Tesla Fixes Security Bugs After Claims of Model S Hack

An anonymous reader quotes a report from Reuters: Tesla Motors Inc has rolled out a security patch for its electric cars after Chinese security researchers uncovered vulnerabilities they said allowed them to remotely attack a Tesla Model S sedan. The automaker said that it had patched the bugs in a statement to Reuters on Tuesday, a day after cybersecurity researchers with China'a Tencent Holdings Ltd disclosed their findings on their blog. Tesla said it was able to remedy the bugs uncovered by Tencent using an over-the-air fix to its vehicles, which saved customers the trouble of visiting dealers to obtain the update. Tencent's Keen Security Lab said on its blog that its researchers were able to remotely control some systems on the Tesla S in both driving and parking modes by exploiting the security bugs that were fixed by the automaker. The blog said that Tencent believed its researchers were the first to gain remote control of a Tesla vehicle by hacking into an onboard computer system known as a CAN bus. In a demonstration video, Tencent researchers remotely engaged the brake on a moving Tesla Model S, turned on its windshield wipers and opened the trunk. Tesla said it pushed out an over-the-air update to automatically update software on its vehicles within 10 days of learning about the bugs. It said the attack could only be triggered when a Tesla web browser was in use and the vehicle was close enough to a malicious Wi-Fi hotspot to connect to it. Slashdot reader weedjams adds some commentary: Does no one else think cars + computers + network connectivity = bad?

Re:Let me know

[Maritz]

I think they've been on lithium ion for a while now.

Re:

[Anonymous Coward]

I think that AC may have stopped taking his lithium for too long

Turn off the wireless

[Anonymous Coward]

I disable Wi-Fi, Bluetooth, and location services on my phone when I'm not actively using them. Hopefully you can do the same for your car.

Re:

[Anonymous Coward]

Good luck with that. When shopping around at a Jeep dealership I asked how to remove the SIM card from the mobile data connection used by Uconnect (as opposed to Uconnect Via Mobile on the cheaper models which uses the Buletooth internet gateway on your smartphone) and nobody would own up to knowing anything about it. That's fine, plead ignorant. I bought a car from a different manufacturer.

Re:

[Coren22]

You expect that a sales person even knows what a SIM card is or where it is located?

Cars?

[ledow]

"Does no one else think cars + computers + network connectivity = bad?"

Does no one else think that phone + computer + network connectivity + radio connectivity + location sensing + chargeable services + .... + ... = bad?

Apparently only a few.

Re:

[Anonymous Coward]

Connecting two different systems that have no place in intercommunicating doesn't make sense.
Attaching the wifi to the CAN bus is an awful idea. It borders on stupid.

Re:

[Opportunist]

If that borders on stupid, I have to ask from which side.

CAN was never supposed to be a user space bus. When it was created, security was simply a non-issue because back then to get access to it, you'd pretty much have had to dismantle the whole car. Stealing it was heaps easier. And it's also not like with TCP where you can simply stack TLS on top of it, it doesn't work that way.

Leave the CAN bus alone! And don't even get the idea to mix user space electronics, where the idiot on the wheel can plug his ins

Re:

[bozzy]

They aren't necessarily intrinsically bad, per se. It's just that people either make mistakes (introduce bugs) or are malicious (abuse it). It's why we can't have nice things.

Re:

[fluffernutter]

This goes directly against the whole Autopilot philosophy. In your example, people are expected to be capable of using poison properly and responsibly. If you spread it around and someone doesn't use it properly, well, it's not your fault. Didn't you read the small sign in the corner of the yard? What makes it more interesting is that automation is being pushed on the premise that humans aren't perfect, yet expect perfection from them in other ways? It's a strange way of thinking.

Re:Cars?

[rudy_wayne]

"Does no one else think cars + computers + network connectivity = bad?"

Whether it's your car, television or phone, it's not bad if done properly. The problem is, nobody gives two shits about doing it properly.

Re:

[fluffernutter]

Even worse, if someone does do it properly customers will complain that it is inconvenient and probably not buy it.

