:


>UBS hired professionals to tear down a model 3 and they think the raw tech is way ahead of the competition. Read the report yourself: https://www.dropbox.com/s/3wfof8kfw02cbbf/Teardown%206.pdf?d....

That reads like an ad paid for by Tesla

Multiple separate automobile teardown companies have reported the same thing, basically, we don't believe it can be this good then afterwards, wow, this is more sophisticated than they believed anyone would do now. Such as https://electrek.co/2018/07/26/tesla-model-3-teardown-electr...

Literally my point! "Tesla can't do that!" hires professionals to reverse engineer a Tesla "Oh, Tesla did that!" What shall we do today, Pinky?

Read the report yourself. It stands on its own.

There's two parts to engineering: Making something good, and making something you can manufacture inexpensively. These two are in complete contradiction most of the time.

You can "engineer" the hell out of something and still do a terrible job as an engineer. Tesla's infatuation with novel, clever things often gets in the way of shipping. Their fiasco with the Model X gull-wing doors is just one example of a billion.

It's easy to make your car better when you can charge vastly more and you've got tons of VC money you can blow through in pursuit of some distant goal. Established car companies have no such luxury.

This is not to say Tesla hasn't had some wins, but on the whole they're losing.

Arguably Tesla is the Juicero of cars.

>It's easy to make your car better when you can charge vastly more and you've got tons of VC money you can blow through in pursuit of some distant goal. Established car companies have no such luxury.

Isn't that called "disruption" and is the entire reason Silicon Valley exists?

You can "disrupt" without being in the Valley, plus a lot of companies that claim they're disrupting are just cherry-picking customers and barely moving the needle in terms of net-new technology.

It's easy to make a billion dollar start-up if you get two billion in cash you can blow on acquisitions. It's hard to make that company survive more than ten years.

When Tesla runs out of VC money, which they will, things are going to turn ugly in a hurry. All this money they've blown on door hinges and sending cars into space will be gone and they'll have to turn a profit. I'm not sure they can without massively cutting back and radically simplifying their product.

Any people in this thread capable of creating revolutionary vehicles, mass building them, and selling them for years, raise your hand.

Toyota and Nissan have their hands raised, and have had their hands raised for decades.

The market for clean vehicles exists because Toyota and Nissan showed there was demand for it. Tesla came in and made better-looking cars (from a distance; they're quite shoddy looking up close), but they're competitive only because Toyota and Nissan have chosen to stick with their distinctive designs rather than put their EV tech into mainstream vehicles.

And Tesla's big problem is that the rest of the industry is finally getting around to putting their EV technologies into mainstream vehicles, almost all of which are better made and far more reliable.

What does that have to do with what he said about Tesla? Are you going to debate with him or are you going to make another non-contributing comment?

Rebuttals of the "Oh yeah? Well, what world changing things have YOU done?" variety are common if someone brings up anything remotely negative about Tesla.

Well, for myself, I've changed the law in several countries in ways that have greatly improved the lives of the people affected by them.

I feel pretty confident in my right to criticize Tesla for its presumptive and poorly executed overreach.

What about Nissan?

That aside, I don't trust any car maker to make good software. Especially infotainment. Especially if it has Bluetooth/Wi-Fi. And especially if there's internet involved. Let's just say I'm holding back words here.

The grand majority of software development is not very strict on best security practices. But a two ton object that can easily move at speeds over 100 km/h demands insane security measures. That's my opinion, at least. I know people will sooner buy a car with Spotify. And I know people won't just hack other people's cars and make them crash. But still, it weighs two tons and moves at two hundred kilometers per hour.

As a side note: someone else wrote how Teslas are advanced in terms of computer technology compared to other cars and how many computers they have in their cars. Lots of other cars have a ton of computers in them. It's nothing new.

The comment was answering "You don't think they could ask their own salaried engineers and get a nice long list of secured-by-obscurity vulnerabilities?" by saying that since Tesla is a leading player in the electric car industry, it's fair to assume they did that already, and that is why they are now seeking experience from outside.

Since I'm not giving any evaluation in any way about the quality of the software resulting from those actions, is your comment stating that I'm wrong, in a way I couldn't understand?

I was reading the LKML (Linux kernel mailing list) back when some... people were pushing DBus (a message transport protocol) into the kernel (in a slightly different form, as kdbus). Main reasons were performance (dbus sucks there) and... I think security or something. Many comments in, and the main reasoning for the performance improvement (of moving it into the kernel) was context switching (going from a userspace program into the kernel and/or back). At least two senior Red Hat engineers, the top kernel maintainer, and a bunch of other engineers. Out of all of them NOBODY bothered to check out why dbus is slow. Until Linus himself ran a simple test and found that the user-space dbus daemon is not optimized at all. Context switches were something like 1% of the actual performance cost. Well... saying that nobody bothered to check is just my wishful thinking, thinking that it is incompetence or just them being jaded by fancy technology rather than malice (there's more to the story).

Anyway. One of the mails was from an infotainment engineer at some car company. Before that I, for some reason, thought that such a big and serious industry is very serious when it comes to software. But right then it clicked that car software makers are just like any other software writers (maybe a bit more serious). This was before two hackers hacked a Toyota. And later a Range Rover (or something) over Bluetooth. Both those companies are much older and much more serious than Tesla, and probably have plenty of world class coders at their disposal.

As for the first part of what I wrote above (that I forgot by now): Teslas are not the first commercially viable electric car. They may be among the first to have nice range (over 300 km). And Teslas are not the most affordable; that goes to the Nissan Leaf (2017 and above). Granted, the Nissan is not a big car, closer to a Clio.

On another thought, they could just hire a security company to do a deep audit. Maybe they have. Maybe that's why they are incentivizing crackers. I do not and probably can not know.

edited for readability

EDIT: I'd maybe trust Rolls Royce. But I don't have money for that so it doesn't matter.

Can't reply to gens' comment, so I'll do it here:

I see that you had many experiences with failing engineering, and so have I. What's more, car manufacturers have been involved in more and more scandals, and this does include code quality. As a matter of fact, I did meet people with direct experience on car systems code that reported deep quality problems.

It's then logical to say there is a possibility Tesla screwed up.

However, electric cars have been holding computers since day one. Tesla demonstrated the ability to create, build and sell at scale complex electronic systems with generally well considered performance. Also, their will to allow outsiders to attack it can be interpreted as a desire to improve the system, and hence it makes sense to think this desire existed before, and that they did their homework (which is the original topic of this thread).

We are discussing the ability to set up a process, not to succeed in it.

You need to wait a bit.

Anyway. I'm sorry. I forgot for a second that I don't want to take part in these kinds of discussions. Tesla, in this case. You can have your faith.

There's a zero percent chance that this car is not pwned. Those that have spoken out about Tesla's technical practices have described a situation so wildly out of control it's amazing their entire fleet hasn't been remote bricked.

They've already been through rounds of attacks and fixes. They've paid people and publicly discussed the vulnerabilities that were discovered. They have separate computing systems for the UI (which must have endless attack surfaces since it's an old WebKit browser; please find a lot of problems so they will update it) and the drivetrain. If you don't have a Tesla, it's very interesting how it works. The UI system can be rebooted while the car is on and driving; it's completely separate.

One of the interesting things I've read about Tesla's OTA updates, is that for common sense "holy shit that was not supposed to happen" type reasons, they push updates to discrete batches of cars at a time, wait to make sure that owners are not reporting weirdness at a rate any higher than the normal background noise, probably do some analysis on the self-reported telemetry, and then proceed with pushing updates to additional VIN numbers.

It's definitely not a "push to all cars" type thing.

That's just how my smart TV manufacturer does it too.

If they can push to batches of cars then they can push to all cars if they want to.

Even beyond all that, I assume what will be missing from this contest is someone hacking Tesla's servers to send malicious updates to the cars.

I don't think something like this would be allowed in the contest, which is a shame, because it's probably what most of those who want to "hack Teslas" in the real world will attempt to do.

The infotainment system, "autopilot" (or rather, driving assistant systems), OTA ability for all software, and apps in most recent high-end cars are actually very similar in scope to what Tesla provides, just very differently constructed (with a much larger focus on security in competing cars).

The interesting part is Tesla shipping this in the $45,000 Model 3 while competitors at the moment are only shipping this in much more expensive models.

I actually wouldn't be surprised if, one or more days before the contest, an OTA is sent out. Which would leave a lot of entrants frustrated.

That's what I would do in Tesla's case, just to make sure that a lot is fixed (if it's possible, ofc).

If I won this one, I think I'd take the cash equivalent, thank you very much...

This will be interesting. A Jeep Cherokee was hacked a couple years ago. The results are pretty bad. It cost Chrysler a lot of money in recalls to fix the issue.[1]


There is a big difference between Chrysler (or any other car manufacturer) and Tesla in terms of impact.

Teslas are designed to receive software updates on a regular basis using a cellular connection, whereas with every other car brand you'll need to bring the car to a certified dealership to have a mechanic (!= computer engineer) install the new firmware.

So: a nasty bug in a 'regular' car means the manufacturer must consider a recall of all affected cars, where Tesla will simply push an update to all cars in the field. This also means that Tesla can run the update before the vuln is disclosed.

Musk said he regards Tesla as a software company, their software just so happens to have a car attached to it. I highly doubt other car manufacturers see it that way, they probably see the software development as an expense.

> So: a nasty bug in a 'regular' car means the manufacturer must consider a recall of all affected cars, where Tesla will simply push an update to all cars in the field. This also means that Tesla can run the update before the vuln is disclosed.

Maybe, but that sounds optimistic. What if the hack turns that off? What if the hack bricks a piece of hardware? Should remote updates be trusted if the car's been infected with malware?

> Musk said he regards Tesla as a software company, their software just so happens to have a car attached to it. I highly doubt other car manufacturers see it that way, they probably see the software development as an expense.

Software companies write most of the software bugs, so that doesn't make me feel any better...

I have a Grand Cherokee that receives OTA updates and has an LTE connection, as do the new Wranglers. I can even use it as a hotspot. My parents' Lexus can also receive OTA updates.

Your statement is untrue about OTA updates. Tesla might have been the first to do it in 2012 but most companies are doing it already or plan to.

GM and Ford plan it for 2020 and Mercedes and BMW have announced it in the past year. The Japanese makers are usually more reluctant to adopt new tech.

The software updates in Tesla generally only happen over Wifi, not cellular. I had to lay conduit from my home to my garage, drill through the masonry, run some more conduit inside the garage, pull CAT6 through from my basement through the conduit to my garage... Then fish the cable through the ceiling and mount a Unifi AC Pro access point in my garage because I wanted the latest autopilot update. Yeah...

You definitely didn't need to do that.

There are much cheaper APs than a Unifi AC Pro.

Which tells me you probably could've saved money in some other ways as well.

He should have parked within range of his house wifi and updated while sipping a beverage.

I had the AC Pro in my home, and had just bought an AC HD to upgrade it. So I had a "spare" AC Pro just laying around, as you do when you computer for a living.

"had to"

Interesting that a range extender wasn't sufficient.

> with every other car brand you'll need to bring the car to a certified dealership to have a mechanic (!= computer engineer) install the new firmware.

This is not true. Some FiatChrysler vehicles have OTA updates. And if FCA is doing it, others are, too.

Seems like Tesla could fix security holes remotely. Chrysler could not.

Assuming it's a remote exploit, then you can't trust the update code that's on board, because that could be compromised and just pretending to run the update.

When a system is breached with methods that don't leave a signature, a clean reinstall from scratch is the only option. Once one to all of your systems are potentially breached by remote exploits, it's recall time.

Local exploits that require access to the car's innards could potentially be patched over the air if the method allows the owner to know whether the car was breached. Then it'd be an update for safe cars and a recall for breached cars.

My car, the Grand Cherokee, can get OTA updates. Not sure if the 2014 Cherokee is able to get them. According to Autoweek, Cherokee owners could download the update themselves and install it from a USB stick.[1] Chrysler issued the TSB to try and force people to come in and get an update who couldn't or wouldn't do it themselves.


The ability to remotely patch a car seems like a double edged sword. Hasn't Tesla already had at least one example of introducing a bug through OTA updates?

I consider that an issue with the software quality, not with the update mechanism. The bug would still have been introduced even if it required a trip to the dealer to plug in a programming cable.

At least, when it's updated by a dealer and a cable, you know when to expect changed behavior. With OTA, the vehicle's driving behavior could quite literally change overnight (and has).

I'm pretty sure you still need manual confirmation in the car, and it shows you patch notes when you next get in, so you should have reason to expect changed behavior.

The only problem I can see with the OTA updates is that they remove the need for physical access to the car. This is very convenient and allows for fast updates but it does slightly decrease the security and lowers the bar for successfully hacking the car remotely.

That same bug could have been introduced whether or not the update was OTA. At least they could fix it OTA as well...!

Assuming the attacker doesn't devise some malware that silently blocks subsequent OTA updates.

All it would take would be for Tesla to send out a verification check to get software signatures from all cars that have phoned home anytime in the last 6 months. If something doesn't match, Tesla calls you up and tells you your car is fucked and to come get it serviced. If your car doesn't phone home yet is still pulling data from the internet, Tesla would know and suspect it's compromised.

And what prevents the compromised Tesla system from lying about its software signatures? When you have a compromised system, literally everything that system tells you or is capable of telling you is suspect.

Well, you could fill all of the unused storage space on the system with random noise specified by you, then ask the system to regurgitate that noise to you (or more practically, tell you a function calculated from some set of bytes you specify). That would require that an attacker physically alter the hardware to defeat your verification process.

You can maybe come up with a version of this that uses an HSM, or simply some part of the firmware that is read-only.

You can't fake cryptographic signatures.

Cryptography is not a magic bullet. The assertion of a signature is that "Private Key Bar says Hash(plaintext) = Foo." But who is the private key; who is actually computing the hash of the plaintext? Note that practically every cryptographic system in existence has been broken at one time or another, and most of those breaks are not in the mathematical primitives of cryptography but in the wider ecosystem of the procedures of how these primitives are combined into a full system.

In the threat model I describe, the attacker who controls the car's system can lie to the server about what is on its system. It also has access to anything that's distributed to the car itself (such as a per-car private key!), and presumably it has oracle knowledge in the form of what the server expects the correct hash to be. A compromised car can freely lie about the hashes of anything on its own system as necessary; it can freely sign any attestation with a per-car private key; it can parrot the expected hashes of files distributed to other cars. Even if you sent watermarked files to cars, the compromised car could remember the hashes of those watermarks to parrot them back later.

So, pray tell, where do you imagine the cryptographic signature actually adds value? As in, how can you pick the owner of the private key and the owner of the hashing process such that a near-omnipotent compromised car cannot fool the server?

The private key would need to be stored in some read-only media like a smartcard or a PROM chip. A boot environment that can only be externally programmed would need to be the first thing to start up and check the integrity of the filesystem. It would hash it, timestamp it, and send it to an HSM to sign it with a secured private key, then transmit the signed hash out and hand off the rest of the startup to the main OS. Tesla gets the hash and verifies the signature so they can check whether or not the OS is compromised. Because the bootloader chip sits outside the control of the main OS, you can ensure that as long as someone doesn't rip out the ECU, the filesystem check is legit. Another step would be to allow the HSM to cycle in new keys using a KEK. The HSM would have a master private key that is only used for KEK updates and a lesser private key that it uses for signing hashes.

It's super hard to ensure something with 100% confidence, but it doesn't mean there shouldn't be at least some basic integrity checks.

How so? Tesla would most likely communicate with an API on the car and not directly run file hashes remotely.

What prevents an attacker from overriding some validateFile("path","hash") call to always return 0?

Because you could ask for a checksum of the firmware and if it doesn't return the right hash you know something isn't right.

You also never store the hash, so once a user has gained access to the car it's impossible to get the right hash (as you would've had to modify the firmware/filesystem/etc in some way to gain entry).

You would also need to include a timestamp/car serial in the hash so that you couldn't reuse an old hash from before your entry (that you had MITM'd) or use a hash from a different car that still had its integrity.
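The integrity check this subthread sketches (a boot stage outside the main OS hashes the filesystem, an HSM signs the hash, and the server binds each report to the car serial, a fresh nonce and a timestamp so an old report or another car's report cannot be reused), as an added example that is not Tesla's code or anything posted in the thread. It assumes HMAC-SHA256 with a per-car key known only to the HSM and the server as a stand-in for the HSM's signature, and uses constructed firmware bytes.

```python
"""Added example (not Tesla's code): the remote attestation flow sketched above.
HMAC-SHA256 with a per-car key known only to the HSM and the server stands in for
the HSM's asymmetric signature (assumption); firmware images are constructed."""
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple

# Constructed sample firmware images; not real vehicle images.
GOOD_FIRMWARE = b"constructed-firmware-image-2019.5 " * 64
TAMPERED_FIRMWARE = GOOD_FIRMWARE[:100] + b"backdoor" + GOOD_FIRMWARE[108:]
FRESHNESS_WINDOW = 300  # seconds a report's timestamp may lag the server clock


class Hsm:
    """Holds a per-car key the main OS cannot read; exposes nothing but sign()."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def attest(firmware: bytes, serial: str, nonce: bytes, ts: int, hsm: Hsm) -> dict:
    """Boot-stage report: runs before the main OS, so it hashes what is really on disk."""
    fw_hash = hashlib.sha256(firmware).hexdigest()
    msg = f"{serial}|{ts}|{nonce.hex()}|{fw_hash}".encode()
    return {"serial": serial, "ts": ts, "nonce": nonce, "fw_hash": fw_hash, "sig": hsm.sign(msg)}


class AttestationServer:
    def __init__(self, expected_fw_hash: str, car_keys: Dict[str, bytes]):
        self.expected = expected_fw_hash
        self.keys = car_keys                  # serial -> per-car key
        self.pending: Dict[str, bytes] = {}   # serial -> nonce issued, not yet answered

    def challenge(self, serial: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[serial] = nonce
        return nonce

    def verify(self, report: dict, now: int) -> Tuple[bool, str]:
        serial = report["serial"]
        # The nonce must be the one outstanding for this serial: a replayed old report
        # or a report lifted from another car carries the wrong nonce.
        if self.pending.get(serial) != report["nonce"]:
            return False, "nonce not outstanding for this serial"
        if not 0 <= now - report["ts"] <= FRESHNESS_WINDOW:
            return False, "stale timestamp"
        msg = f"{serial}|{report['ts']}|{report['nonce'].hex()}|{report['fw_hash']}".encode()
        expected_sig = hmac.new(self.keys[serial], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, report["sig"]):
            return False, "bad signature"
        del self.pending[serial]              # a nonce is answered once
        if report["fw_hash"] != self.expected:
            return False, "firmware hash mismatch"
        return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """A healthy check plus the evasions raised in the thread, each answered by the server."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    server = AttestationServer(hashlib.sha256(GOOD_FIRMWARE).hexdigest(),
                               {"CAR-A": key_a, "CAR-B": key_b})
    hsm_a, hsm_b = Hsm(key_a), Hsm(key_b)
    now = int(time.time())
    results = {}
    # 1. Healthy car answers its challenge.
    good = attest(GOOD_FIRMWARE, "CAR-A", server.challenge("CAR-A"), now, hsm_a)
    results["healthy"] = server.verify(good, now)
    # 2. Same report replayed later by a now-compromised OS: nonce already consumed.
    results["replay"] = server.verify(good, now + 60)
    # 3. Modified filesystem: the boot stage hashes what is actually there.
    tampered = attest(TAMPERED_FIRMWARE, "CAR-A", server.challenge("CAR-A"), now, hsm_a)
    results["tampered"] = server.verify(tampered, now)
    # 4. Compromised OS swaps in the known-good hash; it has no key, so the signature breaks.
    forged = attest(TAMPERED_FIRMWARE, "CAR-A", server.challenge("CAR-A"), now, hsm_a)
    forged["fw_hash"] = hashlib.sha256(GOOD_FIRMWARE).hexdigest()
    results["forged_hash"] = server.verify(forged, now)
    # 5. Compromised car A submits a healthy report captured from car B, relabelled.
    stolen = attest(GOOD_FIRMWARE, "CAR-B", server.challenge("CAR-B"), now, hsm_b)
    stolen["serial"] = "CAR-A"
    results["cross_car"] = server.verify(stolen, now)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}  {why}")
```

As the thread notes, every check here rests on the boot stage and the HSM key staying outside the attacker's reach; once those fall, the server is only hearing what the compromised car chooses to sign.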

Not at all a Tech/software/hardware guy, but based on my experience with OTA firmware updates with my Netgear router, I'd be cautious.

Teslas get regular OTA updates. They sometimes fail, but they've been remotely patching their vehicles for years.

Regardless of how good/bad Tesla software will fare in the security contest, this is the best possible way to improve product security within a short amount of time, just like the cat-and-mouse game Apple plays with the jailbreaking community.

> just like the cat-and-mouse game Apple play with the Jailbreaking community.

That cat-and-mouse game discourages people from reporting vulnerabilities. Why do you think that it improves security?

> Entries against “Key Fobs or Phone-as-Key” target must achieve code execution, arbitrary vehicle unlock, or arbitrary vehicle start using protocol-related weaknesses. Entries related to Key Fob relay or “rolljam” attacks are not allowed

Does that mean that they think that such attacks are too easy? If they use rolling codes, will they classify any attack with jamming as "rolljam"? If they don't, why specify this?

Was just at RWC 2019. The Tesla Model S key fob has been successfully hacked. Here are the slides for the same talk (CHES 2018):


This is from mid-2017. "First notified Tesla on 31/08/2017 .. Tesla vehicles produced from June onwards use a new key fob". Not sure if the new fob is significantly better, as the presentation is not clear there.

And the "fix" for people who bought the car before then was adding an option to disable the automatic unlock (so you have to press a button) and/or require entering a PIN to actually drive the car.

If my understanding of the pwn2own event is correct, it's not a CTF event and the exploits are typically developed in advance, and then demonstrated during the event? If there are 2 or more exploits which all work reliably, who is determined to be the "winner"?

I found the Tesla rules: you need to exploit as many systems as possible, as hard as possible: https://static1.squarespace.com/static/5894c269e4fcb5e65a1ed...

via https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-van...

As per the full contest rules (https://www.zerodayinitiative.com/Pwn2Own2019Rules.html):

> If more than one contestant registers for a given category, the order of the contestants will be drawn at random. Based on the contestant order, the first contestant will be given an opportunity to attempt to compromise the selected target. If unsuccessful, the next randomly drawn contestant will be given an opportunity. This will continue until a contestant successfully compromises the target. The first contestant to successfully compromise a selected target will win the prize money for that target in that category. After a target has been compromised, the contest for that category is over and no other contestants will participate in the contest for that category (unless Sponsor has offered an additional winner option, which would be announced at the conference if applicable).

This is some seriously good marketing. Tesla is in a unique position to offer their car up as a prize and target. Other manufacturers could do this but because it is hard to update their firmware they don't do it.

What prize do you get for pwning it sufficiently to make it drive off on its own? Sounds like that would be the ultimate hacking competition: you get the car if you make it drive to your own home.

250k USD as stated in the article. You can get several Teslas for that money :D

You also win a Model 3.

But do you win the Model 3 you hacked, or do you first need to buy one to hack, and then you win another one?

On some level, winning the thing you hacked doesn't sound like the best kind of prize.

Well, you broke it. It's yours now.

> you get the car if you make it drive to your own home

I don't think that would be a very good premise for a contest. For example, what if it crashes into another car?

Undergrads at various universities regularly pwn vehicle systems and write reports about it for academic credit. The M3 has a lot more surface area than the typical car most people are hacking. My prediction is that the M3 is gonna get chewed up and spit out. This isn't a "will it get pwned" competition it's a "who will pwn it best/fastest" competition.

Do you get physical access to the inside of the car first? Or does the hacking have to happen from the outside of the car?

It looks like Tesla doesn't update many parts of its OS; https://www.reddit.com/r/teslamotors/comments/ag6r2f/please_...

This is a great contest. The value of winning a Tesla will be more than the value of the Model 3 up for grabs.

And it's relatively cheap for Tesla to pay out to get these vulnerabilities found and addressed.

I give it 67 seconds

edit: there is nothing stopping someone from leasing a Tesla, finding an exploit and shooting it within the first 10 seconds, no? In general, how does this work at Pwn2Own?

Anyway, they have bitquark for security. Who can find a vulnerability in Tesla products?

> And the first successful researcher can also drive off in their own brand new Model 3 after the competition ends

If you've successfully hacked a car and shared your method would you then get in said car and drive it away? I'd like a patch or at least a factory reset first....

Whoever pwns the Tesla probably doesn't even live in Vancouver, so no, they're not going to drive off in the target vehicle. Tesla would have to arrange to provide one where they live, and yeah, I think it's safe to say that one would already be patched!

Nice marketing stunt, but how many security researchers already have a Model 3 or are going to buy one to do this?

Guessing just already-successful firms / personalities that want to win Tesla pen-testing contracts in the future?

Or has Tesla released binary blobs of their firmware systems online?

Given enough time, we may find out. Does Pwn2Own have any stipulations against 'gaming' their events?

Exploits are already developed prior to the event. It's not a CTF where one can reasonably be expected to find and develop an exploit during the contest. Players get limited time to tweak what they've got in case it doesn't work, but that's it.

Well, my understanding is that there's a submission, then various teams are apprised and given x hours to complete, where x would obviously be greater than twenty-four, and not necessarily handled in one sitting, such that there'd be a 'reveal' disclosing successful contestants. So it looks like I wasn't mistaken there.

But that still does not address the matter of rigging and whether Pwn2Own has clear rules against it. I don't know, which is why I asked.

Not really, it works like this:

Prior to the "contest" beginning everyone participating has to disclose what they have 0day for. In cases where more than 1 person brings 0day for a particular target then they will attack it in turn. The order they get to go in is random. When it's someone's turn they get like 5 minutes to exploit the target. If they can't do it then it's the next person's turn. Whoever exploits it first wins. So if you have 2 people each with a reliable exploit for the same vuln in the same target then who wins is really decided by the coin toss. But let's not forget what this really is: vulnerability sales. So if there's 2 different vulns in the same target then probably the sponsor is going to want to buy them both anyway.

What is it that you mean by rigging? The main point of the event is that sellers feel safe exposing their warez. The rules are clear: they're going to get paid if they have what they say they have. The sponsors get to buy the 0day and know it's real and they're not getting ripped off. And it's all in the open and everyone gets good press.
