Tag Archives: Tesla

Bluetooth Spec Says it is not Secure – They Are Right

There have been many issues over the years with passive (keyless) entry systems, including but not limited to vehicles.

In this case, researchers at the NCC Group used a “relay attack” to not only unlock a Tesla Model 3, but also start it and drive away.

A relay attack works like this. You take one phone and put it near the key fob and another phone and put it near the car. These two phones talk to each other and with $50 worth of bluetooth hardware, they are able to relay the signal from the fob to phone 1 to phone 2 to the car.

Some of these relay attacks don’t work because there is a time delay introduced in this type of attack, but these researchers figured out how to work within the timeout window.

While they only tested a model 3, they think the attack will also work on a model Y.

Tesla has a history of problems like this. In 2014 researchers were able to unlock a Tesla. In 2016 another group was able to create a similar attack. Also in 2016, the Tesla app was compromised to track, locate and start vehicles. In 2018 Belgian researchers were able to clone the Tesla keyfob and get full access to the car.

It’s worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated “the Proximity Profile should not be used as the only protection of valuable assets,” and additionally “there is currently no known way to protect against such attacks using Bluetooth technology.”

https://www.theregister.com/2022/05/17/ble_vulnerability_lets_attackers_steal/

Credit: The Register

These researchers say that this is not a bug that can be fixed with a software patch, nor is it an error in the specification. Instead, it is a problem with using the protocol for something that it was not designed to do (security).

Tesla says that they are not going to fix it. They do say that you can disable the proximity feature.

The researchers also say that this attack will work on any other Bluetooth proximity device such as other cars, smart locks, building access systems, mobile phones, laptops and many other devices.

This is one of those cases where convenience won out over security. Credit: Helpnet Security

Security News for the Week Ending November 26, 2021

Tesla Locks Owners Out of Cars – On Accident

Hundreds of Tesla owners got locked out of their cars when a server that powers the Tesla app crashed due to load. Apparently those owners forgot there is such a thing as a car key. The outage lasted about 5 hours and Elon Musk later tweeted that they would work to avoid this in the future. This doesn’t happen often; just a reminder that no tech is perfect. Credit: The Guardian

The Zelle Fraud Scam – Don’t Fall Victim

The Zelle fraud scam starts with a fake text message that asks if you made a Zelle payment in the amount of $X. If you respond to the text with anything, you will get a call from the scammer pretending to be your bank. The scammer asks for your online banking USER NAME (not password) and the hacker then does a password reset, asking you for the PIN that your bank sends to do the password reset. And then empties your bank account. For more details, see the Brian Krebs account of the attack.

Microsoft Says Attackers Don’t Bother to Brute Force Long Passwords

A Microsoft engineer analyzed over 25 million password attempts against a honeypot of SSH servers and discovered that 77% of the attempts to brute force a password used passwords of 7 characters or less and only 6% used passwords of over 10 characters. Also, only 7% of the attempts used a special character. This gives users some parameters for constructing passwords. Credit: The Record

US Sanctions 28 Quantum Computing Companies in China, Russia, Pakistan and Japan

The US continues to work on protecting our technology from foreign bad actors. The Commerce Department added 28 companies in multiple countries as a risk to the US. These sanctions prohibit US companies from dealing with these organizations. Given that quantum computing is a strategic technology for everyone, we do not want to accidentally be helping the bad guys. For a list of these companies, check out this article.

Israel Bans Sales of Hacking Tools to 65 Countries

In the wake of all of the negative press that Israeli hacking tools company NSO Group is getting, including being banned in the US, Israel reduced the list of countries that companies like NSO can sell to from 102 to just 37 countries. See the list here.

India to Ban Almost All Private Crypocurrencies

India is about to ban almost all private cryptocurrencies. A new bill will create a framework for an official digital currency, to be issued by the Reserve Bank of India. Included in the ban would be Bitcoin and Ethereum. Effectively, if this bill becomes law non-fiat cryptocurrency would cease to exist in one of the world’s most populous countries. Credit: Euronews

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that it could also bother Tesla’s cameras also. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

Unhappy Days in Tesla-Land

Tesla (and other self driving car companies) have been particularly close-mouthed about crashes, especially when their cars are in self driving mode.