Re:

[pr0fessor]

I think if you engaged the brake at the wrong time without warning it might be able to cause and accident

Re:

[fluffernutter]

I'm just throwing this out there with admittedly not knowing, but I've always assumed radio connectivity in airplanes is informational and not actually able to control the plane in any possibly disastrous way.

Re:

[kelemvor4]

I'm just throwing this out there with admittedly not knowing, but I've always assumed radio connectivity in airplanes is informational and not actually able to control the plane in any possibly disastrous way.

Boeing has had remote control capabilities since 2006. Airlines don't use it for fear of hacks. Source: http://www.dailymail.co.uk/new... [dailymail.co.uk]

Re:

[parkinglot777]

Does no one else think that airplanes with radio/network connectivity = bad? Does no one else think satellites orbiting Earth at 17,000mph with radio network connectivity = bad? Apparently only a few.

I would ask if the control of an air plane can be controlled remotely like the car? If so, then it is bad. And if Tesla can update/patch their firmware of their car via Internet, then I am waiting to see some other vulnerabilities of the update/patch system they have in the future...

Re:

[mspohr]

cars + computers + network connectivity + bad security = bad
You can't isolate yourself from the entire world. That's why we have locks on doors. Some people have strong locks, others don't need strong locks.
Cars need strong locks. These security researchers did the right thing. They found a vulnerability, notified Tesla, and Tesla was able to fix it quickly and roll out the fix to its cars. That's the way it's supposed to work.
All cars have a CAN bus which can control many things in the car. It needs a stro

Re:

[sigmabody]

This is only really bad if the remote connectivity portion is physically connected to the CAN bus, so as to affect vehicle control through remote commands, and be effectively impossible to secure well enough to prevent exploitation.

... except this is what every manufacturer does with their telematics systems, on purpose.

I guess it's only monumentally stupid if you write the software such that it can rewrite it's firmware and whole control system via remote update.

... which is what Tesla does, for "cus

Re:

[SirSlud]

If you ask the "right" people, apparently the barn has been "fully engulfed and about to collapse" for thousands of years now. Shit happens, we fix the shit, and try to get it as right going forward as is reasonably possible. The way people talk, it's like some kind of massive collective failure that will bring about the end of days *any day now* that humans are not perfect.

Better equation

[gachunt]

"Does no one else think cars + computers + network connectivity = bad?"

Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.

That's a net gain of: thousands of kms saved + time saved + less cars on road = good

A worse equation is that Tesla is working to eliminate:

Cars + humans + driving + distraction( texting | eating | doing makeup ) = bad

Re:

[Fire_Wraith]

A better comparison would be what the situation would be like if the cars didn't have easy network connectivity that allowed OTA patches. You'd have to bring them in to a service center to get patched. How many people would do it right away? How many would just be lazy and not bother at all?

There's certainly something to be said for having an air gap, but even air gaps aren't foolproof, and they're becoming increasingly unrealistic in the world of interconnected systems we live in.

Re:

[FrankHaynes]

If the automobiles didn't have easy network connectivity, they couldn't be compromised so readily be bad actors.

I'm buying a new car soon and I have resolved not to buy one that doesn't allow me to disable any built-in radios immediately.

Re:

[fluffernutter]

If your car isn't connected to anything and it is working properly, why would you need patches?

or your car is old to get that update buy new car

[Joe_Dragon]

or your car is 1 year old to get that update to auto drive 1.5 buy A NEW CAR! or pay $2500 + labor to install an new CPU unit.

Re:

[fluffernutter]

If you didn't like the way the car worked, you shouldn't have bought it.

Re:

[fluffernutter]

Tesla was able to patch all their cars quickly

Have you ever heard of a zero-day exploit?

Re:

[goose-incarnated]

"Does no one else think cars + computers + network connectivity = bad?" Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.

???

The patch would not have been needed had the connectivity not existed.

"Luckily, this problem that would not have existed without network connectivity was solved by using the network connectivity." Circular reasoning at its finest, folks. There would have been no patch if there was no network connectivity.

