How a White-Hat Hacker Once Gained Control of Tesla's Entire Fleet (electrek.co)
"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).
Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.
Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla's fleet.
All he needed was a vehicle's VIN number, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.
Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Tesla gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."
Electrek calls it "a good example of the importance of whitehat hackers."
Elon Musk is moving the world to a better place. (Score:4, Interesting)
2 of Elon Musk's ongoing contributions:
1) Helping the human race eliminate the very expensive gasoline cars and replace them with cars with electric motors that require FAR less maintenance. There will be far less pollution, and less global warming due to the burning of fuel.
2) Musk's Internet satellites will give Internet access to poor people. Many people live in areas that don't have libraries. Internet access provides access to information that helps allow people to train themselves out of poverty.
Re: (Score:3)
Do you have any evidence of this? There are a lot of complaints about Summon picking stupid routes on the Tesla forums. Same for the sat nav.
Re:Elon Musk is moving the world to a better place (Score:5, Interesting)
He didn't have to make the cars all connected to the mothership just to make them electric though. And not just connected but able to be remotely controlled. The summon feature could have used Bluetooth, which would also ensure the driver is near enough to keep an eye on it.
Re: (Score:2, Informative)
He didn't have to make the cars all connected to the mothership just to make them electric though. And not just connected but able to be remotely controlled.
With all the people, companies, and interest groups actively attempting to destroy Tesla for their own gains, I would argue at least your first point.
There have been many dozens of attempted lawsuits trying to blame Tesla for what had been driver error or intentional driver actions, and the telemetry was the primary reason those suits were all dismissed.
As for remote summon, I'll agree with that.
OTA firmware/software updates however I still think are a good thing in general, but the line between the two get
Re:Elon Musk is moving the world to a better place (Score:4, Informative)
It's also important to describe what's being talked about here: what he got access to control of was the Tesla API [teslaapi.io] (indeed, any company who has an app has some sort of API - open or closed). The API is what the Tesla App uses to communicate (indirectly, via Tesla) with the vehicle and send commands / receive data - anything you can do with the app . Third parties also write various tools for automated functions or third party apps for owners. Authentication requires an access token. He apparently was either able to get access tokens or bypass the need for them (e.g. issuing them direct from the Mothership).
It's important to note however that while he could run any API command, he obviously can't do anything that's not in the app. E.g., there's no API command for "swerve into a barrier" or whatnot; it's just basic app functionality. It didn't give him access to, say, send out new corrupted versions of firmware (which users, BTW, have to choose to install, and not-yet-installed updates can be recalled if Tesla became aware of an attack - plus, it takes time to dispatch and receive updates, given their size). With regards to Smart Summon, just like the app, you're limited to areas within 60 meters (US) / 6 meters (EU) of the vehicle, and it will refuse to drive on public roads.
That said, he sure could have pranked the hell out of people, stolen location data, or done things useful for thieves. Owners could have responded, if their vehicle started experiencing unwanted API commands, by disabling app access (Controls -> Safety and Security).
Still quite a serious breach - but not as much as "Gained Control of Tesla's Entire Fleet" makes it sound.
Musk's response to questions about the cybersecurity back in 2017:
To be fair, this was a fleet-wide hack. But only an API hack. That however doesn't change the fact that in this era of increasing vehicle connectivity, fleet-wide vehicle hacks remain a serious concern, and it's a small-but-extant risk that anyone who wants to have app, update, or real-time data access must take.
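The summary says the Mothership bug let a request "authenticate as if it was coming from any car in Tesla's fleet" given only a VIN, and the comment above explains that the API sits behind access tokens that the flaw let him obtain or bypass. The class of weakness both passages describe is a backend that treats a public identifier as proof of identity. The following is an added, constructed Python model of that class and of the usual fix (a challenge-response bound to a per-vehicle secret); it is not Tesla's code and says nothing about how Mothership actually worked. The fleet registry, the VINs, the keys and the token format are all made up for the demonstration.

```python
"""Constructed model (not Tesla's code): why a vehicle's authentication to its
fleet backend must rest on a per-vehicle secret rather than on the VIN.

A VIN is printed on the windscreen and stored in fleet databases, so any
backend that grants a vehicle-scoped token on a VIN claim alone lets whoever
can look up VINs act as any car.  The hardened path below issues a one-shot
nonce and accepts only an HMAC over (VIN, nonce) under that car's secret.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Constructed fleet registry: VIN -> secret provisioned into the car at build time.
# A real deployment would hold these in an HSM/KMS; plain bytes keep the demo offline.
FLEET_SECRETS: Dict[str, bytes] = {
    "EXAMPLEVIN0000001": secrets.token_bytes(32),
    "EXAMPLEVIN0000002": secrets.token_bytes(32),
}

TOKEN_TTL_SECONDS = 300


def weak_vehicle_login(claimed_vin: str) -> Optional[dict]:
    """Model of the weakness: the VIN claim itself is accepted as identity."""
    if claimed_vin not in FLEET_SECRETS:
        return None
    return {"vin": claimed_vin, "scope": "vehicle", "exp": time.time() + TOKEN_TTL_SECONDS}


def _mac(secret: bytes, vin: str, nonce: bytes) -> bytes:
    """HMAC over a fixed-label message that binds VIN and nonce together, so a
    valid response cannot be replayed for another car or another session."""
    msg = b"vehicle-auth|" + vin.encode("ascii") + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def vehicle_compute_response(vin: str, vehicle_secret: bytes, nonce: bytes) -> bytes:
    """What the car computes on its side; it needs the secret, not just the VIN."""
    return _mac(vehicle_secret, vin, nonce)


class VehicleAuthenticator:
    """Hardened backend: challenge-response against the per-vehicle secret."""

    def __init__(self, fleet_secrets: Dict[str, bytes]):
        self._secrets = fleet_secrets
        self._pending: Dict[str, bytes] = {}   # vin -> outstanding one-shot nonce
        self.audit_log: List[str] = []         # failures, for detection/alerting

    def issue_challenge(self, vin: str) -> Optional[bytes]:
        if vin not in self._secrets:
            self.audit_log.append(f"challenge requested for unknown vin={vin}")
            return None
        nonce = secrets.token_bytes(16)
        self._pending[vin] = nonce
        return nonce

    def verify(self, vin: str, response: bytes) -> Optional[dict]:
        nonce = self._pending.pop(vin, None)   # consumed on first use: no replay
        secret = self._secrets.get(vin)
        if nonce is None or secret is None:
            self.audit_log.append(f"no outstanding challenge for vin={vin}")
            return None
        expected = _mac(secret, vin, nonce)
        if not hmac.compare_digest(expected, response):   # constant-time compare
            self.audit_log.append(f"bad challenge response for vin={vin}")
            return None
        return {"vin": vin, "scope": "vehicle", "exp": time.time() + TOKEN_TTL_SECONDS}


def demo() -> tuple:
    """Returns (weak_grants_on_vin_alone, hardened_rejects_vin_alone, hardened_accepts_real_car)."""
    target = "EXAMPLEVIN0000002"
    weak_ok = weak_vehicle_login(target) is not None

    auth = VehicleAuthenticator(FLEET_SECRETS)
    # A party that knows only the VIN cannot compute the MAC; model it with a guess.
    nonce = auth.issue_challenge(target)
    guessed = hashlib.sha256(target.encode("ascii") + nonce).digest()
    impostor_ok = auth.verify(target, guessed) is not None

    # The real car answers a fresh challenge with its provisioned secret.
    nonce = auth.issue_challenge(target)
    real = vehicle_compute_response(target, FLEET_SECRETS[target], nonce)
    car_ok = auth.verify(target, real) is not None
    return weak_ok, not impostor_ok, car_ok


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

The audit log is the detection hook: a burst of "bad challenge response" entries spread across many VINs from one client is exactly the signal a fleet backend should alert on, and it is unavailable to a design that never challenges the caller in the first place.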
diagnostic information needs to be open to owner o (Score:3)
Diagnostic information needs to be open to the owner of the car, and dealer / manufacturer remote tools need to be open to any repair shop / self repair.
Re: (Score:2)
Sure, but one of the big things they're working on is automated driving, and they need to update the capacities of their cars often. They also need to collect a lot of data to help develop the technology.
A lot of Tesla owners love the fact that a few times a year they go and start their car up and it suddenly has new tricks it can do. This is possible because of this connection back to the company.
We get it that you're rabidly anti-Tesla, but a lot of people want these things. They want to be part of the it
Re: (Score:1)
My problem is that when Tesla randomly changes the behaviour of their cars a certain percentage of owners get into accidents. I don't want to be in an accident caused by Tesla beta testing their software with unvetted, random owners on public roads.
Re: (Score:2)
That's what you worry about?
Lol. Sounds well worth hundreds of ranting anti-Tesla posts on the internet. I'm sure those have solved the problem once and for all.
Re: (Score:2)
He didn't have to make the cars all connected to the mothership just to make them electric though.
No, but he did have to have them all connect to some central repository to accept OTA updates. And he did have to have them all connect in order to retrieve self-driving training data for the purpose of someday achieving FSD (which I still think will take LIDAR to do correctly, but that's a separate discussion.)
Re: (Score:1, Insightful)
Helping the human race eliminate the very expensive gasoline cars
I'm assuming your implication is reducing the sunk costs of the fossil fuel industry, not the actual end-user pricing of gasoline cars. Or, maybe you're one of those folks who would never consider driving around in something like a Hyundai Accent, Mitsubishi Mirage, or Nissan Versa, so you pretend they don't exist?
Musk's Internet satellites will give Internet access to poor people.
You know the saying: when the only tool you have is a hammer...
It's not far off from believing you could solve world hunger by giving every person on Earth a fridge.
This is why all wireless needs an 'OFF' switch (Score:5, Insightful)
Vehicle owners need the ability to secure their vehicles themselves with a switch that completely disables the wireless transceivers in the vehicle, isolating it.
Re: (Score:3)
This is the flaw in connected vehicles. Until you can show all the software and hardware running in the background is absolutely secure, you are opening yourself up for all manner of shenanigans. It only takes one flaw, one opening, to wreak havoc.
Imagine if this guy never told anyone about this and decided to use it to his advantage. For all we know, there is something worse out there which someone knows about and is waiting for the opportunity to exploit it.
Re: (Score:3)
Sorry, I WANT LEO to be able to stop my stolen vehicle before the thieves can damage it.
This is because you live in (or you believe you live in) a country that the government or the rich and powerful won't be the thieves themselves. Remote controlled "car accident" is a valid threat.
Re: (Score:2)
Do any of you really think that there is ever going to be any such thing as 'secure' when it comes to this? No. Not ever.
That's massively pessimistic. Someday we'll figure it out. We'll simplify the protocols. We can make it safe. The world has only been dealing with computer hackers for about 50 years. How shitty were airplanes for the first 50 years? Guaranteed the squeamish society of today would have banned airplanes within 5 years, let alone 50, by foolishly saying there was no way to make it safe. Hell even the 1950's Boeing 707 and DC-8 airplanes were death traps by today's standards -- did we ban airplanes? 1 out
No, this is not a success for "white hats" (Score:2, Interesting)
The $50,000 bug bounty awarded here is not a bug bounty. It was an incentive for future criminals to confess rather than do damage. This was not a single exploit that was found. This was someone who went layer after layer in. This wasn't a white hat, this was someone who realized that the kind of access he ultimately got could only be used for a single prank, once, and was not otherwise monetizable. A white hat would have reported the initial breach.
Crime does pay.
Re: (Score:3, Informative)
Using it once is all he needs.
1. Take a big short position in Tesla stock.
2. Send out an "update" that bricks Tesla cars everywhere, which would end Tesla as a profitable enterprise.
3. Profit!
If the hacker only got $50K he was robbed.
Re: (Score:2)
No, he probably didn't have enough liquid cash to buy enough stock to make it worthwhile. Tesla is like $500 a share. If you think it will drop $10 because of your actions, you need to short $2.5m worth of stock for that plan to break even. Not a lot of people have that sort of liquidity and balls to attempt it. Far fewer have multiples of that to really cash in.
Unless you start rich, fucking with the stock market is not within your grasp. Snagging a bug bounty which will be 1/3 to 1x your salary is.
Re: (Score:2)
The $50,000 bug bounty awarded here is not a bug bounty. It was an incentive for future criminals to confess rather than do damage.
That's what a bug bounty is! Literally!
This was not a single exploit that was found. This was someone who went layer after layer in.
So what you're saying is that for one bounty payment, they found out about in-depth vulnerabilities in their platform. Which is to say, the bug bounty program is working spectacularly well. I'm not seeing the problem here.
THATS how it's done (Score:5, Insightful)
Note what Tesla didn't do: ignore it, sweep it under the carpet, hit him with a cease and desist, report him to the FBI and press charges, or take him to court. In other words, your playbook.
And you other companies wonder why Tesla's stock is through the roof while yours is trading at a 0.3 P/E ratio. Musk is nutty, but (most of the time) he's got a pretty good internal compass. People recognize that.
Only $5,000 for that? (Score:3, Insightful)
That seems like a serious vulnerability. Only $5,000? Come on Elon, you cheap son of a bitch! (As if he's personally in control of the bug bounty program).
Re: Only $5,000 for that? (Score:2)
No. It was $50k, says the summary.
Be afraid. Be very afraid. (Score:2)
All of DJI's drones require the system to at a minimum contact DJI's servers via an internet connection before it will let you launch, even if it's just to find out whether there are any software updates or not. The problem with this is that in the use-case of public safety search & rescue, you may not have internet access where you need to fly. If this happens, the entire product is borked until you do have internet access.
To most people, this would be an inconvenience or a case of STBY. But when someon
Re: (Score:2)
As a practical example, they will spend tens of thousands of dollars on the UAV, and the backend network/server infrastructure to support the thing. It becomes just something which needs to be managed, and the bureaucracy of the thing grows just a little more.
Mothership says you must use att at $20 meg roamin (Score:2)
Mothership says you must use att at $20 meg roaming if you don't buy the Canadian data plan.
Mothership says non dealer work done must report t (Score:2)
Mothership says non dealer work done must report to dealer via tow or service visit for an check.
Re: Department of Redundancy Department (Score:5, Informative)
The guy reported 1 bug, got 5k. Thought hey, I found one, can probably find more. Found more, figured out they could do serious mischief, and told Tesla. Tesla gave him an additional 50k for the new batch of bugs, for a grand total of 55k. They paid out 2 separate times, which is completely clear from the summary.
Re: (Score:2)
All he needed was a vehicle's VIN number
You beat me to it, but left out it should be the VVINN, for short. Now excuse me, I have to go to the Automatic ATM Machine to pay for my test for Human HIV Virus to see if I have the Acquired AIDS Syndrome.
With VW that couldn't have happened (Score:2)
Their electric cars have to go to the VW garage to get updated and the new ones don't even recognize your cellphone until some time in a blue moon.
Such a deal! (Score:2)
Telsa gave him a special $50,000 bug report reward
That's probably less than they would have paid him working as a software engineer during the same period.