Tesla Fixes Security Bugs After Claims of Model S Hack (reuters.com) 76
An anonymous reader quotes a report from Reuters: Tesla Motors Inc has rolled out a security patch for its electric cars after Chinese security researchers uncovered vulnerabilities they said allowed them to remotely attack a Tesla Model S sedan. The automaker said that it had patched the bugs in a statement to Reuters on Tuesday, a day after cybersecurity researchers with China'a Tencent Holdings Ltd disclosed their findings on their blog. Tesla said it was able to remedy the bugs uncovered by Tencent using an over-the-air fix to its vehicles, which saved customers the trouble of visiting dealers to obtain the update. Tencent's Keen Security Lab said on its blog that its researchers were able to remotely control some systems on the Tesla S in both driving and parking modes by exploiting the security bugs that were fixed by the automaker. The blog said that Tencent believed its researchers were the first to gain remote control of a Tesla vehicle by hacking into an onboard computer system known as a CAN bus. In a demonstration video, Tencent researchers remotely engaged the brake on a moving Tesla Model S, turned on its windshield wipers and opened the trunk. Tesla said it pushed out an over-the-air update to automatically update software on its vehicles within 10 days of learning about the bugs. It said the attack could only be triggered when a Tesla web browser was in use and the vehicle was close enough to a malicious Wi-Fi hotspot to connect to it.
Slashdot reader weedjams adds some commentary: Does no one else think cars + computers + network connectivity = bad?
Re:Let me know (Score:5, Funny)
Re: (Score:1)
I think that AC may have stopped taking his lithium for too long
Turn off the wireless (Score:1)
I disable Wi-Fi, Bluetooth, and location services on my phone when I'm not actively using them. Hopefully you can do the same for your car.
Re: (Score:1)
Re: (Score:2)
You expect that a sales person even knows what a SIM card is or where it is located?
Cars? (Score:3)
"Does no one else think cars + computers + network connectivity = bad?"
Does no one else think that phone + computer + network connectivity + radio connectivity + location sensing + chargeable services + .... + ... = bad?
Apparently only a few.
Re: (Score:1)
Connecting two different systems that have no place in intercommunicating doesn't make sense.
Attaching the wifi to the CAN bus is an awful idea. It borders on stupid.
Re: (Score:2)
If that borders on stupid, I have to ask from which side.
CAN was never supposed to be a user space bus. When it was created, security was simply a non-issue because back then to get access to it, you'd pretty much have had to dismantle the whole car. Stealing it was heaps easier. And it's also not like with TCP where you can simply stack TLS on top of it, it doesn't work that way.
Leave the CAN bus alone! And don't even get the idea to mix user space electronics, where the idiot on the wheel can plug his ins
Re: (Score:2)
Re: (Score:3)
Re:Cars? (Score:4, Insightful)
"Does no one else think cars + computers + network connectivity = bad?"
Whether it's your car, television or phone, it's not bad if done properly. The problem is, nobody gives two shits about doing it properly.
Re: (Score:2)
Re: (Score:2)
I think if you engaged the brake at the wrong time without warning it might be able to cause and accident
Re: (Score:2)
Re: (Score:2)
I'm just throwing this out there with admittedly not knowing, but I've always assumed radio connectivity in airplanes is informational and not actually able to control the plane in any possibly disastrous way.
Boeing has had remote control capabilities since 2006. Airlines don't use it for fear of hacks. Source: http://www.dailymail.co.uk/new... [dailymail.co.uk]
Re: (Score:2)
Does no one else think that airplanes with radio/network connectivity = bad? Does no one else think satellites orbiting Earth at 17,000mph with radio network connectivity = bad? Apparently only a few.
I would ask if the control of an air plane can be controlled remotely like the car? If so, then it is bad. And if Tesla can update/patch their firmware of their car via Internet, then I am waiting to see some other vulnerabilities of the update/patch system they have in the future...
Re: (Score:2)
cars + computers + network connectivity + bad security = bad
You can't isolate yourself from the entire world. That's why we have locks on doors. Some people have strong locks, others don't need strong locks.
Cars need strong locks. These security researchers did the right thing. They found a vulnerability, notified Tesla, and Tesla was able to fix it quickly and roll out the fix to its cars. That's the way it's supposed to work.
