Hackers hijack Tesla Model S from afar, while the cars are moving

Chinese hackers have attacked Tesla electric cars from afar, using exploits that can activate brakes, unlock doors, and fold mirrors from up to 20 kilometres (12 miles) away while the cars are in motion. Keen Security Lab senior researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated the hacks …

  1. allthecoolshortnamesweretaken

    "Director Lv says the type of research is important as cars become more automated and tech-dependent."

    I'd like to nominate this for the "Understatement of the Year" awards.

    1. bazza Silver badge

      I'll say, but the obviousness of it says a lot about the car industry.

      Marketing: "I know, we'll add a remote connection and Internet to the cars, that'll make them sell better!"

      Engineering: "Er....."

      Marketing: "Remote control, mobile apps, live streaming!!!"

      Engineering: "Er this is going to be really hard..."

      Marketing: "Don't care do it or be sacked with vigour"

      Engineering: "(brown trouser) Er, Okay I guess"

      The long term strategic consequences for a car manufacturer of putting any kind of long range radio data connection (eg 3G network, or WiFi) has been wildly underestimated by the auto industry.

      For example, there's already 3G in some cars as part of an automatic emergency services alerting system for when the car crashes. Fine, but 3G won't be in use in 10 years time. Are they going to recall and upgrade all those cars to 4G? Or silently let the system fall into disuse? Both are expensive...

      1. Neil 44

        2G/3G/4G/5G/....

        2G is going to be around for a long time because lots of the so called "Smart Meters" are using it to communicate...

        1. Peter2 Silver badge

          Re: 2G/3G/4G/5G/....

          My ~2000 era car is designed with commendable paranoia.

          The In Car Entertainment stuff uses dedicated wiring that is only used for this purpose, and so regardless of what you plug into your radio you can't screw with the rest of the car. The controls on the wheel are hardwired to the plug for the stereo unit not just network addresses on the car network.

          The engine control unit is only accessible via the OBDII port, and while it is possible to read data from this at any time for diagnostics (or running one of those little HUD things from ebay, etc) the car's software is write locked when the engine is running, which neatly prevents pretty much any malicious activity.

          The only time you can write to it is when the keys are in the ignition, the ignition is turned on, but the engine is turned off. This writes off a huge majority of attacks that can be launched, from the "try to kill the driver" sort of issues covered in the article to the modern celebrated "sit outside the car with a dealer laptop, open the doors, start the engine and drive away without needing the keys" features that must have been requested by organised crime gangs to steal expensive, but badly designed cars.

          Now, if a reasonable set of security measures could be devised ~twenty years ago to prevent these sort of obviously foreseeable problems why are we having these problems today...?

    2. Anonymous Coward

      Carmageddon - With real cars, I'd pay for that shit and I'd even pay extra for the live in-car video feed.

  2. bazza Silver badge

    Poor old Elon

    He's not having a good month, is he?

    This should be a warning to all manufacturers putting remote connectivity into their cars. It's easy to do, generates enormous and never ending reputational risk.

    The only sure way Tesla have right now to fix it is to do a firmware update that disables the remote connectivity. That totally ruins the car, but if this hack (particularly the application of the brakes) goes unfixed for any appreciable length of time they'll risk copping a massive fine, just like Fiat Chrysler did.

    Hopefully they'll learn the exact vulnerability exploited here and be able to fix it properly in the very near future.

    1. VinceH

      Re: Poor old Elon

      The article does mention that the researchers have sent details to Tesla.

      As to disabling remote connectivity, in the video when they hack the new vehicle they ask the driver to search for the nearest charging point - so they must be somehow intercepting the exchange involved in doing that, or perhaps impersonating a charging station. (This may explain why it's up to 20km, rather than from anywhere.) That search is presumably necessary because charging stations aren't as ubiquitous as filling stations - but that must be where the vulnerability lies.

      Plus having everything else accessible as a result of that? As MrDamage says below - everything running off the same system (or perhaps internally networked) is madness.

      1. Jamie Jones Silver badge
        FAIL

        Re: Poor old Elon

        I agree with Bazza, and I think Cuddles missed his point.

        So, they've located, and fixed the issue? Great! What happens when someone discovers another bug?

        Bloody hell, this isn't just someone using your PC to send spam emails, this could be life or death. As Bazza says, the fact this is possible in the first place shows a fundamental HARDWARE issue, that can not just be fixed in software.

        And again, as Bazza says, better luck next time with the next hardware design. The current design is toast.

        1. Adam JC

          Re: Poor old Elon

          "As Bazza says, the fact this is possible in the first place shows a fundamental HARDWARE issue, that can not just be fixed in software"

          Actually, it's a software exploit, thus a software problem and was subsequently fixed in a SOFTWARE update. Also, this was using WiFi so unless someone's following you down the motorway with a WiFi hotspot and the driver manually connected to this hotspot, it requires extremely precise conditions to pull off. (Not that I'm detracting from the seriousness of exploiting this - Although I would be an order of magnitude more concerned if they had exploited it over 3G).

          1. Anonymous Coward

            Re: Poor old Elon

            Actually it is an architectural issue that this sort of exploit is possible and most probably the architectural flaws extend to the hardware. Part of the risk and safety analysis and management should have been to separate safety functions, for example control of brakes, from non safety functions and particularly any remote connectivity. Completely separate busses and processors would be prudent. If there has to be a means of transferring information to the safety sub-systems it should be through a single well controlled point with very limited capabilities.

            Fixing specific bugs will not solve a flawed architecture and leaves the system vulnerable to the next bug that is discovered.

      2. PNGuinn
        FAIL

        Re: Poor old Elon

        Sorry - I don't get it.

        Shirley there's no risk whatsoever in browsing the net from your car? Apart from the obvious road safety driver distraction issues that is

        The 'net bit will be a totally separate system, with NO connections to any vital bit of the car, won't it?

        I mean, security and safety and all that ....

        OH ...D'oh.

        Someone needs to be given a very painful repeated software update behind the nearest shed with a lead filled rubber hose. Videoed and plastered on spewtube as an example.

    2. Cuddles

      Re: Poor old Elon

      "The only sure way Tesla have right now to fix it is to do a firmware update that disables the remote connectivity. Hopefully they'll learn the exact vulnerability exploited here and be able to fix it properly in the very near future."

      If only the article had addressed this in some way. Perhaps they could have included a quote from Tesla saying they've already fixed it.

      "A Tesla spokesman told El Reg: "Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues."

      1. James Hughes 1

        Re: Poor old Elon

        Upvote for Cuddles for actually reading to the end of the article.

        IT'S FIXED ALREADY PEOPLE.

        1. Anonymous Coward

          Re: Poor old Elon

          "IT'S FIXED ALREADY PEOPLE."... so you've tested it then?

          Or are we only left with the claim it's been fixed? I'm sure if you'd asked Tesla a month ago they'd have told you this type of hack was impossible!

      2. swm

        Re: Poor old Elon

        "A Tesla spokesman told El Reg: "Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues."

        What else could be deployed (by whom?) in an over-the-air software update?

  3. MrDamage Silver badge

    As much as I want Tesla

    The fact that they decided on a single computer system to drive every aspect of the car, leaving the owner/driver vulnerable to remote attacks, I'm getting less and less keen on them.

    If you can get a fully offline Tesla that will not respond to any wireless signal (as in no wireless hardware at all), and has to be physically plugged in for any firmware/software updates, then I might be interested. This goes for entry into the vehicle, and "ignition" too. I want a key, not some bleeping fob.

  4. Anonymous Coward

    Another reason to remove/block the cellular modem in any car you buy

    Bad enough that automakers likely provide the government access (knowingly or not) to tracking data that shows where your car is at any moment, but it would also allow a way in. I'd also kill the GPS while I'm at it, so it can't record where I've been for the shop to download when I'm in for service.

    If someone sells a car that won't operate without those unnecessary services, then I won't buy it.

    1. Charles 9

      Re: Another reason to remove/block the cellular modem in any car you buy

      And if EVERYONE is FORCED to sell nothing but by law and your old car's days get numbered? Do you give up or stop driving?

  5. sabroni Silver badge

    soft-brick?

    You mean hang?

  6. DrXym

    Pretty likely how they attacked

    All those functions are things that an app for the car might contain. I assume they've just intercepted the traffic between app and car and figured out a way of doing a replay attack or a man in the middle.

    1. Adam 1

      Re: Pretty likely how they attacked

      Activating wipers? Applying brakes? Not sure what apps you've been using but I don't want such a feature of any car I'm in.

      1. DrXym

        Re: Pretty likely how they attacked

        Just because you can't see the commands in the app doesn't mean they're not there in the protocol. Cars have diagnostic modes. Providing you can convince the car to authenticate you it probably doesn't care what command you send over the wire.

        1. Adam 1

          Re: Pretty likely how they attacked

          It is possible to construct a system that way, but anyone who does should stay well away from software development.

          That sort of diagnostics should only be possible by plugging something via the OBD2 port. I can well imagine a company working towards autonomous driving vehicles needs a remote override to activate the brakes during testing, but this can be achieved pretty easily by relaying the command via an onboard laptop with a 4G connection plugged into OBD2. Then your hacking risk isn't to your customers' vehicles.

          1. DrXym

            Re: Pretty likely how they attacked

            "That sort of diagnostics should only be possible by plugging something via the OBD2 port."

            It's not the same as the diagnostics when you bring your car in to be serviced.

            I mean diagnostics that Tesla developers might have in their app to test remote functionality like keyless entry, summon etc. The in-house build probably has a page with diagnostics, commands to hit the brakes and other stuff that a dev might need to test features in the car already or features they're in the process of adding. There must even be an API of sorts since there are 3rd party apps like Remote S that can control the car remotely.

            I agree they've screwed up big time. I expect the fault probably lies in the authentication layer, allowing replay attacks or suchlike. But Tesla should also disable certain commands from having any action when the car is in motion.

            But yes Tesla have screwed up bigtime here.
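The gateway idea raised in this thread (one tightly limited crossing point between the connected side and the safety-relevant bus, plus refusing certain commands while the car is in motion), sketched as an added example that is not from the article, any commenter or Tesla. All CAN IDs, payload lengths, rate limits and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: IDs, lengths and limits are NOT from any real vehicle. */
typedef struct {
    uint32_t id;       /* 11-bit CAN identifier */
    uint8_t  dlc;      /* payload length, 0..8 */
    uint8_t  data[8];
} can_frame;

typedef enum {
    GW_FORWARD, GW_DROP_UNKNOWN_ID, GW_DROP_BAD_LENGTH,
    GW_DROP_IN_MOTION, GW_DROP_RATE
} gw_verdict;

typedef struct {
    uint32_t id;
    uint8_t  dlc;              /* exact payload length required */
    bool     parked_only;      /* refuse while the vehicle is moving */
    uint32_t min_interval_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;          /* time the rule last forwarded a frame */
    bool     seen;             /* has this rule forwarded anything yet? */
} gw_rule;

/* Default deny: only these frames may cross from the infotainment bus to the
   body bus. There is no entry for brakes or diagnostics, so such frames can
   never be forwarded, whatever runs on the connected side. */
static gw_rule rules[] = {
    { 0x3A0, 2, false,  100, 0, false },  /* cabin temperature setpoint */
    { 0x3B1, 1, true,   500, 0, false },  /* fold/unfold mirrors */
    { 0x3C2, 1, true,  1000, 0, false },  /* unlock doors */
};

/* speed_kph_x10 must be read by the gateway from the trusted (vehicle) side,
   never taken from the frame being judged. */
gw_verdict gw_filter(const can_frame *f, uint32_t now_ms, uint16_t speed_kph_x10)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        gw_rule *r = &rules[i];
        if (r->id != f->id)
            continue;
        if (f->dlc != r->dlc)
            return GW_DROP_BAD_LENGTH;
        if (r->parked_only && speed_kph_x10 != 0)
            return GW_DROP_IN_MOTION;
        /* Unsigned subtraction stays correct across timer wrap-around. */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_interval_ms)
            return GW_DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return GW_FORWARD;
    }
    return GW_DROP_UNKNOWN_ID;
}

/* Convenience wrapper: judge a frame with an all-zero payload. */
gw_verdict gw_check(uint32_t id, uint8_t dlc, uint32_t now_ms, uint16_t speed_kph_x10)
{
    can_frame f = { id, dlc, {0} };
    return gw_filter(&f, now_ms, speed_kph_x10);
}

int main(void)
{
    static const char *names[] = { "FORWARD", "DROP unknown id",
        "DROP bad length", "DROP in motion", "DROP rate limit" };
    /* Constructed traffic: {id, dlc, time in ms, speed in 0.1 km/h}. */
    struct { uint32_t id; uint8_t dlc; uint32_t t; uint16_t v; } sample[] = {
        { 0x3A0, 2,    0, 900 },  /* climate change at 90 km/h */
        { 0x3A0, 2,   50, 900 },  /* same again, too soon */
        { 0x3C2, 1, 1000, 900 },  /* unlock doors while moving */
        { 0x3C2, 1, 1000,   0 },  /* unlock doors while parked */
        { 0x220, 8, 2000,   0 },  /* ID that is not on the allow-list */
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("id=0x%03X t=%ums speed=%u -> %s\n", (unsigned)sample[i].id,
               (unsigned)sample[i].t, (unsigned)sample[i].v,
               names[gw_check(sample[i].id, sample[i].dlc, sample[i].t, sample[i].v)]);
    return 0;
}
```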

  7. Anonymous Coward

    In other news..

    .. sales of cheap Chinese jammers just shot up..

    Well, I was looking at Tesla, and this was one of my concerns. I know for a fact that the other vehicle I am considering has decent security and privacy protections in place (because I talked to the people who manage it - nice side effect of my work), but Tesla is US originated and that's not a good starting point anyway (sorry, but I can't change the facts).

    If I have no control over what the vehicle "shares" I'm simply not interested, thank you. I have no problem with a black box, but I hate this monitoring fetish that everyone seems to be infected by, especially if it's done without my knowledge or permission. If given a choice I may even agree with some if there is a sensible benefit to be had, but this behind my back spying has to stop.

    1. L05ER

      Re: In other news..

      so you'll accept the assurances of one group of people, but not another? biased much?

      i'm not saying to believe Tesla, i'm saying you can't trust anyone with your stuff... just ask j-law.

      1. Anonymous Coward

        Re: In other news..

        "so you'll accept the assurances of one group of people, but not another? biased much?"

        No, I only believe hard facts, especially when it's about protecting me and my family. My business happens to be high end privacy, so it was easy for me to identify and talk to the right people and see what they actually did. Part of what I do is auditing, so I have a bit of a nose for when someone is avoiding a topic, but in this case I actually ended up with people who were happy and proud to show what they did because they had to originally do it against stiff opposition from marketing people who only saw social media and not consequences. I recognise that: it's nice to be found right in the end :).

        My problem is that I live, work and operate in Europe where all of this is relatively easy (and I have a legal grip on companies that try to get creative as well), whereas I stand no chance at all reviewing and auditing a US company. Events suggest that is very much needed, so I hope Tesla is smart and gets this dealt with - openly, so customers can see it.

        1. Anonymous Coward

          Re: My business happens to be high end privacy

          As opposed to all that low level privacy the plebs have? How much is half a pound of really high end privacy these days?

          Sounds like you have a very active imagination!

          1. Anonymous Coward

            Re: My business happens to be high end privacy

            Bah! Got me!

            It sounded impressive though, right?

  8. Simon Rockman

    What's worrying is that it's a Tesla

    When it comes to understanding this kind of thing Tesla are way ahead of most car manufacturers.

    And all cars are going online. It's far cheaper than a recall for fixes and opens up the ability of the car companies to sell content. They can't afford to keep cars offline.

    Simon

    1. Anonymous Coward

      Re: What's worrying is that it's a Tesla

      "It's far cheaper than a recall for fixes and opens up the ability of the car companies to sell content. They can't afford to keep cars offline."

      Yes they can, as all cars still need regular servicing. That's an excellent time to update the software and IMHO the ONLY time to change the software because I sure as hell don't want an over the air update while I'm actually in the car driving it. I don't want someone to update the code for my ABS brakes when I'm gunning down a nice stretch of German motorway (also because it's an excellent way to cause an "accident" - just for the really paranoid out there). As a matter of fact, I don't want anyone updating the code of my car without good reason, and without telling me exactly what is in it.

      No, no, no and no again. Just don't. I've gotten on just fine over the last few decades without connectivity in the car, about the only argument I see for data exchange is a GPS rerouting me around traffic jams like TomTom has been doing for years.

      1. Charles 9

        Re: What's worrying is that it's a Tesla

        So what happens WHEN (not IF) it becomes required by law?

        1. Anonymous Coward

          Re: What's worrying is that it's a Tesla

          "So what happens WHEN (not IF) it becomes required by law?"

          You mention the word "liability", at which point the relevant insurance people will panic and finally start bribing the RIGHT people. I will NOT buy a car with OTA software updates, and if that becomes impossible I'll get a jammer. Also sorts out any possible temptation to answer the phone whilst driving.

          1. Charles 9

            Re: What's worrying is that it's a Tesla

            Corporations aren't afraid of no liability. That's why they're structured the way they are: to assure scapegoats. That's why executives NEVER go to jail unless it's for a PERSONAL crime.

            PS. Don't forget radio jammers are illegal under the Telecommunications Act AND they're easy to detect. And the only legal alternative, shunting, has two strikes against it in a car: windows and lack of a ground.

            1. Anonymous Coward

              Re: What's worrying is that it's a Tesla

              "PS. Don't forget radio jammers are illegal under the Telecommunications Act AND they're easy to detect"

              You're right. Sabotage it is, then :).

  9. Anonymous Coward

    Why

    If they must have computers in cars to allow the car to run (activate brakes, run the engine) why are those computers accessible to the outside world via anything other than a short cable?

    As for unlocking doors and folding mirrors why are they computer controlled? Yes, I can see that, in the present day and age, computerised entertainment is something that most people would want but that is something that should be totally separate from anything to do with how the car works.

    1. Androgynous Cupboard Silver badge

      Re: Why

      Pure speculation, but I would imagine it could go something like this:

      1. Web browser allows access to something innocuous - I don't know, turn on the stereo.

      2. Buffer overflow found in the handler for this action in the web browser

      3. Buffer overflow exploited to load executable code onto the computer.

      4. Exploited code sends specially crafted CAN bus message targeting the systems on the same bus as the stereo.

      It's not necessarily the case that you can control your brakes with a web browser, but could be that the devices the web browser is controlling are on the same comms bus. I have no knowledge of Tesla's internals, but most modern cars use a bus system and I presume something as electrically complex as a Tesla would do too. Running N individual wires to N devices back to a single control unit simply isn't practical.

      That said, I believe aircraft have their entertainment systems on a physically separate wiring harness. Not a bad idea all up.

  10. Anonymous Coward
    Terminator

    Over-the-air security of our products

    'A Tesla spokesman told El Reg: "Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update'

    There's your problem, you allow over-the-air access to the OS, by design. Just who in their right minds allow remote access to a cars breaking system.

    "We engaged with the security research community to test the security of our products"

    What security test did your own designers perform before releasing to market? If no such tests were performed then your company should be subject to legal sanctions.

    1. Adam 1

      Re: Over-the-air security of our products

      I don't even want a breaking system in my car. That should definitely be covered by warranty.

      1. Anonymous Coward

        Re: Over-the-air security of our products

        "I don't even want a breaking system in my car."

        That's going to be interesting in traffic. You know that airbags only go off once, don't you?

        :)

  11. Mage Silver badge
    Flame

    Fixing it is almost irrelevant.

    I don't trust ANY maker to do software without bugs.

    Any system with any wireless connectivity may from time to time be vulnerable. The vast bulk of managements and many programmers are not good enough.

    If it's happened once, it will happen again.

  12. Badger Murphy
    Mushroom

    There is no fix for this

    You can patch and patch and patch to your heart's content. The problem lies in the fact that the computer that interfaces with the remote connectivity is the same computer that controls the car. Until you decouple these two functions into two separate and air-gapped computers, this will never cease. The stakes are high enough here that state-sponsored hacking will ensure that any system with this sort of architecture will never fully be secure.

    1. Charles 9

      Re: There is no fix for this

      Then we're all lost because the two MUST be linked in some way, hands-free, in case of emergency a la OnStar. It'll become mandatory soon enough to save lives.

  13. quxinot

    Erm.

    Hooray for carbs and systems no more complicated than necessary.

    BWAHAHAHAHAHAHAHA.

  14. Gerry 3
    FAIL

    Connected Cars? No, thank you !

    I took a test drive in a Tesla, but the massive Google touchscreen was enough to deter me from buying one. It showed that they prefer style over substance. Ditto the analogue-only radio (unless you spent a whopping £2k extra for a DAB radio that didn't even work properly because it lacked an external aerial).

    But all that almost pales into insignificance compared to the massive blunder of having internet connectivity and over-the-air upgrades. It's bad enough when dodgy M$ Windows software causes a PC crash once a day, but software causing a real car crash at any time is unacceptable.

  15. Alan Brown Silver badge

    hmmm

    Based on the description of the attack I'm wondering if Teslas are using http:// by default instead of https:// and keeping certificates onboard. If so, they're in good company: Toyota and others did it too - and it certainly explains the ability to make a MitM attack. I'd take paranoia at least a step further and use some form of secure DNS so that a MitM attacker can't simply do redirects that way.

    Yes it's good that "Tesla fixed it" but without full disclosure of the vulnerability and the changelog it's impossible to know if they just slapped a bandaid on the problem or dealt with the underlying issues.

  16. Leeroy

    It's fixed now

    Until the next exploit is found...

    Just imagine every Tesla slamming on the brakes at the same time, not pretty :/

  17. L05ER

    you do realize...

    that most (if not all) cars come with some level of connection...

    GM's OnStar service has had this level of control over cellular modem for some time now. tracking and shutting down a stolen car is one of its selling points...

    why is it so much Tesla hate (in the form of FUD) can be found on the register? the article seemed to avoid directly spreading any this time around, but the comments are still steeped in it.

    member when el reg used to be amazing?

    i member...

    1. wolfetone Silver badge

      Re: you do realize...

      Pepperidge Farm remembers.

      Pepperidge Farm also remembers the hate for the GM/Vauxhall/Opel Ampera, how it kept catching fire. Tesla fanbois will like to think that El Reg is hating on Elon, but it really isn't. It's just telling the truth.

  18. Herby

    Makes me long for the days...

    Of driving my '62 Porsche. Nothing "hi-tech" in that at all. I did add a CD (capacitive discharge) ignition to it, but that was about it. The highest tech thing was to convert it to 12 volts so I could use my ham radio stuff.

    What a car! Top down at 90 MPH at night is something to behold. I was young then.

    Yes, the vehicle is still in the family.

    1. Anonymous Coward

      Re: Makes me long for the days...

      Ahh. Mine was a 65 TR4A - also added the electronic ignition which did wonders for starting and fuel efficiency.

      Plus if it broke down - I could fix it! Which was a necessity because those cars did break down and require fixing.

      But the magic of driving home with the top down through the Ozarks in the wee hours of a spring morning ......

    2. Brian Miller

      Re: Makes me long for the days...

      You do know that old cars are still around, fixable, and drivable? Just ask the Motortrend Road Kill guys.

      Oh, wait ...

  19. Mark York 3 Silver badge
    Terminator

    Onestar

    No longer a problem since they decommissioned the old cell phone frequencies & by extension the on-board equipment in both the family's cars in Canadaland - Pleas via phone calls, snail mail for the upgrade\replacement equipment fee (Twice with one vehicle less than 4 years old) fell on deaf ears.

    1. Charles 9

      Re: Onestar

      What happened when you told them if they don't fix it, you're going to turn it in and buy a different make instead? Threats of a defection tend to make company types pay attention.

  20. wolfetone Silver badge
    Thumb Up

    You know what can't be hacked? Can't catch fire due to faulty Lithium Ion/Polymer? Can't drive itself and then get confused by a white sided truck in bright sunlight? Oh, and can't be hacked?

    My 1998 Toyota Corolla.

    1. Charles 9

      And how much longer do you think it'll be considered street legal?

    2. Anonymous Coward

      "My 1998 Toyota Corolla."

      That's what they invented emission limits for: get rid of old cars. Soon you'll only be able to drive it *outside* any city..

      1. wolfetone Silver badge

        I know that time will come, but the diesels will be banned long before an 18 year old petrol car will be.

    3. MonkeyCee

      Your Corolla doesn't catch fire after a 100mph impact? Damn....

  21. Fruit and Nutcase Silver badge
    Mushroom

    Connected Rockets?

    Hope the Falcon 9 has resilient comms

    1. Fred Flintstone Gold badge

      Re: Connected Rockets?

      "Hope the Falcon 9 has resilient comms"

      At least it doesn't have any ABS or folding door mirrors :)

  22. You aint sin me, roit

    "only triggered when the web browser is used"

    That's your problem right there. It might be convenient to run applications through a web browser, but it isn't necessarily secure.

    Tesla should be having a word with their so-called security experts who didn't find these issues. Given the publicity given to recent car hacks based on seemingly innocuous systems providing an entry point to more fundamental processes (such as controlling the brakes!) they really should be applying the basics of security - authentication, authorization, integrity and confidentiality.
