"Director Lv says the type of research is important as cars become more automated and tech-dependent."
I'd like to nominate this for the "Understatement of the Year" awards.
Chinese hackers have attacked Tesla electric cars from afar, using exploits that can activate brakes, unlock doors, and fold mirrors from up to 20 kilometres (12 miles) away while the cars are in motion. Keen Security Lab senior researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated the hacks …
I'll say, but the obviousness of it says a lot about the car industry.
Marketing: "I know, we'll add a remote connection and Internet to the cars, that'll make them sell better!"
Engineering: "Er....."
Marketing: "Remote control, mobile apps, live streaming!!!"
Engineering: "Er this is going to be really hard..."
Marketing: "Don't care do it or be sacked with vigour"
Engineering: "(brown trouser) Er, Okay I guess"
The long term strategic consequences for a car manufacturer of putting any kind of long range radio data connection (e.g. 3G network, or WiFi) have been wildly underestimated by the auto industry.
For example, there's already 3G in some cars as part of an automatic emergency services alerting system for when the car crashes. Fine, but 3G won't be in use in 10 years' time. Are they going to recall and upgrade all those cars to 4G? Or silently let the system fall into disuse? Both are expensive...
My ~2000 era car is designed with commendable paranoia.
The In Car Entertainment stuff uses dedicated wiring that is only used for this purpose, and so regardless of what you plug into your radio you can't screw with the rest of the car. The controls on the wheel are hardwired to the plug for the stereo unit not just network addresses on the car network.
The engine control unit is only accessible via the OBDII port, and while it is possible to read data from this at any time for diagnostics (or running one of those little HUD things from ebay, etc) the car's software is write locked when the engine is running, which neatly prevents pretty much any malicious activity.
The only time you can write to it is when the keys are in the ignition, the ignition is turned on, but the engine is turned off. This writes off a huge majority of attacks that can be launched, from the "try to kill the driver" sort of issues covered in the article to the modern celebrated "sit outside the car with a dealer laptop, open the doors, start the engine and drive away without needing the keys" features that must have been requested by organised crime gangs to steal expensive, but badly designed cars.
Now, if a reasonable set of security measures could be devised ~twenty years ago to prevent these sort of obviously foreseeable problems why are we having these problems today...?
He's not having a good month, is he?
This should be a warning to all manufacturers putting remote connectivity into their cars. It's easy to do, generates enormous and never ending reputational risk.
The only sure way Tesla have right now to fix it is to do a firmware update that disables the remote connectivity. That totally ruins the car, but if this hack (particularly the application of the brakes) goes unfixed for any appreciable length of time they'll risk copping a massive fine, just like Fiat Chrysler did.
Hopefully they'll learn the exact vulnerability exploited here and be able to fix it properly in the very near future.
The article does mention that the researchers have sent details to Tesla.
As to disabling remote connectivity, in the video when they hack the new vehicle they ask the driver to search for the nearest charging point - so they must be somehow intercepting the exchange involved in doing that, or perhaps impersonating a charging station. (This may explain why it's up to 20km, rather than from anywhere.) That search is presumably necessary because charging stations aren't as ubiquitous as filling stations - but that must be where the vulnerability lies.
Plus having everything else accessible as a result of that? As MrDamage says below - everything running off the same system (or perhaps internally networked) is madness.
I agree with Bazza, and I think Cuddles missed his point.
So, they've located, and fixed the issue? Great! What happens when someone discovers another bug?
Bloody hell, this isn't just someone using your PC to send spam emails, this could be life or death. As Bazza says, the fact this is possible in the first place shows a fundamental HARDWARE issue, that can not just be fixed in software.
And again, as Bazza says, better luck next time with the next hardware design. The current design is toast.
"As Bazza says, the fact this is possible in the first place shows a fundamental HARDWARE issue, that can not just be fixed in software"
Actually, it's a software exploit, thus a software problem and was subsequently fixed in a SOFTWARE update. Also, this was using WiFi so unless someone's following you down the motorway with a WiFi hotspot and the driver manually connected to this hotspot, it requires extremely precise conditions to pull off. (Not that I'm detracting from the seriousness of exploiting this - Although I would be an order of magnitude more concerned if they had exploited it over 3G).
Actually it is an architectural issue that this sort of exploit is possible and most probably the architectural flaws extend to the hardware. Part of the risk and safety analysis and management should have been to separate safety functions, for example control of brakes, from non safety functions and particularly any remote connectivity. Completely separate buses and processors would be prudent. If there has to be a means of transferring information to the safety sub-systems it should be through a single well controlled point with very limited capabilities.
Fixing specific bugs will not solve a flawed architecture and leaves the system vulnerable to the next bug that is discovered.
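The "single well controlled point with very limited capabilities" described in the comment above could look like the following gateway filter. This is an added example, not part of the thread and not any manufacturer's code; the CAN IDs, names and limits are hypothetical, and it assumes the speed value comes from the safety-side bus, never from the connected side.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Frame arriving from the connected (infotainment) side of the gateway. */
struct gw_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

enum gw_verdict { GW_FORWARD, GW_DROP_UNKNOWN_ID, GW_DROP_BAD_LEN,
                  GW_DROP_IN_MOTION, GW_DROP_RATE };

/* Allowlist entry. Anything without an entry never crosses the gateway. */
struct gw_rule {
    uint32_t id;          /* hypothetical CAN identifier */
    uint8_t  dlc;         /* exact payload length required */
    bool     parked_only; /* forwarded only when the vehicle is stationary */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames */
    uint32_t last_ms;     /* time of the last forwarded frame */
    bool     seen;        /* false until the first frame is forwarded */
};

/* Constructed rule set: comfort functions only, no brake or steering IDs. */
static struct gw_rule rules[] = {
    { 0x3A0, 2, false, 100, 0, false },  /* cabin temperature request */
    { 0x3B1, 1, true,  500, 0, false },  /* mirror fold */
    { 0x3B2, 1, true,  500, 0, false },  /* door unlock */
};

/* speed_x10 is vehicle speed in 0.1 km/h units, read on the safety side. */
enum gw_verdict gw_filter(const struct gw_frame *f, uint16_t speed_x10,
                          uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct gw_rule *r = &rules[i];
        if (r->id != f->id)
            continue;
        if (f->dlc != r->dlc)
            return GW_DROP_BAD_LEN;
        if (r->parked_only && speed_x10 != 0)
            return GW_DROP_IN_MOTION;
        /* Unsigned subtraction stays correct across timer wrap-around. */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_gap_ms)
            return GW_DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return GW_FORWARD;
    }
    return GW_DROP_UNKNOWN_ID;  /* default deny */
}

int main(void)
{
    struct gw_frame brake = { 0x0B0, 8, {0} };  /* constructed: not allowlisted */
    struct gw_frame fold  = { 0x3B1, 1, {1} };  /* constructed: mirror fold */
    printf("brake frame, parked: %d\n", gw_filter(&brake, 0, 1000));
    printf("fold at 65 km/h:     %d\n", gw_filter(&fold, 650, 1000));
    printf("fold, parked:        %d\n", gw_filter(&fold, 0, 1000));
    return 0;
}
```

The filter is default deny: a compromised head unit can only emit the listed comfort frames, at the listed rate, and the parked-only ones have no effect while the car is moving.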
Sorry - I don't get it.
Shirley there's no risk whatsoever in browsing the net from your car? Apart from the obvious road safety driver distraction issues that is
The 'net bit will be a totally separate system, with NO connections to any vital bit of the car, won't it?
I mean, security and safety and all that ....
OH ...D'oh.
Someone needs to be given a very painful repeated software update behind the nearest shed with a lead filled rubber hose. Videoed and plastered on spewtube as an example.
"The only sure way Tesla have right now to fix it is to do a firmware update that disables the remote connectivity. Hopefully they'll learn the exact vulnerability exploited here and be able to fix it properly in the very near future."
If only the article had addressed this in some way. Perhaps they could have included a quote from Tesla saying they've already fixed it.
"A Tesla spokesman told El Reg: "Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues."
"A Tesla spokesman told El Reg: "Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues."
What else could be deployed (by whom?) in an over-the-air software update?
The fact that they decided on a single computer system to drive every aspect of the car, leaving the owner/driver vulnerable to remote attacks, I'm getting less and less keen on them.
If you can get a fully offline Tesla that will not respond to any wireless signal (as in no wireless hardware at all), and has to be physically plugged in for any firmware/software updates, then I might be interested. This goes for entry into the vehicle, and "ignition" too. I want a key, not some bleeping fob.
Bad enough that automakers likely provide the government access (knowingly or not) to tracking data that shows where your car is at any moment, but it would also allow a way in. I'd also kill the GPS while I'm at it, so it can't record where I've been for the shop to download when I'm in for service.
If someone sells a car that won't operate without those unnecessary services, then I won't buy it.
It is possible to construct a system that way, but anyone who does should stay well away from software development.
That sort of diagnostics should only be possible by plugging something via the OBD2 port. I can well imagine a company working towards autonomous driving vehicles needs a remote override to activate the brakes during testing, but this can be achieved pretty easily by relaying the command via an onboard laptop with a 4G connection plugged into OBD2. Then your hacking risk isn't to your customers' vehicles.
"That sort of diagnostics should only be possible by plugging something via the OBD2 port."
It's not the same as the diagnostics when you bring your car in to be serviced.
I mean diagnostics that Tesla developers might have in their app to test remote functionality like keyless entry, summon etc. The in-house build probably has a page with diagnostics, commands to hit the brakes and other stuff that a dev might need to test features in the car already or features they're in the process of adding. There must even be an API of sorts since there are 3rd party apps like Remote S that can control the car remotely.
I agree they've screwed up big time. I expect the fault probably lies in the authentication layer, allowing replay attacks or suchlike. But Tesla should also disable certain commands from having any action when the car is in motion.
But yes Tesla have screwed up bigtime here.
.. sales of cheap Chinese jammers just shot up..
Well, I was looking at Tesla, and this was one of my concerns. I know for a fact that the other vehicle I am considering has decent security and privacy protections in place (because I talked to the people who manage it - nice side effect of my work), but Tesla is US originated and that's not a good starting point anyway (sorry, but I can't change the facts).
If I have no control over what the vehicle "shares" I'm simply not interested, thank you. I have no problem with a black box, but I hate this monitoring fetish that everyone seems to be infected by, especially if it's done without my knowledge or permission. If given a choice I may even agree with some if there is a sensible benefit to be had, but this behind my back spying has to stop.
so you'll accept the assurances of one group of people, but not another? biased much?
No, I only believe hard facts, especially when it's about protecting me and my family. My business happens to be high end privacy, so it was easy for me to identify and talk to the right people and see what they actually did. Part of what I do is auditing, so I have a bit of a nose for when someone is avoiding a topic, but in this case I actually ended up with people who were happy and proud to show what they did because they had to originally do it against stiff opposition from marketing people who only saw social media and not consequences. I recognise that: it's nice to be found right in the end :).
My problem is that I live, work and operate in Europe where all of this is relatively easy (and I have a legal grip on companies that try to get creative as well), whereas I stand no chance at all reviewing and auditing a US company. Events suggest that is very much needed, so I hope Tesla is smart and gets this dealt with - openly, so customers can see it.
When it comes to understanding this kind of thing Tesla are way ahead of most car manufacturers.
And all cars are going online. It's far cheaper than a recall for fixes and opens up the ability of the car companies to sell content. They can't afford to keep cars offline.
Simon
It's far cheaper than a recall for fixes and opens up the ability of the car companies to sell content. They can't afford to keep cars offline.
Yes they can, as all cars still need regular servicing. That's an excellent time to update the software and IMHO the ONLY time to change the software because I sure as hell don't want an over the air update while I'm actually in the car driving it. I don't want someone to update the code for my ABS brakes when I'm gunning down a nice stretch of German motorway (also because it's an excellent way to cause an "accident" - just for the really paranoid out there). As a matter of fact, I don't want anyone updating the code of my car without good reason, and without telling me exactly what is in it.
No, no, no and no again. Just don't. I've gotten on just fine over the last few decades without connectivity in the car, about the only argument I see for data exchange is a GPS rerouting me around traffic jams like TomTom has been doing for years.
So what happens WHEN (not IF) it becomes required by law?
You mention the word "liability", at which point the relevant insurance people will panic and finally start bribing the RIGHT people. I will NOT buy a car with OTA software updates, and if that becomes impossible I'll get a jammer. Also sorts out any possible temptation to answer the phone whilst driving.
Corporations aren't afraid of no liability. That's why they're structured the way they are: to assure scapegoats. That's why executives NEVER go to jail unless it's for a PERSONAL crime.
PS. Don't forget radio jammers are illegal under the Telecommunications Act AND they're easy to detect. And the only legal alternative, shunting, has two strikes against it in a car: windows and lack of a ground.
If they must have computers in cars to allow the car to run (activate brakes, run the engine) why are those computers accessible to the outside world via anything other than a short cable?
As for unlocking doors and folding mirrors why are they computer controlled? Yes, I can see that, in the present day and age, computerised entertainment is something that most people would want but that is something that should be totally separate from anything to do with how the car works.
Pure speculation, but I would imagine it could go something like this:
1. Web browser allows access to something innocuous - I don't know, turn on the stereo.
2. Buffer overflow found in the handler for this action in the web browser.
3. Buffer overflow exploited to load executable code onto the computer.
4. Exploited code sends specially crafted CAN bus message targeting the systems on the same bus as the stereo.
It's not necessarily the case that you can control your brakes with a web browser, but could be that the devices the web browser is controlling are on the same comms bus. I have no knowledge of Tesla's internals, but most modern cars use a bus system and I presume something as electrically complex as a Tesla would do too. Running N individual wires to N devices back to a single control unit simply isn't practical.
That said, I believe aircraft have their entertainment systems on a physically separate wiring harness. Not a bad idea all up.
'A Tesla spokesman told El Reg: "Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update'
There's your problem, you allow over-the-air access to the OS, by design. Just who in their right mind allows remote access to a car's braking system?
"We engaged with the security research community to test the security of our products"
What security tests did your own designers perform before releasing to market? If no such tests were performed then your company should be subject to legal sanctions.
You can patch and patch and patch to your heart's content. The problem lies in the fact that the computer that interfaces with the remote connectivity is the same computer that controls the car. Until you decouple these two functions into two separate and air-gapped computers, this will never cease. The stakes are high enough here that state-sponsored hacking will ensure that any system with this sort of architecture will never fully be secure.
I took a test drive in a Tesla, but the massive Google touchscreen was enough to deter me from buying one. It showed that they prefer style over substance. Ditto the analogue-only radio (unless you spent a whopping £2k extra for a DAB radio that didn't even work properly because it lacked an external aerial).
But all that almost pales into insignificance compared to the massive blunder of having internet connectivity and over-the-air upgrades. It's bad enough when dodgy M$ Windows software causes a PC crash once a day, but software causing a real car crash at any time is unacceptable.
Based on the description of the attack I'm wondering if Teslas are using http:// by default instead of https:// and keeping certificates onboard. If so, they're in good company: Toyota and others did it too - and it certainly explains the ability to make a MitM attack. I'd take paranoia at least a step further and use some form of secure DNS so that a MitM attacker can't simply do redirects that way.
Yes it's good that "Tesla fixed it" but without full disclosure of the vulnerability and the changelog it's impossible to know if they just slapped a bandaid on the problem or dealt with the underlying issues.
that most (if not all) cars come with some level of connection...
GM's OnStar service has had this level of control over cellular modem for some time now. tracking and shutting down a stolen car is one of its selling points...
why is it so much Tesla hate (in the form of FUD) can be found on the register? the article seemed to avoid directly spreading any this time around, but the comments are still steeped in it.
member when el reg used to be amazing?
i member...
Of driving my '62 Porsche. Nothing "hi-tech" in that at all. I did add a CD (capacitive discharge) ignition to it, but that was about it. The highest tech thing was to convert it to 12 volts so I could use my ham radio stuff.
What a car! Top down at 90 MPH at night is something to behold. I was young then.
Yes, the vehicle is still in the family.
Ahh. Mine was a 65 TR4A - also added the electronic ignition which did wonders for starting and fuel efficiency.
Plus if it broke down - I could fix it! Which was a necessity because those cars did break down and require fixing.
But the magic of driving home with the top down through the Ozarks in the wee hours of a spring morning ......
No longer a problem since they decommissioned the old cell phone frequencies & by extension the on-board equipment in both the family's cars in Canadaland - Pleas via phone calls, snail mail for the upgrade\replacement equipment fee (Twice with one vehicle less than 4 years old) fell on deaf ears.
That's your problem right there. It might be convenient to run applications through a web browser, but it isn't necessarily secure.
Tesla should be having a word with their so-called security experts who didn't find these issues. Given the publicity given to recent car hacks based on seemingly innocuous systems providing an entry point to more fundamental processes (such as controlling the brakes!) they really should be applying the basics of security - authentication, authorization, integrity and confidentiality.