Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Transportation Security

Tesla Model S Hacking Prize Claimed 59

savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app.
This discussion has been archived. No new comments can be posted.

Tesla Model S Hacking Prize Claimed

Comments Filter:
  • by iluvcapra ( 782887 ) on Friday July 18, 2014 @04:19PM (#47485883)

    The security firm declined to reveal details at this point about how the hack was accomplished

    So it could be a hoax, but more likely they're black-hatting in public view.

  • by bswarm ( 2540294 )
    Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.
    • Re:So (Score:4, Interesting)

      by ShanghaiBill ( 739463 ) on Friday July 18, 2014 @04:52PM (#47486107)

      Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.

      If that is what they did (and we don't know that) then that is a security flaw. Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.

      • PIN probably shouldnt be stored in the car, store a salted hash.

        By the way, my old 91 Camaro used to have a start "security feature", where they had a basic resistor embedded in the ignition key. If the resistance was off or didnt start and blocked further tries after 3 attempts or something for 15 minutes.

        Awesome when the contacts got slightly oxidized : )

      • Re:So (Score:4, Insightful)

        by unrtst ( 777550 ) on Friday July 18, 2014 @05:12PM (#47486207)

        Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.

        At which point, anyone in the world could very very easily DOS your car.

        There are ways around that, but the naive and very very common implementation you describe is trivial to DOS. I'd hope that the users key could still get them in and get an override, but the app should use much stronger auth to avoid DOS issues (ex. challenge response with something that requires largish compute time for the client in order to register and calculate a very large shared key - ie. this would be a one time registration per client app; then use the lock out on a per-registered-client basis; thus is would be costly to generate more client ids, and the lock out would make each only worth a few bad tries before forcing re-handshake). PIN would still be used on top of that (adds another factor, and something easily set/changed on the car side).

        • At which point, anyone in the world could very very easily DOS your car.

          Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.

          • by unrtst ( 777550 )

            At which point, anyone in the world could very very easily DOS your car.

            Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.

            Which is basically what I described immediately following that. As long as the registration is something that is not trivial to spam (thus my suggestion for a challenge response akin to DH), then that'd do fine.

            But what is the protocol on the wire? One doesn't *have* to go through the app. If the protocol only has a pin in it, then it doesn't matter what app requirements they make. The client must be uniquely and securely identifiable before that 3 strikes and your locked out stuff goes into place, and it h

        • by MrL0G1C ( 867445 )

          At which point, anyone in the world could very very easily DOS your car.

          That could be done with a jammer, no amount of fancy security would stop that... except you know, a car door key.

      • Do Tesla's have keys? I think it would be pretty awesome to back up the security with a physical item. So, when you lock your car after too many failures, the smart-phone remote access is just completely disabled until you use the physical key to unlock the door.

        I suppose you could do the same thing with the key-fob and it wouldn't be any less secure than the key-fob already is.

        That would be quite strong defense against brute forcing the PIN, and I don't think it would be that annoying since....how ofte

        • Yes, it has a "key fob" to allow anyone to steal your car as long as you are in range with the fob when they drive off (for example if you are standing next to the car). When they get out of range, the car will complain about the missing fob but will still continue to drive until you turn it off (or run out of battery). But you can use the remote control on your phone to honk the horn, lower the windows etcetera while they are driving, hopefully attracting attention to them.

          (Note: this is how it worked a wh

    • by mspohr ( 589790 )

      I'll be so dangerous driving down the road with my headlights flashing, wipers on, sunroof open and doors locked!
      Now, if they could do the turn signals, they would really have something there.

  • Six digits? What is this, the mid-1980's?

  • And that is how we got remote controlled cars.
  • by Anonymous Coward

    So by "hacking" they mean brute forced a weak pin. Lame.

    • Yeah, hacking. You know, that thing you do to underbrush with a machete. And about that subtle from the sounds of it.

  • by Anonymous Coward

    Simply put this was faked. The only thing this does it market and promote china and Chinese companies. I wouldn't be surprised if the same people where in control of both groups, or knew each other very well.

  • This "hack" sounds like they brute forced a weak password on the service that that provides access to the Model S mobile apps. That password is shared with the "My Tesla" owner's website. It is possible to set that password to a far longer and complex password, certainly far longer than 6 characters. I suspect this contest was rigged and someone set the password to "111111" or something like that.

    The car itself talks to Tesla using an OpenVPN session over 3G or Wifi.

    • Yes, thank you for correcting the inaccuracies. There is no "PIN" for accessing a Tesla. There is a password, with complexity requirements.

      You cannot honk the horn or control the windows from the app while the car is moving.

      The "hack" was likely a set-up. Could potentially be done with a MitM/replay attack, but that would still lead me to believe it was a set-up.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...