Re:

[cbiltcliffe]

Your tagline: "-- space for rent"

Is it referring to space in the GPs head? Or are you simply selling advertising in your sig?

Re:

[cbiltcliffe]

"Does no one else think cars + computers + network connectivity = bad?"

Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.

That's a net gain of: thousands of kms saved + time saved + less cars on road = good

You're making the assumption that only legitimate researchers who follow proper notification procedures are looking for this stuff. Hackers looking to take advantage of it are looking, too, but they won't tell Tesla (or whatever relevant manufacturer) if they find anything.
What happens if some genius security researcher with a mental instability (we know they exist) gets recruited by Daesh, and figures out how to lock up the brakes on every Tesla that's travelling faster than 50 mph with a GPS location tha

Re:

[lhowaf]

Why not do the updates through the charging cable/station? That way, at least you know the vehicle isn't in use. If the vehicle is in use, it won't be long before it is connected again.

Connectng

[fluffernutter]

Connecting a car to anything is just stupid and reckless. It will be a constant battle with hackers. All AI should be on board.

Re:

[TFlan91]

I disagree with your first half, but agree with the latter.

I would like my devices to be able to easily download patches, whether they be security or new features. I don't want to have to go to a dealer ship to get a critical patch and then be talked about 10 other things I could pay for to have done.

Re:

[fluffernutter]

The problem with that is, if Tesla can send you patches so can hackers. I'm pretty sure you wouldn't want hackers sending you patches. Security is inconvenient by necessity.

Re:

[fluffernutter]

Yes, because encryption never breaks.

Re:

[SirSlud]

Your front door can be broken into. Yet you still lock it, because doors are useful and the pragmatic likelihood that somebody will break down your door is a lot lower than somebody walking into it unlocked. The real question I have to wonder if what do hackers have to gain from hacking a car? If the barrier to entry is high enough, there are plenty of easier ways of causing people harm, stealing the car, or whatever other police-procedural fantasy crime you can think of.

Re:

[fluffernutter]

What do people have to gain by dropping rocks off of overpasses? A lot of people just like the thrill of it. Also hackers like the challenge. If my house gets broken into, as much it would suck, my house insurance covers it and they are just things. If a car gets hacked and kills people, they aren't coming back so it is a bit more important for a car to be totally secure.

Re:

[fluffernutter]

Explain how a person hacks a car remotely if it is not network connected please. There is a world of difference between being present at the vehicle and not.

Re:

[fluffernutter]

You're just adding fuel to my fire, considering I've long been arguing that automation isn't mature enough to use yet.

Title wording

[campuscodi]

"Claims of Model S Hack"
It's not a claim Reuters!!! The researchers reported the issues to Tesla, who fixed them. Tesla fixed them BECAUSE the hack worked. It's not a claim at all.

Computers and networks in cars are fine

[sjbe]

Does no one else think cars + computers + network connectivity = bad?

In principle no I do not. Cars have been loaded with computers for quite some time now for all sorts of good reasons. You just don't usually notice them - which is a good thing. As for network connectivity that is fine too. There are all sorts of useful things you can do with network access. Are there downsides? Sure, just like any technology. I haven't seen any showstoppers however. Just problems that will take some time to work through. I think the auto companies are going to struggle for a while to learn to deal with the security issues because they have no experience with them but they'll figure it out eventually. There also are some privacy issues but those too will eventually be sorted out to a reasonable degree.

Actually I think cars without computers are a much worse idea in most cases. Worse performance, worse fuel economy, more dangerous, less features, more maintenance, etc. I'm old enough to remember when cars mostly didn't have computers in them. They're better with computers.

Re:

[account_deleted]

Comment removed based on user account deletion

Why a network? Plenty of reasons

[sjbe]

The question, put more precisely here is: why does a car need to be on a packet switched network?

Lots of reasons. Map updates, traffic updates, relaying location, weather updates, infotainment, concierge services, updates to car features, etc. The list is almost endless if one thinks about it.

The conclusion I come to is that as a convenience factor for the company, it's easier to have it on a network.