All cars have a CAN bus which can control many things in the car. It needs a stro
Re: (Score:2)
This is only really bad if the remote connectivity portion is physically connected to the CAN bus, so as to affect vehicle control through remote commands, and be effectively impossible to secure well enough to prevent exploitation.
... except this is what every manufacturer does with their telematics systems, on purpose.
I guess it's only monumentally stupid if you write the software such that it can rewrite it's firmware and whole control system via remote update.
... which is what Tesla does, for "cus
Re: (Score:2)
If you ask the "right" people, apparently the barn has been "fully engulfed and about to collapse" for thousands of years now. Shit happens, we fix the shit, and try to get it as right going forward as is reasonably possible. The way people talk, it's like some kind of massive collective failure that will bring about the end of days *any day now* that humans are not perfect.
Better equation (Score:2)
Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.
That's a net gain of: thousands of kms saved + time saved + less cars on road = good
A worse equation is that Tesla is working to eliminate:
Cars + humans + driving + distraction( texting | eating | doing makeup ) = bad
Re: (Score:2)
There's certainly something to be said for having an air gap, but even air gaps aren't foolproof, and they're becoming increasingly unrealistic in the world of interconnected systems we live in.
Re: (Score:2)
If the automobiles didn't have easy network connectivity, they couldn't be compromised so readily be bad actors.
I'm buying a new car soon and I have resolved not to buy one that doesn't allow me to disable any built-in radios immediately.
Re: (Score:2)
or your car is old to get that update buy new car (Score:2)
or your car is 1 year old to get that update to auto drive 1.5 buy A NEW CAR! or pay $2500 + labor to install an new CPU unit.
Re: (Score:2)
Re: (Score:2)
Tesla was able to patch all their cars quickly
Have you ever heard of a zero-day exploit?
Re: (Score:2)
"Does no one else think cars + computers + network connectivity = bad?" Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.
???
The patch would not have been needed had the connectivity not existed.
"Luckily, this problem that would not have existed without network connectivity was solved by using the network connectivity." Circular reasoning at its finest, folks. There would have been no patch if there was no network connectivity.
Re: (Score:2)
Your tagline: "-- space for rent"
Is it referring to space in the GPs head? Or are you simply selling advertising in your sig?
Re: (Score:2)
"Does no one else think cars + computers + network connectivity = bad?"
Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.
That's a net gain of: thousands of kms saved + time saved + less cars on road = good
You're making the assumption that only legitimate researchers who follow proper notification procedures are looking for this stuff. Hackers looking to take advantage of it are looking, too, but they won't tell Tesla (or whatever relevant manufacturer) if they find anything.
What happens if some genius security researcher with a mental instability (we know they exist) gets recruited by Daesh, and figures out how to lock up the brakes on every Tesla that's travelling faster than 50 mph with a GPS location tha
Re: (Score:1)
Connectng (Score:4, Informative)
Re: (Score:2)
I disagree with your first half, but agree with the latter.
I would like my devices to be able to easily download patches, whether they be security or new features. I don't want to have to go to a dealer ship to get a critical patch and then be talked about 10 other things I could pay for to have done.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Your front door can be broken into. Yet you still lock it, because doors are useful and the pragmatic likelihood that somebody will break down your door is a lot lower than somebody walking into it unlocked. The real question I have to wonder if what do hackers have to gain from hacking a car? If the barrier to entry is high enough, there are plenty of easier ways of causing people harm, stealing the car, or whatever other police-procedural fantasy crime you can think of.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Title wording (Score:2)
It's not a claim Reuters!!! The researchers reported the issues to Tesla, who fixed them. Tesla fixed them BECAUSE the hack worked. It's not a claim at all.
Computers and networks in cars are fine (Score:3)
Does no one else think cars + computers + network connectivity = bad?
In principle no I do not. Cars have been loaded with computers for quite some time now for all sorts of good reasons. You just don't usually notice them - which is a good thing. As for network connectivity that is fine too. There are all sorts of useful things you can do with network access. Are there downsides? Sure, just like any technology. I haven't seen any showstoppers however. Just problems that will take some time to work through. I think the auto companies are going to struggle for a while to learn to deal with the security issues because they have no experience with them but they'll figure it out eventually. There also are some privacy issues but those too will eventually be sorted out to a reasonable degree.
