Apr 05 2014
Important: Read the stuff at the end of this post. I got a lot of feedback and I’ve added it there. Unlike some people, I actually want to be told when I’m wrong and learn from the experience.
I don’t own a Tesla S and probably never will. They’re beautiful cars, they’re (sort of) ecologically friendly, and they show that you have more money than common sense. I use a car to get my family from point A to point B and showing off my wealth (or lack there of) has never actually been part of the equation in buying a car. And one more reason I don’t think I’ll ever buy a Tesla is that I’m beginning to think they’re as insecure as all get out, at least from the network perspective.
Last week hacker* Nitesh Dhanjani wrote his experience with exploring the remote control possibilities of the Tesla Model S P85+. It starts with being able to unlock the doors, check the location, etc. And it ends with a total lack of security for the site and tools needed to control the car. The web site for controling your new Tesla has minimal password complexity controls, six characters with at least one letter and one number. I have no idea if it’ll even let you use symbols, but I’m guessing that’s either not supported or only a minimal subset of symbols are available. Which means password complexity is very low by almost any standard. Then there’s the fact that Tesla doesn’t have rudimentary controls around the web site, such as rate limits on password guesses or account lock out, which they’ve hopefully changed by now. Which gives you an easily guessed password combined with a site that allows unlimited guesses, making the possibility of brute forcing the password very real. That’s not even including the fact that so many people reuse account names and passwords, so there’s a good chance you can find a compromised account database with the owner’s details if you search for a little while.
That’s great so far. Now let’s add to this the fact that your Tesla S has wifi/4G wireless access. And there’s also a 4-pin connector in the dashboard that leads to the network inside your car. It’s running all sorts of wonderful things in that network too, none of which could possibly be vulnerable to outside attacks, right? SSH? Check. DNS? Check. Web Server? Check. Telnet? Check. Wait, telnet? Seriously? Oh, and “1050/tcp open java or OTGfileshare”. Yes, I really want either java or an open file share running in my car. At least one person was able to get Firefox running on the console of their Tesla, [Correction: x-11 forwarding misconfiguration, not running on the Tesla] even if was flipped on its head for some odd reason. Any or all of these services running on the car’s internal network could have vulnerabilities that allow configuration change, remote code execution or even full root access to the system. Or maybe they just allow for the systems to be rebooted, not something you really want when your driving on the winding coastal roads of California. [I've been told it's just the displays that would be affected, none of the handling characteristics would change. Still disconcerting]
So now we’ve got two fairly egregious methods of connecting to your Tesla with minimal security standards. The first is remote and allows for control of doors, sunroofs, braking and suspension profiles. The last two should concern everyone. While there are probably physical controls in place to keep the profiles of brakes and suspension from getting too far outside of the range of acceptable usage, I wouldn’t be willing to bet on it, given the otherwise lax security measures on the remote controls for the car. The second method of connecting to the Tesla does require physical access, but it sounds like this is built for the engineers and technicians who work on Teslas [Correction: The connection only allows for access to the entertainment system and there is an airgap between that and the CANBUS systems. However, I don't trust airgaps], and is likely to allow much greater control of the car and the various parameters of its design. Even less technologically advanced cars have the ability to make fairly advanced modification of the functioning of a car once you have access to the software, so Tesla probably has extremely advanced configuration capabilities. Meaning everything from how the car charges when plugged in to what shows up on the dash as you’re driving to manipulating acceleration and braking are within the realm of possibility.
As the Internet of Things becomes our daily reality, this sort of lax security on something as potentially deadly as an automobile is inexcusable. It wouldn’t take much of a tweak to the normal operation of a car to make it uncontrollable in the wrong situation. We haven’t seen anyone killed by having their car hacked yet, but it’s only a matter of time if companies aren’t willing to take the time to properly secure the systems that go into making the car run. While it’s important in the current marketing environment to make every device as configurable from you phone as possible, there have to be sufficient controls in place to make that configurability safe and secure as well. Yes, it might mean that you, Tesla, have to make your users go through two or three more steps in order to set up their systems for control, but it’s worth the effort. After all, who will be liable, who will be in the courts for years when the first person claims that their car was hacked, which is what caused the accident? Even if having a car hacked isn’t the cause of an accident, it can’t be too long before someone uses that as their defense and still costs the company millions in legal defense.
Let’s end this with a little thought experiment. The four pin connector in the Tesla has a full TCP stack and runs on a known set of IP’s, 192.168.90.100-102. Say I grabbed a Teensy 3.1, with built in wi-fi capabilities, and added an ethernet shield. With the current arduino libraries, I can create a wi-fi receiver that takes my traffic and routes it to the wired network, which just happens to have an accessible network inside the Tesla. Now I have a device that’s a small portal directly into your car that I can connect to from several hundred feet away, farther if I want to make myself a high gain pringles can yagi antenna. We’re not talking high technology spy gear, we’re talking about a weekend project I could do with my kids that would result in a package no bigger than a pack of cards. I could put this in the glove box with a single cable leading to the car’s ethernet port. Anything a Tesla engineer could control on the car, I could control remotely. Suddenly I have the biggest remote control car on the block, which just happens to be the Tesla you’re sitting in.
This is why we have to secure the Internet of things. If I can imagine it, you better believe there’s already someone else out there working on it.
* Hacker == someone who makes technology do things the engineers who designed it didn’t intend it to do.
Added, 9:15 GMT: So I got some feedback very quickly after posting this. And I admit a lot of what I’m saying here is based on guesswork, assumptions and third party statements. It’s my blog, I get to do that. Both Beau and the Kos have a lot more to say about why many of my assumptions are wrong. And they probably know more about cars than I do. So teach me. There will be follow up.
Thanks to @chriseng for basic spell checking. I do indeed know the difference between ‘break’ and ‘brake’, just not before breakfast.
@beauwoods: “Infotainment network and CANBUS are separate. The other issue is the equivalent threat model of a big rock to a window.” In other words, there’s a very real airgap between the two systems and it’d be impossible to control one from the other.
@theKos called my statement about the password limitations silly, stated that running Firefox on the system was a x-forward misconfiguration, that rebooting the displays won’t affect the running of the car, and that all products have vulnerabilities. I really have to challenge the last statement as a fallacy: knowing that all products have vulnerabilities doesn’t make them more acceptable in any way.