
Tesla Fixes Security Bugs After Claims of Model S Hack (reuters.com) 76

An anonymous reader quotes a report from Reuters: Tesla Motors Inc has rolled out a security patch for its electric cars after Chinese security researchers uncovered vulnerabilities they said allowed them to remotely attack a Tesla Model S sedan. The automaker said that it had patched the bugs in a statement to Reuters on Tuesday, a day after cybersecurity researchers with China's Tencent Holdings Ltd disclosed their findings on their blog. Tesla said it was able to remedy the bugs uncovered by Tencent using an over-the-air fix to its vehicles, which saved customers the trouble of visiting dealers to obtain the update. Tencent's Keen Security Lab said on its blog that its researchers were able to remotely control some systems on the Tesla S in both driving and parking modes by exploiting the security bugs that were fixed by the automaker. The blog said that Tencent believed its researchers were the first to gain remote control of a Tesla vehicle by hacking into an onboard computer system known as a CAN bus. In a demonstration video, Tencent researchers remotely engaged the brake on a moving Tesla Model S, turned on its windshield wipers and opened the trunk. Tesla said it pushed out an over-the-air update to automatically update software on its vehicles within 10 days of learning about the bugs. It said the attack could only be triggered when a Tesla web browser was in use and the vehicle was close enough to a malicious Wi-Fi hotspot to connect to it. Slashdot reader weedjams adds some commentary: Does no one else think cars + computers + network connectivity = bad?
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    I disable Wi-Fi, Bluetooth, and location services on my phone when I'm not actively using them. Hopefully you can do the same for your car.

    • by Anonymous Coward
      Good luck with that. When shopping around at a Jeep dealership I asked how to remove the SIM card from the mobile data connection used by Uconnect (as opposed to Uconnect Via Mobile on the cheaper models which uses the Bluetooth internet gateway on your smartphone) and nobody would own up to knowing anything about it. That's fine, plead ignorant. I bought a car from a different manufacturer.
  • by ledow ( 319597 ) on Wednesday September 21, 2016 @08:19AM (#52930491) Homepage

    "Does no one else think cars + computers + network connectivity = bad?"

    Does no one else think that phone + computer + network connectivity + radio connectivity + location sensing + chargeable services + .... + ... = bad?

    Apparently only a few.

    • by Anonymous Coward

      Connecting two different systems that have no place in intercommunicating doesn't make sense.
      Attaching the wifi to the CAN bus is an awful idea. It borders on stupid.

      • If that borders on stupid, I have to ask from which side.

        CAN was never supposed to be a user space bus. When it was created, security was simply a non-issue because back then to get access to it, you'd pretty much have had to dismantle the whole car. Stealing it was heaps easier. And it's also not like with TCP where you can simply stack TLS on top of it, it doesn't work that way.

        Leave the CAN bus alone! And don't even get the idea to mix user space electronics, where the idiot on the wheel can plug his ins

    • by bozzy ( 992580 )
      They aren't necessarily intrinsically bad, per se. It's just that people either make mistakes (introduce bugs) or are malicious (abuse it). It's why we can't have nice things.
    • Re:Cars? (Score:4, Insightful)

      by rudy_wayne ( 414635 ) on Wednesday September 21, 2016 @08:53AM (#52930667)

      "Does no one else think cars + computers + network connectivity = bad?"

      Whether it's your car, television or phone, it's not bad if done properly. The problem is, nobody gives two shits about doing it properly.

      • Even worse, if someone does do it properly customers will complain that it is inconvenient and probably not buy it.
    • by mspohr ( 589790 )

      cars + computers + network connectivity + bad security = bad
      You can't isolate yourself from the entire world. That's why we have locks on doors. Some people have strong locks, others don't need strong locks.
      Cars need strong locks. These security researchers did the right thing. They found a vulnerability, notified Tesla, and Tesla was able to fix it quickly and roll out the fix to its cars. That's the way it's supposed to work.
      All cars have a CAN bus which can control many things in the car. It needs a stro

    • This is only really bad if the remote connectivity portion is physically connected to the CAN bus, so as to affect vehicle control through remote commands, and be effectively impossible to secure well enough to prevent exploitation.

