Archive for Tesla

Teen Claims To Have Pwned Tesla Cars In 13 Countries

Posted in Commentary on January 13, 2022 by itnerd

A 19-year-old claims to have hacked into more than 25 Tesla cars in 13 countries, saying in a series of tweets that a software flaw allowed him to access the EV pioneer’s systems.

David Colombo, a self-described information technology specialist, tweeted Tuesday that the software flaw allows him to unlock doors and windows, start the cars without keys and disable their security systems. Colombo noted that he could not drive the cars remotely.

Media reports can be found here and here.

Tesla hasn’t responded to this yet. But if this is true, this is a serious problem for Tesla. And it reminds me of a similar situation with GM’s OnStar where someone came up with a method to do something similar to OnStar equipped cars which was dubbed “OwnStar”.

Morgan Whitlow, Sr. Security Researcher, had this commentary:

“From what has been said by Colombo both in the original posts to social media and within interviews, it sounds like this might have been a vulnerability in Tesla’s mobile companion app or the related API. 

Many of the commands and functions he mentions line up with the mobile app’s features and capabilities; honking the horn, flashing the lights, unlocking the door, etc. This could explain how he’s able to perform certain commands on vehicles without being able to say, drive it around like a toy RC car, or having to be within a certain range; the app/API doesn’t support that level of control. 

If he’s found a way to exploit the app/API, or to log in as the customer, then he’s essentially tricking Tesla’s backend servers that he’s the legitimate owner and they’ll carry out any app-allowable command just the same as they would normally. That said, it’s hard to say this with any certainty until we have more concrete information, but it’ll be interesting to watch it unfold.”

I’ll be watching this very closely as this is something that Tesla will have to respond to very quickly in order to keep their owners safe and confident about their rather expensive electric vehicles. Watch this space.

#Fail: Tesla App Outage Locked Some Owners Out of Their Cars For Hours

Posted in Commentary on September 4, 2019 by itnerd

Some Tesla owners who depended on the app to unlock their cars were left scrambling for their physical keys yesterday when the app went down for maintenance:

A Tesla spokesperson confirmed to Gizmodo that Tesla’s app was temporarily unavailable on Monday but full functionality was soon restored. Tweets suggest the app was down for around three hours at least.

The company clarified that Tesla owners were still able to access their Model 3 with their physical key fob or key cards, which the company encourages owners to carry in the event that they lose their phone or it dies. Owners were also able to gain access to and start their cars through their mobile devices if they had activated the phone-as-key function, which uses Bluetooth Low Energy to connect with the car and doesn’t rely on the app.

However, Model 3 owners who don’t carry a key fob or key card, and don’t use the phone-as-key feature, and who only use the Tesla in-app lock and unlock feature that requires cell signals will be temporarily screwed when the app fails.

I guess this underlines the fact that using your phone to do stuff is great. But it isn’t perfect. Thus if you own a Tesla, you should always keep your physical keys on your person as something like this is likely to happen again.

Elon Musk Suggests That Tesla Would Buy A Factory That GM Is Closing…. And Says A Bunch Of Other Things That Will Attract Negative Attention

Posted in Commentary on December 10, 2018 by itnerd

In a new interview with the CBS program 60 Minutes, Tesla CEO Elon Musk suggested that Tesla would buy a factory that GM is closing, partially mirroring what I suggested after GM made the announcement that they were closing a number of factories, though he did not specifically say which one he might be interested in buying. Now that part of the interview will be of interest to people who are affected by GM’s plant closures. But what will likely attract attention is the rest of the interview where he says the following:

  • Nobody is overseeing his Tweeting despite the fact he’s gotten into trouble with the SEC by saying things on Twitter that he should not.
  • He can get “anything he wants” from Tesla’s board despite the fact that he is no longer on the board due to getting into trouble with the SEC as he is the largest shareholder.
  • He “doesn’t respect” the SEC.

All of these items will attract a lot of negative attention. And do not be surprised if the SEC, which has already slapped Musk once, decides that he needs to be slapped again. But much harder.

