Tesla Model S Ethernet Network Explored (opens in new tab)

Sadly, the segregation between CAN buses is not nearly as good as you would think. ONSTAR, for example, sits on the drive critical bus (and is exploitable). Of course, this is not on a Tesla, but still.

http://www.autosec.org/pubs/cars-usenixsec2011.pdf

Thank you for pointing this out. A few additional notes on the way most modern car electronics work:

1) The entertainment system generally has read-only access to the CAN bus via an intermediary DCU. Even if you were able to "jailbreak" it, you wouldn't be able to modify the CAN.

2) The control unit(s) that actually have the ability to modify things like brakes, maximum speed settings, etc. are ECUs (http://en.wikipedia.org/wiki/Electronic_control_unit) and are entirely separate from the entertainment system.

3) Updates to vehicle-critical systems generally never even go through the entertainment system. They are sent over the air to the car's receiver (usually a kind of DCU), and are processed outside the purview of the entertainment system. The only thing the entertainment system can do is schedule the download and read the progress of the update.

It's interesting to see that Ethernet is used to connect the infotainment displays, but this isn't really a security concern as far as I can see. It just means we'll probably see some mods for the displays in the future, like turning off the YouTube lockout or enabling different data displays.

> I am very amused that people in this thread assume that this ethernet port allows tinkering with the automotive systems.

I'm still surprised people think like this. We had 60+ years of technology hacking to learn that if it is not airgapped, it can be hacked. And even if it is, it probably still can be (cf. Stuxnet). So while I doubt Tesla is using Ethernet to control critical car systems, I also don't think that they can't be tinkered with using that port if someone cares hard enough to try.

I'm not expert on this, but I'm pretty sure the IT guys in our Formula Student Team use a Ethernet cable to connect their laptop to the Autobox and then the Box runs the CAN signals.

http://www.dspace.com/de/gmb/home/products/newprod/microauto... (Table: Host-Interface = Ethernet)

I guess the point is that signed binaries aren't full proof. Look at how jail breakers have been able to continually defeat the iOS security controls over the years. And surely Apple has a larger and more experienced development team than Tesla.

Just a note, automotive Ethernet PHYs exist [1] and there is some interest in real-time Ethernet applications (piggy-backing on an original audio use case, AVB) [2].

[1] http://www.broadcom.com/products/Physical-Layer/BroadR-Reach... [2] http://www.eetimes.com/document.asp?doc_id=1315425

That was my first fear, actually. Reading the headline, cold chill "They can't have been stupid enough to build the Tesla with Ethernet instead of CAN bus, right?"

You can be disappointed - you can unlock the vehicle from your app, thus 0wning/jailbreaking that box will give you CAN-bus access.

Super interesting. There was this hack from a few months ago that involved messing with items on the CAN bus. I think they get into more of the details;

https://www.youtube.com/watch?v=oqe6S6m73Zw

What about cars where you can enable/disable features like traction control and auto-break from the entertainment system? They must have some sort of connection, and that connection probably has bugs that could be exploited.

No way is the drive control software is running linux, its almost certainly running on its own embedded system.

You started with jailbreaking then transitioned to malicious software update - aren't those two different things? While it's possible that bad software would cause dangerous problems with the car, it's also possible that a bad repair job or bad part will as well. Yet we allow unlicensed mechanics, like the owner of the car, to do things like replace the brakes.

While you may not be comfortable jailbreaking your own car, you might also not be comfortable replacing your own brakes? Do you think my replacing the brakes of my own car would also be sketchy? I am a better programmer than I am a car mechanic. Also, after-market mods which reprogram the engine have been around for a while, so it's not like people do things like this already.

Now... imagine you have a low tech car facing an attacker armed with a pair of side cutters.

First, locate the hood, second, use the release to pop it. Locate the master cylinder, and the hose running to the engine, cut it. Now the brakes don't work very well. Locate the hose not running to the engine, cut that, now the brakes don't work at all.

Imagine that any person strong enough to operate side cutters can hack into your car and disable the brakes.

And that's a mighty hacker-unfriendly stance to take for a company whose client base is made up of a disproportionately large number of engineers and computer scientists, many of whom will doubtless be curious as to the inner workings of their car computer systems.

I mean, could you imagine if a car manufacturer took this attitude toward car owners who were exploring the car's transmission, which is clearly just as critical to the car's safety as the car computer system?

My view of Tesla just sank a notch (but I still want one).

Edit: Actually, I thought about it a bit, and I actually don't want one anymore if this is the attitude that prevails inside the company. For the same reason that I don't want any Apple products. I'm far from a Stallman acolyte, but I'll be damned if I'll buy from a company that wants to forbid me from hacking on hardware that I have purchased and own.

Poking around an unknown device's network and sending arbitrary commands to see how it responds could certainly very well damage something.

Moreover, it's my understanding that if there's any GPLv3 software on the Tesla, you have the right to receive installation instructions that allow you to install a modified version of that software on your Tesla. But Tesla is not required to honor the warranty of Teslas whose software has been modified.

I wonder if they ship coreutils?

If they don't modify gpl code but just configure existing software and add their own packages, do they still have to pub everything?

I could certainly see people modifying cotor controller settings. Changing hard RPM limits, or tuning PID controller gains for extra milliseconds on the track.

In Germany you have to get your car checked every two years by the "TÜV", if it passes you get a sticker for the license plate without which you are not allowed to drive the car.

Given how critical the software already is, I would be surprised if there isn't a system already in place, that car companies are required to put in, that can use to verify the software for any car.

Nice. A bit like Steam's verify game cache.

I tried reverse image searching the photo, but got nothing.

However, a simple YouTube search for the song name turned up a bunch of cover versions. This one matches the length shown (4:17): https://www.youtube.com/watch?v=tytPcvyJASc

The band, Simple Plan, also appears to have five members, which is pretty strong supporting evidence. Strangely, I couldn't find the exact image shown in the Tesla photo.

Agreed. There should be a large warning on the console: "Warning to passengers: The Vehicle Systems have been Compromised. Please do not ride in this vehicle. A Service tow truck has been dispatched."

Also, the car should not move.