Wednesday, August 28, 2013

You spent $100,000 on a Tesla?

Oh, sorry.  Security will be extra:
Slack authentication in Tesla's Model S REST API exposes the electric car to a variety of non-safety but non-trivial attacks, according to a Dell engineer and Tesla owner.

In this post over at O'Reilly, Dell senior distinguished engineer and executive director of cloud computing George Reese says the “flawed” authentication protocol in the Tesla REST API “makes no sense”. Rather than using OAuth, Tesla has decided to craft its own authentication, which Reese unpicked.
Use a common security standard that's field proven?  Nah - let's make up our own.  It'll be awesome.
While the flaw doesn't offer access to any “operational” aspects of the car – like steering or brakes – the risks are still significant. An attacker could fool around with configuration settings, the climate control, the sunroof, open the charge port, and anything else supported by the API. Apart from tracking owners' movements, “there is enough here to do some economic damage both in terms of excess electrical usage and forcing excess wear on the batteries”, Reese notes.
Like I said, it'll be awesome.  RTWT for all the simply horrifying n00b mistakes that Tesla made.  There's more, so very much more.

3 comments:

lelnet said...

Honestly, from reading about the state of security in the car biz, it sounds like Tesla (wherein, at least according to this article, you definitely won't be able to use Bluetooth to remotely disable the brakes) is one of the _better_ ones.

Which just goes to show how sad things really are.

Rob K said...

I am constantly befuddled by programmers who roll their own implementation of something, when, if they'd take a few hours of research, there are great robust libraries available to do it.

Simply put, never roll your own unless you absolutely have no other choice.

Dave H said...

Agreed. If your boss has any money sense at all, he won't let you roll your own. I've tried, but it always came down to this:

Boss: "How much to buy it?"
Me: "$20 grand."
Boss: "And how long will it take you to do it?"
Me: "Nine months."
Boss: "Buy it."
Me: "But..."
Boss: "PURCHASE REQ. NOW."

Also, when you buy code from someone else, you can blame them when it breaks. That's worth a lot.