      ... except this is what every manufacturer does with their telematics systems, on purpose.

      I guess it's only monumentally stupid if you write the software such that it can rewrite its firmware and whole control system via remote update.

      ... which is what Tesla does, for "cus

  • "Does no one else think cars + computers + network connectivity = bad?"

    Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.

    That's a net gain of: thousands of kms saved + time saved + less cars on road = good

    A worse equation is that Tesla is working to eliminate:

    Cars + humans + driving + distraction( texting | eating | doing makeup ) = bad
    • A better comparison would be what the situation would be like if the cars didn't have easy network connectivity that allowed OTA patches. You'd have to bring them in to a service center to get patched. How many people would do it right away? How many would just be lazy and not bother at all?

      There's certainly something to be said for having an air gap, but even air gaps aren't foolproof, and they're becoming increasingly unrealistic in the world of interconnected systems we live in.
    • Tesla was able to patch all their cars quickly

      Have you ever heard of a zero-day exploit?

    • "Does no one else think cars + computers + network connectivity = bad?" Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.

      ???

      The patch would not have been needed had the connectivity not existed.

      "Luckily, this problem that would not have existed without network connectivity was solved by using the network connectivity." Circular reasoning at its finest, folks. There would have been no patch if there was no network connectivity.

      • Your tagline: "-- space for rent"

        Is it referring to space in the GP's head? Or are you simply selling advertising in your sig?

    • "Does no one else think cars + computers + network connectivity = bad?"

      Nope. Tesla was able to patch all their cars quickly, without asking drivers to come in to get serviced.

      That's a net gain of: thousands of kms saved + time saved + less cars on road = good

      You're making the assumption that only legitimate researchers who follow proper notification procedures are looking for this stuff. Hackers looking to take advantage of it are looking, too, but they won't tell Tesla (or whatever relevant manufacturer) if they find anything.
      What happens if some genius security researcher with a mental instability (we know they exist) gets recruited by Daesh, and figures out how to lock up the brakes on every Tesla that's travelling faster than 50 mph with a GPS location tha

    • by lhowaf ( 3348065 )
      Why not do the updates through the charging cable/station? That way, at least you know the vehicle isn't in use. If the vehicle is in use, it won't be long before it is connected again.
  • Connecting (Score:4, Informative)

    by fluffernutter ( 1411889 ) on Wednesday September 21, 2016 @08:56AM (#52930691)
    Connecting a car to anything is just stupid and reckless. It will be a constant battle with hackers. All AI should be on board.
    • I disagree with your first half, but agree with the latter.

      I would like my devices to be able to easily download patches, whether they be security or new features. I don't want to have to go to a dealership to get a critical patch and then be talked about 10 other things I could pay for to have done.

      • The problem with that is, if Tesla can send you patches so can hackers. I'm pretty sure you wouldn't want hackers sending you patches. Security is inconvenient by necessity.
  • "Claims of Model S Hack"
    It's not a claim Reuters!!! The researchers reported the issues to Tesla, who fixed them. Tesla fixed them BECAUSE the hack worked. It's not a claim at all.
  • by sjbe ( 173966 ) on Wednesday September 21, 2016 @09:05AM (#52930753)

    Does no one else think cars + computers + network connectivity = bad?

    In principle no I do not. Cars have been loaded with computers for quite some time now for all sorts of good reasons. You just don't usually notice them - which is a good thing. As for network connectivity that is fine too. There are all sorts of useful things you can do with network access. Are there downsides? Sure, just like any technology. I haven't seen any showstoppers however. Just problems that will take some time to work through. I think the auto companies are going to struggle for a while to learn to deal with the security issues because they have no experience with them but they'll figure it out eventually. There also are some privacy issues but those too will eventually be sorted out to a reasonable degree.

    Actually I think cars without computers are a much worse idea in most cases. Worse performance, worse fuel economy, more dangerous, less features, more maintenance, etc. I'm old enough to remember when cars mostly didn't have computers in them. They're better with computers.