The National Highway Traffic Safety Administration (NHTSA) issued a new rule that pulls the covers off of that secrecy.


Now companies will have to report ALL crashes in which semi-autonomous, steering assist or automatic lane-keeping are involved. Not only does this affect Tesla, but it also affects Waymo, Zoox, Cruise and others.

The new rule says that any crash involving a semi-autonomous system and “a hospital-treated injury, a fatality, a vehicle tow-away, an air bag deployment, or a vulnerable road user such as a pedestrian or bicyclist” must be reported to NHTSA within one day of learning about the crash, with an update submitted 10 days later.

The companies also have to generate monthly reports and provide them to the NHTSA.

To encourage companies to comply, failure to comply will subject companies to fines of $22, 992 per day.

With a maximum fine of $100 million.

I assume that will get even Elon’s attention.

The objective is for the feds to have more data to understand how safe or not some of this new tech is.

Credit: Vice

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self driving car and stealing the data. I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem and this case, I would say the Chinese are correct. The problem is that with more and more self driving cars, do you ban all cars from sensitive places? What if you convince the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win), that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year and allowing the case to proceed, does not mean anyone will win or what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that is never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer, apparently, offered $10 million, but Acer is not confirming anything. Leaked documents are less sensitive financial info, so we don’t really know what they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official, earlier this month, said that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and allow them to provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week

Researchers Hack Tesla Key Fob in 2 Seconds

Researchers have figured out how to hack a Telsa’s key fob in under two seconds.  That’s impressive.  Remotely.  I think in this case remotely means that they do not have to touch the fob or the car, but they have to be pretty damn close to it – in radio range of the fob.  Still, it is not particularly hard to be nearby the car.

The researchers say that the technique should work on any keyless entry system, but maybe that isn’t quite true.

Tesla’s keyless entry system is made by Pektron and they are using relatively weak encryption.  We have actually seen this exact problem with other cars like the system that VW uses and sells to many other manufacturers (which I have written about in the past).  So if may be fair that other manufacturers have similar problems, but not necessarily the same.  But maybe not all.

Because computers are fast and can support a lot of data, the researchers made a table of all 2 to the 16th possible encryption key codes.  That is only 6 terabytes – a disk that you can easily put on a PC, never mind a more powerful computer.

Then you need about $600 of hardware to intercept the owner unlocking the car.  You get the encrypted code that way.

Then all you have to do is scan this table that you built to find the matching entry and voila, you can clone the fob.  This MAY BE true for other manufacturers as well.  As I recall, the VW hack was even easier.

Telsa attempted to defend itself by saying that other car makers have crappy security too.  Not much of a defense.

So what do you do?

First, maybe passive entry is not the most secure thing in the world, so do you really NEED it, or is it just a cool toy.

Second, make sure that your insurance will replace your car if it is stolen in this manner.

In the case of Telsa, they warned their customers to disable passive entry.  That may be an option for other cars too.  If you can disable it, do so.

Telsa has created a new key fob that you can BUY, but you need to upgrade the software in the car first.  The software is free, the fob is not.  Still, if it is reasonably priced, you should probably do it.

Owners of other vehicles should check with the dealer for updates and probably scan Google periodically to see if their particular system has been hacked.

Telsa has also added a PIN code to its alarm system, but you have to enable it.

Generally, there is a trade off between security and convenience.  This is an example of it.    

Check the options in your car and select, maybe, the most secure one instead of the easiest.  Typically the dealer will explain the easiest one because that is also the coolest one.  Leaving the key in the car is also easy, but I don’t recommend that either.

Unless you are ready to buy a new car.  In which case, what color do you like?

Information for this post came from Motherboard.