by mitchellh 4455 days ago
The cool things: Tesla is running Linux (!) and standard technologies/protocols such as SSH, NFS, X11, HTTP, etc. to do things in the car. That is cool, and probably highly efficient since developer test labs can probably just be basic Ubuntu-like virtual machines.

The sketchy things: Jailbreaking a car seems pretty dangerous, especially since as far as I'm aware, the electronic systems control things including the brake. I know this only because Tesla recently released a software update that added "hill assist" which will hold the brake in place for 1 second when at a certain incline to avoid rolling back. Imagine a malicious software update that disabled the brake! Personally, I would jailbreak a phone, but not a car. :) HOPEFULLY the system the ethernet port provides access to is firewalled out of being able to update any software (i.e. the software update mechanism is some other device), but who knows.

The phone home can also be considered sketchy, but any Tesla owner is well aware the car pings home and relays diagnostic data to Tesla. At the very least, Tesla owners know it must ping home to check for updates periodically.

If anything, I thought it was kind of cool that Tesla engineers detected it and reached out so quickly. Imagine if you weren't tampering with your car and it WAS a high-tech attacker. It is good to know that they can detect the basics.


No way is the drive control software running Linux; it's almost certainly running on its own embedded system.
Absolutely, I agree, but the software update mechanism is somehow able to update or interface with that system. If you're able to jailbreak _that_, then it's one less barrier in the way of taking over the drive control.
I'm sure only signed updates are allowed. Same as with intel microcode updates and most firmwares. They'd be highly irresponsible if jailbreaking was left possible.
Nobody intends jailbreaks to be possible. It's done through exploiting bugs. And saying it'd be highly irresponsible to write a bug is like saying it'd be irresponsible to use the bathroom. It may stink, but everyone does it.
I'm aware these are just bugs, but there's a huge difference between iOS/Android (let's keep it fairly secure, if anyone breaks it we'll release a fix... maybe, no one really cares) and a car's system (probably at the level of: holy shit, this cannot run untrusted code, even if that means adding a trusted execution module that prevents booting if there's any unsigned byte present).
Sure, I agree, but what system checks the signature? A responsible engineering team would have a dedicated piece of hardware for that. For decent security, it would need to physically sit between the untrusted, internet-connected machine and the embedded hardware.

Not to mention that there must be some key floating around Tesla that can be used to completely reprogram any Model S from anywhere.

It's not the first time a company has needed to privately secure a key, but this time there's a lot more at stake. I wonder what the privacy success rate is for companies with highly-sought-after keys like that. Over a long period of time, the chance of a key leak has got to be pretty high.

> For decent security, it would need to physically sit between the untrusted, internet-connected machine and the embedded hardware.

TPM style solutions already exist. Keys burned into the chip + verification at boot should do most of the work.

> there must be some key floating around Tesla that can be used to completely reprogram any Model S from anywhere.

It could be something more interesting. A set of keys where signature requires N out of them? Even if there is some master key, they wouldn't keep it on a node connected to the network (one would hope...) Some hardware crypto-box maybe?

> Even if there is some master key, they wouldn't keep it on a node connected to the network (one would hope...) Some hardware crypto-box maybe?

I imagine Elon sending the only copy to space on one of the recent SpaceX launches, so that they can deorbit it when needed, but to steal it, you'd actually have to go up there and find it ;).

Jailbreaking is always possible, period. It's only matter of trying hard enough, and (un)fortunately, it's usually enough for one person to put the effort once, and then everybody can use the results.
Lots of systems are built to only allow signed updates, but bugs often allow bypassing that. If you can exploit the existing firmware, you can effectively load new ones. That's how iOS jailbreaks work despite Apple's attempt to only allow booting an Apple signed OS.
...which you can hack, as all car systems are connected by the CAN bus, and people already have exploited buffer overflows in car radios, in turn giving access to the CAN bus, and unlocking the vehicle.
You are correct.

According to the article, the car's network consists of three devices - the centre console, the dashboard, and one unknown device. There's no way that the whole car has only three computers.

My guess is that this ethernet network is only for the user interface. I'd also guess that the unknown device serves as a gateway (and, hopefully, a firewall) between the critical systems of the car and the car's UI.