Actually I think cars without computers are a much worse idea in most cases. Worse performance, worse fuel economy, more dangerous, less features, more maintenance, etc. I'm old enough to remember when cars mostly didn't have computers in them. They're better with computers.
Re: (Score:2)
Why a network? Plenty of reasons (Score:2)
The question, put more precisely here is: why does a car need to be on a packet switched network?
Lots of reasons. Map updates, traffic updates, relaying location, weather updates, infotainment, concierge services, updates to car features, etc. The list is almost endless if one thinks about it.
The conclusion I come to is that as a convenience factor for the company, it's easier to have it on a network.
It's not just a convenience for the car company though that is a real factor. It's also a convenience for the car owner. If there is a recall on something software related (which happens a lot these days) it is MUCH more convenient for the car owner to not have to waste a substantial portion of the day schedul
Re: (Score:2)
Lots of reasons. Map updates, traffic updates, relaying location, weather updates, infotainment, concierge services, updates to car features, etc. The list is almost endless if one thinks about it.
So lets not put any of those things in a car. That's what tablets and phones are for.
Re: (Score:2)
The auto company doesn't have to do anything to make networked cars more secure except hire people already knowledgeable in the field computer systems design and security. And actually listen to what they are telling you to do. Putting a computer on a car is no different than putting a computer in any other situation that we've been doing for years. We already know how to make computers secure.
It's fine to have a bluetooth radio. But the radio should not be in any way hooked up to the core systems of the
Re: (Score:2)
Re: (Score:1)
I routinely see cars from the 30s, 40s, 50s, and 60s on the road. Some of them never restored, but still running.
When was the last time you saw a car from the 80s on the road? 80s cars, with computers especially, are unmaintainable, unreliable, and are just junk. Late 90s started getting reasonable, but I still think they are unmaintainable. When an eprom goes out what do you do with an antique car? Replace entire engine or transmission because a $2 part went bad that you can't possibly get a replaceme
Re: (Score:2)
Re: (Score:2)
In principle I agree with you, but...
Computers + cars, as you've said, is a wonderful thing.
I personally chose my [used] car based on the LACK OF network connectivity (before it was a known issue).
I liked the Chrysler 300 w/ uConnect. So I bought one -- specifically 2012. I wasn't considering any 2013 or later as it was mid-way through 2013 that they added Internet capabilities to uConnect. I wasn't going to muck around trying to figure out when the car I wanted was manufactured during the year -- I just de
Re: (Score:2)
For a long time you could simply perforate the brake-line and let the fluid drain. This could be used to cause a crash. Where were the articles about car security then? No matter what we put into cars, there will always be some way for a malicious actor to take advantage of some design flaw to put someone in danger. However, the risk is relatively small, while the reward is great.
Re: (Score:2)
There is no security on the CAN communications of any modern vehicles that I know of. Any person connected to the bus can masquerade as anyone else.
That's why Tesla has several layers of bus, with firewalls between them, inside each car.
Get on one of the buses, you get to tweak the stuff on THAT bus. But you have to convince a firewall you're cool (i.e. doing something the firewall recognizes as legitimate) before it forwards your transaction to anything on even an adjacent bus.
Re: (Score:2)
Re: (Score:2)
Correct. :*)
WTF? (Score:2)
Slashdot reader weedjams adds some commentary
Really? Linking tangentially related articles at the end of the summary wasn't retarded enough? Now we're just adding random comments?
Related (Score:2)
"You are only given the privilege to pay the massive price tag, but you are FORBIDDEN to work on it. Bring it to us, along with your nose to pay thru."
Network (Score:2)
>Does no one else think cars + computers + network connectivity = bad?
Not half as bad a wireless pacemakers.
CAN bus still around? Damn... (Score:2)
The CAN bus was developed decades ago when cars first got electronics.
It has no appreciable security standards. The devices on the bus can implement their own security features, but that becomes a problem when you want to include components from various vendors. Most of them never even thought of security.
The only security was physical security, and that vanished as soon as the wifi connected.