Tag Archives: Tesla

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that it could also bother Tesla’s cameras also. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

Unhappy Days in Tesla-Land

Tesla (and other self driving car companies) have been particularly close-mouthed about crashes, especially when their cars are in self driving mode.

The National Highway Traffic Safety Administration (NHTSA) issued a new rule that pulls the covers off of that secrecy.


Now companies will have to report ALL crashes in which semi-autonomous, steering assist or automatic lane-keeping are involved. Not only does this affect Tesla, but it also affects Waymo, Zoox, Cruise and others.

The new rule says that any crash involving a semi-autonomous system and “a hospital-treated injury, a fatality, a vehicle tow-away, an air bag deployment, or a vulnerable road user such as a pedestrian or bicyclist” must be reported to NHTSA within one day of learning about the crash, with an update submitted 10 days later.

The companies also have to generate monthly reports and provide them to the NHTSA.

To encourage companies to comply, failure to comply will subject companies to fines of $22, 992 per day.

With a maximum fine of $100 million.

I assume that will get even Elon’s attention.

The objective is for the feds to have more data to understand how safe or not some of this new tech is.

Credit: Vice

Security News for the Week Ending March 26, 2021

China Bans Military and Government from using Teslas – Due to ‘Spying’

The WSJ is reporting that the Chinese government has restricted the use of Tesla vehicles near or in sensitive installations like military and government facilities. The theory is that the cameras on Teslas could be used for spying. Tesla, of course, denies that they are spies, but consider this. What is to stop hackers or state intelligence agencies from hacking ANY self driving car and stealing the data. I am sure that Musk would say that his security is great, but is it perfect? This is not a Tesla problem, this is a ’20 cameras on 4 wheels with an Internet connection’ problem and this case, I would say the Chinese are correct. The problem is that with more and more self driving cars, do you ban all cars from sensitive places? What if you convince the owner to sell their data after driving around a sensitive facility? If someone offered you $50,000 to rent your car for a week, no questions asked, would you take it? Oh, yeah, it might back with less data than it went out with. Credit: ZDNet

Facebook Fails to Derail $15 billion Privacy Lawsuit

Facebook is being accused of violating wiretap laws because of the way the Facebook “Like” icons work to track even people who do not have Facebook accounts, never mind ones who do have an account but are not logged in. Of course, Facebook monetizes this data in a variety of ways. Facebook told the Supreme Court that if they allowed the California federal court decision to let the case proceed (which is different than saying the plaintiffs will win), that would have detrimental consequences. While $15 billion is a lot of money, remember that Facebook made $30 billion in PROFIT just last year and allowing the case to proceed, does not mean anyone will win or what the penalty might be. Surely if Facebook loses it will be detrimental – to them, but that is never been a reason to stop a lawsuit from moving forward. Credit: Security Week

Amazon Contractors Have to Sign a Biometric Consent Form or Lose Their Job

Amazon continues to ratchet down on their contract drivers (and probably their own too). They are installing AI based cameras in their delivery vehicles that watch both the road and the drivers. If a driver yawns, they see that. If the driver looks at his or her phone, they see that too. Not wearing your seatbelt? Problem. Too many negatives and they are history. Or, they can quit now. Oh, yeah, they can keep the data forever. Credit: Vice

Hackers Demand $50 Million Ransom from Acer – Threaten to Leak Data

In what is probably the largest ransom demand ever (at least that we know of), hackers encrypted systems at Acer on March 14th and demanded a $50 million ransom. The hackers posted on the dark web that negotiations had broken down. Acer, apparently, offered $10 million, but Acer is not confirming anything. Leaked documents are less sensitive financial info, so we don’t really know what they have. The compromise may have started with the Microsoft Exchange Server hack. The main risk factor here, likely, is the disclosure of whatever the hackers stole. Stay tuned. Credit: Hackread

After NSA Head Says NSA Missed SolarWinds Because it Can’t Spy in US, Administration Says It Does Not Plan to Increase US Surveillance

An administration official, earlier this month, said that the administration, worried about the political blowback of the NSA spying on Americans, was not CURRENTLY seeking additional laws to allow the NSA (or others) to do additional spying on Americans. Instead, they want to focus on tighter partnerships with the private sector and allow them to provide the data to the feds. This would give the feds a cover story that they are just using data that has already been collected. This is my de-spinning of what they said. Credit: Security Week

Researchers Hack Tesla Key Fob in 2 Seconds

Researchers have figured out how to hack a Telsa’s key fob in under two seconds.  That’s impressive.  Remotely.  I think in this case remotely means that they do not have to touch the fob or the car, but they have to be pretty damn close to it – in radio range of the fob.  Still, it is not particularly hard to be nearby the car.

