Chinese Hackers Take Command Of Tesla Model S

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
First it was the story about the stolen Tesla that split in half and ended up wedged in a building. Then the company settled its first lemon law case a few days ago. Now we just found out that your Model S can be hacked. Tesla is having a bad week. :(

The hackers were attempting to win $10,000 in prize money at a kick-off event during the SyScan +360 security conference, which is co-sponsored by Qihoo. They were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S' mobile app.
 
So which app do I need to download to make it burst into flames? Oh wait, they do that automatically. :p
 
Sometimes... However, cracking a 6 digit code for a mobile app, in order to control windshield wipers and horn is HARDLY a hack at all.

Ok, that was a bit of a selective response. It was just funny to me that they bothered to mention those at all. The door locks though, could be problematic.
 
So they didn't actually hack it then.

In fact they didn't hack anything.

They just guess a passcode on a guys phone and used the app he set up.
 
dunno..."hacked" is a strong word...especially since the details are lacking and it may require some form of intervention by the owner (aka clicking a suspicious link, etc.)

At least according to comments made by Chris Valasek, director of security Intelligence for IOActive:
https://twitter.com/nudehaberdasher/status/489836566836436993

In a way, it reminds me of those "Pwn2Own" contents where it's not really hacking...but exploiting since it usually requires the target to run something.
 
I am actually happy that this sort of things get covered, cause public awareness is beneficial.
 
Would anyone be upset if I suggested a law all members of the federal government be required to drive a Tesla?
 
Would anyone be upset if I suggested a law all members of the federal government be required to drive a Tesla?

That would be a lot of teslas and what exactly has the federal gov done to warrant such a perk? I'd make them drive whatever the latest ***box subcompact ford/chevy put out next.
 
So, they exploited the mobile app used to remotely control the vehicle. This isn't new, and my Jeep can be unlocked and remote started with a mobile app. In fact a friend of ours JUST had their car stolen in that exact same manner. Their Jeep was found gutted 100 miles away.

Let's not forget how easy it is to steal luxery cars that use electronic key fobs.

Truth is most car manufacturers don't secure their vehicles to attack...yet.
 
dunno..."hacked" is a strong word...especially since the details are lacking and it may require some form of intervention by the owner (aka clicking a suspicious link, etc.)

At least according to comments made by Chris Valasek, director of security Intelligence for IOActive:
https://twitter.com/nudehaberdasher/status/489836566836436993

In a way, it reminds me of those "Pwn2Own" contents where it's not really hacking...but exploiting since it usually requires the target to run something.

Huh? Virtually all malware requires you to do something. Maybe it's got a specific site or maybe it's running some software that you got somewhere or sticking your floppy disk in the computer of someone who ran that software, which sticks it's thing on your computer, because you did something.
 
If all that stands between a crook and my 80k car is a 6 digit code, Tesla needs to improve their PW system.
 
So they didn't actually hack it then.

In fact they didn't hack anything.

They just guess a passcode on a guys phone and used the app he set up.

Wow, what an easy way to make $10,000!!!

I need to join next year ;)
 
That would be a lot of teslas and what exactly has the federal gov done to warrant such a perk? I'd make them drive whatever the latest ***box subcompact ford/chevy put out next.

Well, after a full hack gets developed, we could show our congressman exactly how we feel about them by reinacting the 110mph car chase where the car got split in half with them in it.:D
 
The bottom line is that if you have to steal someones smartphone, or keys, or physically break into their car, home, or computer in order to "hack" it you haven't really "hacked" the car.
 
My neighbor's house got hacked last week. They through a brick through the front window and stole his wife's jewelry.
 
Does this mean soon I will be able to hire a Chinese child to drive me to and from work for 25 cents per day?
 
You can laugh all you want about the Chinese doing this, but they do try some serious hacks 24/7.
If any of you are running a firewall with any kind of logging, check out some of the IP addresses hitting port 22; about 90% of them are from an ISP in China.
 
So, they exploited the mobile app used to remotely control the vehicle. This isn't new, and my Jeep can be unlocked and remote started with a mobile app. In fact a friend of ours JUST had their car stolen in that exact same manner. Their Jeep was found gutted 100 miles away.

Let's not forget how easy it is to steal luxery cars that use electronic key fobs.

Truth is most car manufacturers don't secure their vehicles to attack...yet.
Because most require physical access to the OBDII port or controller which is protected by a door lock.
 
Steve, I wouldn't call it a bad week because of this, this is essentially the same story as "Tesla Model S Prone To Hacking?" from 3/31/14.....It's already been widely publicized that this is possible so I don't get why the media is acting like this is something entirely new to cast in a negative light.
nilepez said:
If all that stands between a crook and my 80k car is a 6 digit code, Tesla needs to improve their PW system.

It doesn't have to be, that's only the default and you can change the default to "correct horse battery staple" if you wish....Actually, in response to the March story, they upped the minimum length to 8 and put restrictions on the number of incorrect attempts to thwart this.

All the app controls is unlocking your doors, adjust climate control, sunroof venting, and you can honk the horn or flash the lights. That's it! Aside from these abilities, it is just like any other Web-accessible user account break-in. The fob has not been hacked, which is needed to drive the car, and is what I think should be implied with the word "hack"....To do this in the real world you would need to know beforehand the user account and email of the owner whose car you wanted to mess with. For all we know, the Chinese could have sent out a phish email and someone was dumb enough to respond ("This is Tesla Motors. In order to deploy necessary updates to your vehicle, we require your Tesla mobile account PIN so that they may be applied accurately without delay. Thank you for choosing Tesla Motors.") As was said earlier, a brick through the window would be far easier.
 
My neighbor's house got hacked last week. They through a brick through the front window and stole his wife's jewelry.

That's not a tool! That's a damned brick!!!

Sorry, that totally sucks your neighbors got robbed.
 
You can laugh all you want about the Chinese doing this, but they do try some serious hacks 24/7.
If any of you are running a firewall with any kind of logging, check out some of the IP addresses hitting port 22; about 90% of them are from an ISP in China.


Port scans for known ports/exploits isn't hacking either. They try default credentials, then move on. No real skill/hacking involved.

But yes, I constantly have to block large subnets because I do see that kind of traffic all the time from China. I also see from Ukraine/Russia/Iran and a few other countries, but like 75% of them are from China.
 
You can laugh all you want about the Chinese doing this, but they do try some serious hacks 24/7.
If any of you are running a firewall with any kind of logging, check out some of the IP addresses hitting port 22; about 90% of them are from an ISP in China.

I used to get quite a bit of this from Egypt actually. They'd try to get in through the Asterisk server at one of my old jobs from time to time. I don't know what they thought they'd accomplish hacking a PBX for a smallish company, but...

Always just null routed them and moved on...
 
Back
Top