It's not just a convenience for the car company though that is a real factor. It's also a convenience for the car owner. If there is a recall on something software related (which happens a lot these days) it is MUCH more convenient for the car owner to not have to waste a substantial portion of the day schedul

Re:

[fluffernutter]

Lots of reasons. Map updates, traffic updates, relaying location, weather updates, infotainment, concierge services, updates to car features, etc. The list is almost endless if one thinks about it.

So lets not put any of those things in a car. That's what tablets and phones are for.

Re:

[CastrTroy]

The auto company doesn't have to do anything to make networked cars more secure except hire people already knowledgeable in the field computer systems design and security. And actually listen to what they are telling you to do. Putting a computer on a car is no different than putting a computer in any other situation that we've been doing for years. We already know how to make computers secure.

It's fine to have a bluetooth radio. But the radio should not be in any way hooked up to the core systems of the

Re:

[fluffernutter]

Here's the problem.. What if these experts tell Tesla what they should, that the only secure way of doing it is to connect physically? Tesla is just gong to send them away because they know customers will complain about that, and Autopilot probably doesn't work at all without it.

Re:

[Anonymous Coward]

I routinely see cars from the 30s, 40s, 50s, and 60s on the road. Some of them never restored, but still running.

When was the last time you saw a car from the 80s on the road? 80s cars, with computers especially, are unmaintainable, unreliable, and are just junk. Late 90s started getting reasonable, but I still think they are unmaintainable. When an eprom goes out what do you do with an antique car? Replace entire engine or transmission because a $2 part went bad that you can't possibly get a replaceme

Re:

[fluffernutter]

This is a big reason why I think most people will not get their hands on automated vehicles. They will be expensive from the factory, and junk by the time they would be sold used. Every vehicle I have had in the last 20 years has had some sort of electrical glitch. Electronics and weather cycles just don't mix.

Re:

[krray]

In principle I agree with you, but...

Computers + cars, as you've said, is a wonderful thing.
I personally chose my [used] car based on the LACK OF network connectivity (before it was a known issue).

I liked the Chrysler 300 w/ uConnect. So I bought one -- specifically 2012. I wasn't considering any 2013 or later as it was mid-way through 2013 that they added Internet capabilities to uConnect. I wasn't going to muck around trying to figure out when the car I wanted was manufactured during the year -- I just de

Re:

[RivenAleem]

For a long time you could simply perforate the brake-line and let the fluid drain. This could be used to cause a crash. Where were the articles about car security then? No matter what we put into cars, there will always be some way for a malicious actor to take advantage of some design flaw to put someone in danger. However, the risk is relatively small, while the reward is great.

Re:

[Ungrounded Lightning]

There is no security on the CAN communications of any modern vehicles that I know of. Any person connected to the bus can masquerade as anyone else.

That's why Tesla has several layers of bus, with firewalls between them, inside each car.

Get on one of the buses, you get to tweak the stuff on THAT bus. But you have to convince a firewall you're cool (i.e. doing something the firewall recognizes as legitimate) before it forwards your transaction to anything on even an adjacent bus.

Re:

[fluffernutter]

There are probably hackers reading about this and thinking, "Challenge accepted!".

Re:

[krray]

Correct. :*)

WTF?

[GrumpySteen]

Slashdot reader weedjams adds some commentary

Really? Linking tangentially related articles at the end of the summary wasn't retarded enough? Now we're just adding random comments?

Related

[ThatsNotPudding]

Most folks are still in love with Tesla, but I have to wonder if they're going to be any different than John Deere and Case - New Holland:
"You are only given the privilege to pay the massive price tag, but you are FORBIDDEN to work on it. Bring it to us, along with your nose to pay thru."

Network

[mjperson]

>Does no one else think cars + computers + network connectivity = bad?

Not half as bad a wireless pacemakers.

CAN bus still around? Damn...

[EndlessNameless]

The CAN bus was developed decades ago when cars first got electronics.

It has no appreciable security standards. The devices on the bus can implement their own security features, but that becomes a problem when you want to include components from various vendors. Most of them never even thought of security.

The only security was physical security, and that vanished as soon as the wifi connected.