A Message To Elon Musk: Buy The Oshawa Ontario Plant That GM Wants To Close

Posted in Commentary on November 28, 2018 by itnerd

Earlier this week, shockwaves were sent through Canada and the United States by General Motors who announced that as part of a shift to electric cars and autonomous vehicles they were closing a number of plants in Canada and the US. Included on this list is an assembly plant in Oshawa Ontario which is east of Toronto. Now cars have been built in this community for about a century. Thus this announcement has not only sent shockwaves through this community, but the entire country as well. Now there’s talk from politicians and the union that represents workers at this plant that they’re going to fight GM on this and force them to continue production at that plant. But I think that this ship has sailed and they need to reach out to someone else who can help them.

That person’s name is Elon Musk.

The reason why I say Elon Musk should get involved is simple. He’s done something like this before. The Tesla facility in Fremont California builds every Model S, X, and Model 3 at present. But Musk got his hands on it when he bought it from GM who along with Toyota were using it to build the Pontiac Vibe most recently, but shut it down and threw thousands out of work. Musk bought the plant and put a lot of those people back to work as they were basically a ready made workforce having built cars for GM and Toyota.

At present, the Fremont facility is cranking out as many cars as it can. But it is clear that Musk and Tesla need more manufacturing capacity. Thus Oshawa would be ideal. Not only does it give him a facility with a ready to go workforce that is highly skilled that he can leverage, he also has a supply chain that has built up around the plant over the century that cars have been built in Oshawa. On top of that, Canada has proven to be one of Tesla’s more successful markets and it could use the positive press of having a plant in Canada to accelerate that. Not to mention that there are key advantages that Canada has [Warning: PDF] when it comes to the automotive industry. Finally, I am sure that both the Ontario Government and the Canadian Government would trip over themselves to help Musk to set up shop here. Thus making his initial outlay a whole lot more affordable to him.

Potential risks? Well, I’ll admit that there’s only one. His name is Donald Trump. He’s leveled threats about imposing tariffs on Canadian made cars in the past. And were this to happen, it would be ugly. Now Elon Musk is no fan of Donald Trump so he may not care. And given Tesla’s success in places like Europe, he may ship cars made in Canada elsewhere to avoid this. But every other company who makes cars in Canada certainly will care and let Musk know about it. But this shouldn’t stop Musk from making a play to buy the soon to be closed GM plant in Oshawa. It’s a win for him, and for Canada.

So how about it Mr. Musk?


When It Comes To Privacy For In Car Infotainment Systems, It’s An Open Question As To What Data Google And Apple Collects From You

Posted in Commentary on April 20, 2018 by itnerd

The issue of privacy when it comes to in car infotainment systems like Android Auto and Apple CarPlay flared up again yesterday when it came to light that Toyota took a pass on Android Auto because of privacy concerns. They joined Porsche who famously did the same thing a few years ago.

That made me wonder if it is spelled out clearly what data either of these systems collects and how it is used. Why does that matter? I’d like to know if Google or Apple is monitoring how aggressively I drive. And what they do with that information and who gets to see it. Thus I spent a day looking around the Internet to see if such documentation exists. The net result of my research is that neither company does a great job of spelling out what data they collect via their infotainment systems and how it is used. To illustrate this, I want to use Tesla as an example of what I am looking for. Their privacy policy makes it very clear what they collect in terms of data. And they go into a great amount of detail about how it is used. That way, you know exactly what Tesla is doing. As far as I am concerned, this is the gold standard when it comes to this sort of thing as it removes any questions from my mind about what Tesla may or may not be doing.

Now let’s go over to Apple. They have a privacy microsite that is better than most and specifically mentions Apple CarPlay here where it says this:

All the rigorous privacy measures built into your iPhone and apps carry over to CarPlay. Only essential information that enhances the CarPlay experience will be used from your car. For example, data such as your car’s GPS location can be used to help iPhone produce more accurate results in Maps.

That’s something I suppose, but beyond that there’s no specific mention in their privacy policy or anywhere else on their microsite about what CarPlay collects and what is done with that information.

In the case of Google and Android Auto, I was unable to find anything that specifically mentions Android Auto, and I looked at the Android Auto site and their privacy and terms microsite which if you dig for a bit lists pretty much every product that they make except Android Auto. Which means that I have no idea what info Google collects. And that’s a step behind Apple who at least gives me some minimal information on this front.