    • by HBI ( 604924 )

      The computer thing is a red herring. There have been computers in cars since at least the early 1990s.

      The question, put more precisely here is: why does a car need to be on a packet switched network?

      I can come up with lots of reasons for cars to send packets out. Telemetry data comes to mind here, though why the owner would want this is less clear. I'm sure the car company is interested.

      But why does a car need to respond to incoming packets? I can only think of reasons that the owner would find either b

      • The question, put more precisely here is: why does a car need to be on a packet switched network?

        Lots of reasons. Map updates, traffic updates, relaying location, weather updates, infotainment, concierge services, updates to car features, etc. The list is almost endless if one thinks about it.

        The conclusion I come to is that as a convenience factor for the company, it's easier to have it on a network.

        It's not just a convenience for the car company though that is a real factor. It's also a convenience for the car owner. If there is a recall on something software related (which happens a lot these days) it is MUCH more convenient for the car owner to not have to waste a substantial portion of the day schedul

        • Lots of reasons. Map updates, traffic updates, relaying location, weather updates, infotainment, concierge services, updates to car features, etc. The list is almost endless if one thinks about it.

          So let's not put any of those things in a car. That's what tablets and phones are for.

    • The auto company doesn't have to do anything to make networked cars more secure except hire people already knowledgeable in the field of computer systems design and security. And actually listen to what they are telling you to do. Putting a computer on a car is no different than putting a computer in any other situation that we've been doing for years. We already know how to make computers secure.

      It's fine to have a bluetooth radio. But the radio should not be in any way hooked up to the core systems of the

      • Here's the problem.. What if these experts tell Tesla what they should, that the only secure way of doing it is to connect physically? Tesla is just going to send them away because they know customers will complain about that, and Autopilot probably doesn't work at all without it.
    • by Anonymous Coward

      I routinely see cars from the 30s, 40s, 50s, and 60s on the road. Some of them never restored, but still running.

      When was the last time you saw a car from the 80s on the road? 80s cars, with computers especially, are unmaintainable, unreliable, and are just junk. Late 90s started getting reasonable, but I still think they are unmaintainable. When an eprom goes out what do you do with an antique car? Replace entire engine or transmission because a $2 part went bad that you can't possibly get a replaceme

      • This is a big reason why I think most people will not get their hands on automated vehicles. They will be expensive from the factory, and junk by the time they would be sold used. Every vehicle I have had in the last 20 years has had some sort of electrical glitch. Electronics and weather cycles just don't mix.
    • by krray ( 605395 )

      In principle I agree with you, but...

      Computers + cars, as you've said, is a wonderful thing.
      I personally chose my [used] car based on the LACK OF network connectivity (before it was a known issue).

      I liked the Chrysler 300 w/ uConnect. So I bought one -- specifically 2012. I wasn't considering any 2013 or later as it was mid-way through 2013 that they added Internet capabilities to uConnect. I wasn't going to muck around trying to figure out when the car I wanted was manufactured during the year -- I just de

    • For a long time you could simply perforate the brake-line and let the fluid drain. This could be used to cause a crash. Where were the articles about car security then? No matter what we put into cars, there will always be some way for a malicious actor to take advantage of some design flaw to put someone in danger. However, the risk is relatively small, while the reward is great.

  • Slashdot reader weedjams adds some commentary

    Really? Linking tangentially related articles at the end of the summary wasn't retarded enough? Now we're just adding random comments?

  • Most folks are still in love with Tesla, but I have to wonder if they're going to be any different than John Deere and Case - New Holland:
    "You are only given the privilege to pay the massive price tag, but you are FORBIDDEN to work on it. Bring it to us, along with your nose to pay thru."
  • >Does no one else think cars + computers + network connectivity = bad?

    Not half as bad as wireless pacemakers.

  • The CAN bus was developed decades ago when cars first got electronics.

    It has no appreciable security standards. The devices on the bus can implement their own security features, but that becomes a problem when you want to include components from various vendors. Most of them never even thought of security.

    The only security was physical security, and that vanished as soon as the wifi connected.
