Tesla Model S Hacking Prize Claimed 59
savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company.
"[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app.
Not how this is supposed to work... (Score:4, Interesting)
So it could be a hoax, but more likely they're black-hatting in public view.
Re: (Score:2)
The hell you say! O_O
Re:Not how this is supposed to work... (Score:5, Funny)
Only if they don't tell Tesla. In fact until they tell Tesla and give them some time to get a fix, they probably shouldn't tell the general public.
Oh my fucking God!
Do you mean to tell me that someone might be able to gain control of a car now!
Those Fuckers at Tesla will cause the downfall of civilization!
We have had cars for well over a hundred years now, and it looks like Tesla is the only company that has cars that can be stolen!. Shit! First fires, now stolen vehicles.This electrical car thing isn't going to work at all.
Umm, Thanks, Obama!
Re: (Score:2)
Re: (Score:2)
people have been getting carjacked for some time, but it would suck if all tesla cars across the nation were carjacked at 70mPH on the freeway
Don't read the news? The Internetz is a-coming to all cars, not just the evil spawn of Satan Teslas. Perhaps the Internal combustion cars will be immune?
You know, this was a way for Tesla to improve their vehicles. They have a slightly different paradigm. Find the problem, and fix it. Somewhat Different than GM's approach to their deadly ignition switch problem.
http://www.nytimes.com/2014/06... [nytimes.com]
But hey - it was an internal combustion engine, so it's just fine - right?
This isn't aimed specifically a
Re: (Score:1)
Because no bridges collapse anywhere else...
http://en.wikipedia.org/wiki/I... [wikipedia.org]
http://en.wikipedia.org/wiki/L... [wikipedia.org]
I count 16 bridge collapses on that list alone in the US since 2000.
Re: (Score:2)
Or a 6-digit pin only has one million combinations to try so they just brute forced it.
Re: Not how this is supposed to work... (Score:1)
So (Score:2)
Re:So (Score:4, Interesting)
Basically they guessed the password to gain control of the accessories you can operate with an android app? Some hacking job there, lol.
If that is what they did (and we don't know that) then that is a security flaw. Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.
Re: (Score:2)
PIN probably shouldnt be stored in the car, store a salted hash.
By the way, my old 91 Camaro used to have a start "security feature", where they had a basic resistor embedded in the ignition key. If the resistance was off or didnt start and blocked further tries after 3 attempts or something for 15 minutes.
Awesome when the contacts got slightly oxidized : )
Re:So (Score:4, Insightful)
Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.
At which point, anyone in the world could very very easily DOS your car.
There are ways around that, but the naive and very very common implementation you describe is trivial to DOS. I'd hope that the users key could still get them in and get an override, but the app should use much stronger auth to avoid DOS issues (ex. challenge response with something that requires largish compute time for the client in order to register and calculate a very large shared key - ie. this would be a one time registration per client app; then use the lock out on a per-registered-client basis; thus is would be costly to generate more client ids, and the lock out would make each only worth a few bad tries before forcing re-handshake). PIN would still be used on top of that (adds another factor, and something easily set/changed on the car side).
Re: (Score:3)
At which point, anyone in the world could very very easily DOS your car.
Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.
Re: (Score:2)
At which point, anyone in the world could very very easily DOS your car.
Nope. The car should only accept PIN attempts from pre-registered devices. So in order to DOS your car, the DOSer would have to first steal your cell phone.
Which is basically what I described immediately following that. As long as the registration is something that is not trivial to spam (thus my suggestion for a challenge response akin to DH), then that'd do fine.
But what is the protocol on the wire? One doesn't *have* to go through the app. If the protocol only has a pin in it, then it doesn't matter what app requirements they make. The client must be uniquely and securely identifiable before that 3 strikes and your locked out stuff goes into place, and it h
Re: (Score:2)
That could be done with a jammer, no amount of fancy security would stop that... except you know, a car door key.
Re: (Score:1)
They can't even steal it because they have access to the doors and sunroof and despite being able to enter it they can't use the ignition. Unless they can also change the PIN all they can do is to annoy people.
I'm certainly relieved that they couldn't use the ignition: imagine the mayhem the hackers could cause if they figured out how to ignite those batteries!
Re: (Score:2)
Do Tesla's have keys? I think it would be pretty awesome to back up the security with a physical item. So, when you lock your car after too many failures, the smart-phone remote access is just completely disabled until you use the physical key to unlock the door.
I suppose you could do the same thing with the key-fob and it wouldn't be any less secure than the key-fob already is.
That would be quite strong defense against brute forcing the PIN, and I don't think it would be that annoying since....how ofte
Re: (Score:1)
Yes, it has a "key fob" to allow anyone to steal your car as long as you are in range with the fob when they drive off (for example if you are standing next to the car). When they get out of range, the car will complain about the missing fob but will still continue to drive until you turn it off (or run out of battery). But you can use the remote control on your phone to honk the horn, lower the windows etcetera while they are driving, hopefully attracting attention to them.
(Note: this is how it worked a wh
Re: (Score:2)
I'll be so dangerous driving down the road with my headlights flashing, wipers on, sunroof open and doors locked!
Now, if they could do the turn signals, they would really have something there.
Six digits? (Score:2)
Six digits? What is this, the mid-1980's?
Remote controlled cars (Score:1)
Not hacking (Score:1)
So by "hacking" they mean brute forced a weak pin. Lame.
Re: (Score:2)
Yeah, hacking. You know, that thing you do to underbrush with a machete. And about that subtle from the sounds of it.
China Helps China (Score:1)
Simply put this was faked. The only thing this does it market and promote china and Chinese companies. I wouldn't be surprised if the same people where in control of both groups, or knew each other very well.
Poor password selection (Score:2)
This "hack" sounds like they brute forced a weak password on the service that that provides access to the Model S mobile apps. That password is shared with the "My Tesla" owner's website. It is possible to set that password to a far longer and complex password, certainly far longer than 6 characters. I suspect this contest was rigged and someone set the password to "111111" or something like that.
The car itself talks to Tesla using an OpenVPN session over 3G or Wifi.
Re: (Score:2)
Yes, thank you for correcting the inaccuracies. There is no "PIN" for accessing a Tesla. There is a password, with complexity requirements.
You cannot honk the horn or control the windows from the app while the car is moving.
The "hack" was likely a set-up. Could potentially be done with a MitM/replay attack, but that would still lead me to believe it was a set-up.