So in either case, both Android Auto and Apple CarPlay fall well short of telling their users about what data they collect and how it is used when compared to Tesla. That’s a problem given how privacy and the security of data is now a top of mind issue. As a result, we’re left with rumor rather than fact. And that’s a huge problem for both companies if they want their infotainment systems to be adopted widely.

My challenge to both companies would be for them to make their data collection and usage policies for their infotainment systems as clear as Tesla does. At least when Tesla spells it out, I know what I am getting myself into up front assuming that I read the document. I believe that Google and Apple owe us the same.

So how about it Apple and Google? Will you do what’s right for users of Android Auto and Apple CarPlay, or will you continue to keep them in the dark about what data you collect and how it is used in terms of those products? Inquiring minds want to know.


Tesla AWS Site Pwned To Mine Cryptocurrency

Posted in Commentary on February 21, 2018 by itnerd

Hackers have reportedly pwned parts of Tesla’s cloud environment to use its CPU power to mine cryptocurrencies. What’s worse is that they possibly might have caught a glimpse of the car maker’s sensitive data.

The pwnage was discovered by RedLock security researchers who were searching for the organisation behind an Amazon Web Services (AWS) account that was left open to the public. They discovered that the account happened to belong to Tesla. Further investigation uncovered the pwnage along with attempts to cover up the pwnage so that Tesla wouldn’t notice. Which clearly didn’t work as RedLock had to tell them that they were pwned. Tesla then quickly patched things up. But you have to bet that Elon Musk is having a chat with a few of their IT staff about how this happened. And I wouldn’t want to be them.

What’s really bad about this is the hacker had access to Tesla’s larger AWS based cloud environment. Which means that they could have had access to a lot of other data from personal info to info about Tesla vehicles. So it is possible that they could have seen sensitive data of some sort. Though, I am guessing that mining cryptocurrency was a higher priority than swiping data.

Clearly Tesla needs to take a look at how they use AWS to make sure that they don’t ever get pwned like this. Because if it does happen again, there may not be someone around who will tell them about it.

Let Me Debunk This Tesla Hack For You

Posted in Commentary on November 23, 2016 by itnerd

There’s a video that in the last 24 hours or so has gained a lot of attention. Allegedly, hackers in Norway are able to steal a Tesla because of a “lack of security in the Tesla smartphone app”. Now before I completely debunk this video, let me show you the video in question:

Okay. This looks scary on the surface. I will admit that. But here’s the problem. There is no security issue in the Tesla app. These guys used an Android phone where the user was tricked into logging into unsafe WiFi and downloading an app that stole the credentials of the Tesla app. So in short, they hacked the phone and not the Tesla app or the car itself. Using this method, these guys could have “hacked” a Tesla, a GM vehicle, or anything else that uses an app to open the doors of a car and to start it. Thus this is something that I doubt that Tesla would lose sleep over.

I didn’t see what version of Android they used. But based on what I see in this video, the exploit that they used appears to be a variant of “SlemBunk” which was discovered in 2015 and mitigated in more recent versions of the Android OS. Note that I did not say fixed as it is still possible (though harder) to do this sort of attack. Thus users need to protect themselves by not connecting to unsafe WiFi, not downloading “sketchy” apps from outside the Google Play Store, and keeping their Android OS up to date. In short, if you do all of that, this “hack” will be less possible. Alternately, don’t tie your car to your smartphone. That ensures that there is no attack vector via a smartphone to steal it.

Consider this debunked.


Tesla Model S Hack That Enables Remote Control Demoed… And Quickly Fixed

Posted in Commentary on September 20, 2016 by itnerd

I’ve been saying for a very long time that car companies have to do a better job of securing their cars from hacks. The Jeep hack from last year proves that more needs to be done on that front. Now there’s a new hack that has come to light. Hackers at the Keen Security Lab of Tencent, a Chinese Technology conglomerate, discovered the vulnerability and published a video demonstrating the hack:

But before any Tesla owners panic, the company has already pushed out a fix for this as fixes can be delivered over the air to Tesla owners. If you’re running v7.1, 2.36.31 of the Tesla software, you’re covered. That’s because Keen reported the issue to Tesla and gave the company the chance to fix it before going public. Also, I am guessing that they got paid as well seeing as Tesla has a bug bounty program. That’s good and this sort of quick action is something that other car companies should emulate so that their customers are protected from those who would wish to do something malicious.