Firewall? The CAN bus interfacing with the core vehicle components assumes no access controls or anything. Any device connected to it is inherently trustable, no questions asked.
I think the commenter you replied to was inferring that the whole CAN bus was not accessible via the Ethernet network.
Get ssh access to the box connected to the CAN bus and boom, you have access.

There must be at least one of those connected because Tesla is able to remote-unlock your vehicle.

There are usually discrete CAN bus firewalls that sit between controllers that are explicitly programmable, and the bus. They might be ASICs, microcontrollers or FPGAs, but there's no way into them from the network. The only attack vector onto the bus is to stab the car with a sharp knife until you have the PCB in your hands, at which point you have owned the car anyway.
Unless someone re-wrote the kernel to be MISRA-compliant...

MISRA Compliance...Coming soon in Ubuntu 149.04 Zany Zealot!!

Depends what level we're talking about surely? SpaceX have their own real time Linux which they do use on rocket systems - stands to reason they might bring a similar idea over to automotive systems.
Likely using a real-time OS like QNX/VxWorks for the more critical stuff.
You started with jailbreaking then transitioned to malicious software update - aren't those two different things? While it's possible that bad software would cause dangerous problems with the car, it's also possible that a bad repair job or bad part will as well. Yet we allow unlicensed mechanics, like the owner of the car, to do things like replace the brakes.

While you may not be comfortable jailbreaking your own car, you might also not be comfortable replacing your own brakes? Do you think my replacing the brakes of my own car would also be sketchy? I am a better programmer than I am a car mechanic. Also, after-market mods which reprogram the engine have been around for a while, so it's not like people do things like this already.

I'm assuming the critical stuff is pretty walled off, but if I were Tesla I'd be nervous about someone potentially poking around with anything like that because they think they know what they are doing.
Oh, I agree. But wouldn't any existing car company also be worried about aftermarket mods to the car they sold, by people who "think they know what they are doing"? What marks Tesla's cars as significantly special or error-prone?

As important, how do you distinguish between a valid concern about the ease of making a stupid error, vs. designing the system to be more resilient to those sorts of mistakes, vs. designing the system so the owner isn't able to modify the car without the manufacturer's permission?

(Eg, Massachusetts has a "Right to Repair" law, which is supposed to reduce the last case.)

>Oh, I agree. But wouldn't any existing car company also be worried about aftermarket mods to the car they sold, by people who "think they know what they are doing"? What marks Tesla's cars as significantly special or error-prone?

They ARE significantly special to the media and to consumers. Compare the press coverage of the Tesla fires to the, what, hundreds or thousands of petrol (gasoline) vehicle fires a year?

One fool disables some safety features to squeeze out some more performance from his vehicle, the vehicle catches fire and kills him. How do you think that'll play out in the mainstream American media and what will it do to Tesla's stock price?

Ahh, yes, I see your point.
Now... imagine you have a low tech car facing an attacker armed with a pair of side cutters.

First, locate the hood, second, use the release to pop it. Locate the master cylinder, and the hose running to the engine, cut it. Now the brakes don't work very well. Locate the hose not running to the engine, cut that, now the brakes don't work at all.

Imagine that any person strong enough to operate side cutters can hack into your car and disable the brakes.

Seriously? You're illustrating the point here. On low tech cars, an attacker has to hack the cars one-at-a-time. They could endanger one car load of people with each "job".

With high-tech cars, an attacker could hack every car of the same model. With thousands of Teslas on the road, I think it merits a higher concern than somebody with side cutters.

I thought it was obvious. Next time I'll let it go unsaid.

It's a wired-ethernet network not Wifi.

The attacker would still need physical access like the low-tech attacker to network and update software on the Tesla.

Also, the brake line could be cut in seconds whereas 'jailbreaking' and then flashing the drive control software would take ages in comparison.

Yeah, but the state police can examine a crash after the fact to determine a brake line was cut.

Even if the software survives a high-speed crash, it's possible for the surreptitiously placed modification to erase itself as its final act. Additionally, the surreptitiously placed modification can wait for weeks or months, giving the attacker time to build a cover story or misdirect or accomplish any number of other goals.

Now imagine someone hiding in the hood of your car waiting to cut your brakes while you are traveling 80mph down the freeway.
Is it even that complicated? Just cut one (or all 4) of the lines under the car that run to the brake calipers. No need to get under the hood.
You're almost certainly going to notice you have no brakes way before you're going to be at a speed to do serious harm, especially in an urban setting.