The researchers say that the technique should work on any keyless entry system, but maybe that isn’t quite true.

Tesla’s keyless entry system is made by Pektron and they are using relatively weak encryption.  We have actually seen this exact problem with other cars like the system that VW uses and sells to many other manufacturers (which I have written about in the past).  So if may be fair that other manufacturers have similar problems, but not necessarily the same.  But maybe not all.

Because computers are fast and can support a lot of data, the researchers made a table of all 2 to the 16th possible encryption key codes.  That is only 6 terabytes – a disk that you can easily put on a PC, never mind a more powerful computer.

Then you need about $600 of hardware to intercept the owner unlocking the car.  You get the encrypted code that way.

Then all you have to do is scan this table that you built to find the matching entry and voila, you can clone the fob.  This MAY BE true for other manufacturers as well.  As I recall, the VW hack was even easier.

Telsa attempted to defend itself by saying that other car makers have crappy security too.  Not much of a defense.

So what do you do?

First, maybe passive entry is not the most secure thing in the world, so do you really NEED it, or is it just a cool toy.

Second, make sure that your insurance will replace your car if it is stolen in this manner.

In the case of Telsa, they warned their customers to disable passive entry.  That may be an option for other cars too.  If you can disable it, do so.

Telsa has created a new key fob that you can BUY, but you need to upgrade the software in the car first.  The software is free, the fob is not.  Still, if it is reasonably priced, you should probably do it.

Owners of other vehicles should check with the dealer for updates and probably scan Google periodically to see if their particular system has been hacked.

Telsa has also added a PIN code to its alarm system, but you have to enable it.

Generally, there is a trade off between security and convenience.  This is an example of it.    

Check the options in your car and select, maybe, the most secure one instead of the easiest.  Typically the dealer will explain the easiest one because that is also the coolest one.  Leaving the key in the car is also easy, but I don’t recommend that either.

Unless you are ready to buy a new car.  In which case, what color do you like?

Information for this post came from Motherboard.

 

The Risk of the Insider Threat

Elon Musk, CEO of Tesla, sent an email to all employees over the weekend telling them that the company was hacked by an employee who changed code on an internal product and sent company data outside without permission.

The software, the Tesla Manufacturing Operating System, is likely used internally in the manufacturing process.

The employee created false user names and then modified the software without approval.  He also sent large volumes of sensitive Tesla data to third parties.

This investigation is not over and there is a question about whether outsiders were involved.  There are lots of people who do not like the idea of an electric car, starting with the oil and gas industry and some Wall Street insiders.  The traditional car makers, who seem perfectly willing to lie and cheat to pass emissions test could also be motivated to harm Tesla.

In this particular case, the employee said he was mad because he was passed up for a promotion.  THAT was probably a good move since it is going to be hard for him to work from prison.

This is an important notice for all employers.

Every company, except those with one or two employees, have employees who are not happy.  Would an unhappy employee become a saboteur?  Hopefully not, but the larger the company is, the more likely that at least one person will have a grudge and could, possibly, act on it.

In Tesla’s case, even though this person created fake accounts to try and hide his deeds, the company had sufficient tools in place to uncover the sabotage and figure out who the employee was.

For your company, how much damage could a disgruntled employee do and could you detect it?  How quickly could you repair the damage?  Could you figure out who did the damage in order to prevent a repeat performance?

In today’s world it probably does not take much to get just one employee really peeved and if you have someone outside the company who could motivate that action with money – well you have really increased the odds.

Information for this post came from CNBC.