Tesla Driver Killed While Driving On Autopilot

Posted in Commentary on July 1, 2016 by itnerd

Tesla has a feature called Autopilot which will allow the car to drive itself in certain situations. However, the driver must keep their hands on the wheel so that they can take control if needed. Thus this is a semi-autonomous system. People, yours truly included, have always wondered what would happen if a car with a system like this got into an accident and someone died. Well, that’s now happened:

The 7 May accident occurred in Williston, Florida, after the driver, Joshua Brown, 40, of Ohio put his Model S into Tesla’s autopilot mode, which is able to control the car during highway driving.

Against a bright spring sky, the car’s sensors system failed to distinguish a large white 18-wheel truck and trailer crossing the highway, Tesla said. The car attempted to drive full speed under the trailer, “with the bottom of the trailer impacting the windshield of the Model S”, Tesla said in a blogpost.

A police report in the Levy County Journal said the top of the vehicle “was torn off by the force of the collision”. The truck driver, Frank Baressi, 62, of Tampa, Florida, was uninjured, the Journal reported.

America’s National Highway Traffic Safety Administration (NHTSA) has opened an inquiry into the accident.

Tesla, the maker of the Model S has posted a blog post that says among other things, this:

Following our standard practice, Tesla informed NHTSA about the incident immediately after it occurred. What we know is that the vehicle was on a divided highway with Autopilot engaged when a tractor trailer drove across the highway perpendicular to the Model S. Neither Autopilot nor the driver noticed the white side of the tractor trailer against a brightly lit sky, so the brake was not applied. The high ride height of the trailer combined with its positioning across the road and the extremely rare circumstances of the impact caused the Model S to pass under the trailer, with the bottom of the trailer impacting the windshield of the Model S. Had the Model S impacted the front or rear of the trailer, even at high speed, its advanced crash safety system would likely have prevented serious injury as it has in numerous other similar incidents.

This isn’t good news for Tesla. As of late, Tesla has quietly settled a lawsuit with a Model X owner who claims his car’s doors would open and close unpredictably, smashing into his wife and other cars, and that the Model X’s Auto-Pilot feature poses a danger in the rain. And they caught the attention of federal regulators when it appeared that Tesla might have been trying to cover up suspension issues. No wonder Tesla CEO Elon Musk has been sleeping in the factory as of late. Now, Tesla does point out this in their blog post:

This is the first known fatality in just over 130 million miles where Autopilot was activated. Among all vehicles in the US, there is a fatality every 94 million miles. Worldwide, there is a fatality approximately every 60 million miles.

From a math perspective, you could say that Autopilot does a better job than humans. But that is cold comfort to the family of the person who died in this accident. Because any death while driving is one too many. Thus I think it would be wise for Tesla to really show how they can improve Autopilot so that we don’t have to have this conversation again.

Has Tesla Covered Up Suspension Issues In The Model S?

Posted in Commentary on June 10, 2016 by itnerd

Making the rounds today on the Internet are reports of somewhat widespread issues with the Tesla Model S where the suspension can fail suddenly:

Our investigation began in earnest upon reading a thread titled “Suspension Problem on Model S” in the Tesla Motors Club forum. The original poster (OP) in that thread described the suspension in his 2013 Model S (with 70,000 miles) failing at relatively low speed, saying the “left front hub assembly separated from the upper control arm.” Images of the broken suspension components showed high levels of rust in the steel ball joint and the OP reported being told by Tesla service center employees that the “ball joint bolt was loose and caused the wear,” which was “not normal.” Because his Tesla was out of warranty, the repair was reportedly sent to Tesla management for consideration.

