So much stuff need to happen for two devices to interact securely that there's seems to be no chain of events that could make this possible.
Either the app goes through their servers and back to the car, which would make it impossible to unlock the wrong car, or through BLE, which would make it easy to verify through digital signatures that the other device is who they say.
The entire tech industry has a long history of security issues, bad practices, mismanagement of security critical resources (openssl,...), horrible hacks with security issues that where widely discussed beforehand (http tunneling), etc. . The only fake story I could see from a mile away would be "Company publishes flawless auth system, hackers forced to retire".
I think we'd have heard this story more than once if it was possible.
EDIT: I grant the possibilities outlined by the responders to my post... still, I'll put a little $$ on this getting clarified otherwise in the coming weeks -- but not any more than that, as I've lost a $ in this week's banking crisis.
As if there's no opportunity for defects anywhere in that mountain of abstractions...
> “After five, 10 minutes I got a text on my phone that said ‘Rajesh are you driving [a] Tesla,’” he explained to the outlet. Randev went on to say the person who messaged him told him he was driving the wrong car.
> When the two Tesla owners met up, the rightful owner of the car Randev was driving told him he’d found Randev’s phone number on a document inside Randev’s car.
Overall the original article linked by jalopnik is better written though.
I bought an old cargo van which had been a Comcast installation vehicle and they had sabotaged the lock on the rear door because of this.
Everything had worked fine in his testing, but once in production there was enough concurrency to make this change in caching behavior matter. One customer's web login would spuriously see another customer's content, it all seemed completely random.
A similar change (or rare bug) could easily result in one customer's boolean "yes they're allowed" reach another who should have received "no they're not". There's all sorts of opportunities in the backend to cross such streams, especially things that need to scale and do a lot of caching.
I sure hope that startup learned that dev testing is not sufficient!
They solved this by adding the little chip to the key, so that even if you could open the door, you couldn't start the car with the wrong key, because it would read the chip in the ignition barrel. My uncle was involved in the testing and got to drive a Corvette for a while because that was the first model they tried it on.
After 2 weeks he took it back to the rental place and the owner wouldn't accept it as it wasn't his moped - looked just the same to us, but he checked the engine number (there were no number plates on the island).
He didn't know what to do, but after a while of trying to figure out what to do, on a hunch drove back to the very first cafe we'd visited after hiring the bike, on the other side of the island.
There outside the cafe was 'his' moped - a little dusty, but unmoved - he parked the bike and told the owners of the cafe, and rode back on the 'correct' moped. I hate to think what happened to the person who's moped we'd taken, I don't think there was an option of insurance when he hired the bikes.
Had a lot of fun with that one. Not sure the owner of the Saturn would agree.
One of my keys because so dull it wouldn’t unlock the door anymore. We got a key off eBay and programmed it. The sequence to start the programming was pretty cool. It was something like turn the ignition key to specific places, press the brake a set number of times, and some other combos.
Here’s an example.
- Son, did you drove the Uno today?
- I did.
- And you filled up the tank, thanks!
- Nope, I didn't, no money for that.
- So, who did it?
- Mmm, was my bag in the car?
- Nope.
- Oops!
Both black. One a panamera (so?) 4, one a 4s. One with dealer plates (the one they ended up taking home..) , one with a custom plate.
So, after showing up to this persons house (through a golf course, up a winding top of the hill driveway), I knocked on his door and asked him the same question (after apologizing for the workers mistake).
"Oh, well, it was evening and the radio stations were programmed in the same, so I just didn't even think about it. In the morning I said "well, that's strange, usually they wash the car nicely before returning it -- then I realized it wasn't my car".
Guy was super down to earth about it, not a care at all and the exchange was very pleasant.
Point being: some people just really go with the flow, and even with 100k+ cars 20 years ago, sometimes just don't really pay attention to, well, much of anything. Bigger fish to fry, I guess.
I'll never forget the whole interaction, fully expecting a grumpy person and coming face to face with "eh, life!".
> all he’s gotten from the automaker is radio silence
So...where did the text come from? No indication that the police were involved in the article. How did the other Tesla owner get his cell number?
This story seems implausible to me.
> When the two Tesla owners met up, the rightful owner of the car Randev was driving told him he’d found Randev’s phone number on a document inside Randev’s car.
> Randev said the other Tesla driver told him he was able to get his number because he had printed out a document, which was in his car and it had his phone number on it.
Keep in mind that PayPal is basically in the same boat as systems like Venmo and Cash App (Zelle is a little different). They all have problems. Musk’s main contribution to PayPal was actually x.com. X.com got absorbed into PayPal and PayPal is somewhat different from Musk’s vision for x.com.
Peter Thiel came out with confinity, then 1 year later x.com launched. They for some reason merged. Musk wanted to keep the name x.com Jusk was fired before it became paypal.
Point being - perhaps ids can accidentally be reused or mis-entered into some system?
Everything worked there as expected. This other random car didn't open. The way these key pairing systems are built it wouldn't really make sense for it to open or start. Thats why to me this smells like BS.