So far, that seems to be not all that unusual as I have heard this sort of response from a car company before. But here’s what happened next:

According to a subsequent post by the OP, Tesla management refused to repair the broken suspension under warranty despite the “not normal” levels of wear reported by the service techs. Then, just days later, the OP reported that Tesla had offered to pay 50% of the $3,100 repair bill in exchange for his signature on a “Goodwill Agreement” which he subsequently posted here (a scan of the stock agreement can be found here). That agreement included the following passage:

The Goodwill is being provided to you without any admission of liability or wrongdoing or acceptance of any facts by Tesla, and shall not be treated as or considered evidence of Tesla’s liability with respect to any claim or incidents. You agree to keep confidential our provision of the Goodwill, the terms of this agreement and the incidents or claims leading or related to our provision of the Goodwill. In accepting the Goodwill, you hereby release and discharge Tesla and related persons or entities from any and all claims or damages arising out of or in any way connected with any claims or incidents leading or related to our provision of the Goodwill. You further agree that you will not commence, participate or voluntarily aid in any action at law or in equity or any legal proceeding against Tesla or related persons or entities based upon facts related to the claims or incidents leading to or related to this Goodwill. [Emphasis added]

This is not normal. In short, what Tesla was asking the person to do is give up his right to do things like report this to the National Highway Traffic Safety Administration. Effectively covering up that this problem even exists. That’s very troubling, and likely not legal:

NHTSA spokesman Bryan Thomas said Thursday that the issue involves suspensions in the Model S, Tesla’s largest-selling vehicle. While not immediately disclosing the nature of the complaints, he says the agency is reaching out to Tesla owner and the company to gain more information about the problem.

At the same time, Thomas said Tesla has a “troublesome nondisclosure agreement” that implies customers should not report safety issues.

“The agency immediately informed Tesla that any language implying that consumers should not contact the agency regarding safety concerns is unacceptable, and NHTSA expects Tesla to eliminate any such language,” he said in a statement.

NHTSA says it was told by company officials that they did not intend to dissuade customers from contacting the government about safety concerns.

That begs the question: Is Tesla trying to cover up this issue? Now the National Highway Traffic Safety Administration is apparently investigating this issue, and Tesla apparently isn’t talking about this with the exception of putting out a Technical Service Bulletin (TSB) in March of 2015, which indicates that a “known non-safety-related condition” applied to the front lower control arm of the Tesla Model S. But the optics of this really suck given this fact:

Until NHTSA publicizes the findings of its investigation, the sheer scope of Tesla’s apparent suspension defect won’t be clear. But other reports of suspension breakage are not hard to find, both in the “Suspension Problem on Model S” thread at TMC, elsewhere on that forum or around the internet. A gallery of photos apparently assembled by the hard-working Cassandra in this story shows a disturbing number of wrecked vehicles with broken suspensions. But these photos, like the two reports of Teslas driving off cliffs and other reports of inexplicable crashes, are circumstantial evidence at best. Until experienced investigators perform forensic analyses that can confirm whether suspension failure occurred before any of these crashes, these examples serve only to show the worst case scenario for Tesla.

Clearly Tesla has a major PR problem (at the very least) on its hands. What’s worse is that the way this was handled really paints the company in a negative light. Proving the fact that the cover up is often worse than the crime as shown with incidents like Watergate and Iran/Contra.

UPDATE: Let the PR war begin. This post is on the Tesla blog. Among other things, it says this:

Finally, it is worth noting that the blogger who fabricated this issue, which then caused negative and incorrect news to be written about Tesla by reputable institutions, is Edward Niedermayer. This is the same gentle soul who previously wrote a blog titled “Tesla Death Watch,” which starting on May 19, 2008 was counting the days until Tesla’s death. It has now been 2,944 days. We just checked our pulse and, much to his chagrin, appear to be alive. It is probably wise to take Mr. Niedermayer’s words with at least a small grain of salt.

We don’t know if Mr. Niedermayer’s motivation is simply to set a world record for axe-grinding or whether he or his associates have something financial to gain by negatively affecting Tesla’s stock price, but it is important to highlight that there are several billion dollars in short sale bets against Tesla. This means that there is a strong financial incentive to greatly amplify minor issues and to create false issues from whole cloth.

It seems that besides trying to refute the claims of the article, they’re going with the “shoot the messenger” approach. This should be fun to watch.