You wouldn’t download a car…

You wouldn’t download a car…but is that just because none of us know how to? And OF COURSE none of us know how to: it’s a really hard thing to do!

Raspberry Pi Tesla

Dramatic reenactment using a Mini because, c’mon, as if I can afford a Tesla!

Nikola Tesla was in love with a pigeon

True story. He was also the true father of the electrical age (sorry, not sorry, Edison) and looked so much like David Bowie that here’s David Bowie playing Nikola Tesla:

David Bowie as Nikola Tesla

Not even pigeon love

Which is the perfect segue, as here’s a Tesla playing David Bowie, and here’s also where our story truly begins…

Some people dislike Tesla (the car manufacturer, not the scientist) but we love them

But some people also dislike going to the dentist, so ¯\_(ツ)_/¯. (I also love going to the dentist.)

I’m pretty sure the reason some people have issues with Tesla is that electric cars still seem like a form of magic we’re not quite comfortable with.

Whatever people’s reason for holding a grudge against Tesla, recent findings at a university in Belgium this week have left the tech community aflutter: the academics announced that, with the aid of a “$35 computer”, they can clone your Tesla car key and steal. Your. Car.

If you haven’t guessed yet, we’re the ones behind the $35 computer. (Hi!)

Says WIRED: A team of researchers at the KU Leuven University in Belgium on Monday plan to present a paper at the Cryptographic Hardware and Embedded Systems conference in Amsterdam, revealing a technique for defeating the encryption used in the wireless key fobs of Tesla’s Model S luxury sedans. With about $600 in radio and computing equipment, they can wirelessly read signals from a nearby Tesla owner’s fob. Less than two seconds of computation yields the fob’s cryptographic key, allowing them to steal the associated car without a trace.

When I said that the tech community was all aflutter, what I meant was, on the whole, we find this hack somewhat entertaining but aren’t all that shocked by it. Not because we hate Tesla, but because these things happen. Technology is ever evolving, and that $600 worth of kit can do a thing to another thing isn’t all that unbelievable.

The academics showed an example of the hack using “just” a couple of radios, a Raspberry Pi, some batteries, and your basic, off-the-shelf “pre-computed table of keys on a portable hard drive”. And through the magic of electric car IoT technology, Tesla instantly released a series of fixes to allow existing Tesla users to protect their cars against the attack, which is all kinds of cool.

Alex, why are you making such light of this?!

Because The Fast and the Furious isn’t real. And I highly doubt there’s a criminal enterprise out there that’s capable of building the same technology as well-funded university researchers.

Yes, this study from KU Leuven University is interesting. And yes, we all had a good laugh at the expense of Tesla and Elon Musk, but we don’t need academics to provide material for that. And I genuinely love Tesla and the work Elon is doing. True love.

Instead, we should be seeing this as a reminder that data encryption and online security are things we all need to take seriously in this digital world. So stop connecting your phone to whatever free WiFi network you can find, stop using PASSWORD123 for all your online accounts, and spend a little more time learning how you can better protect yourself and your family from nasty people on the internet.

And leave Britney Tesla alone!

17 comments

Avatar

Didn’t Tesla’s instant fix take about a year from first report to distribution to the fleet?
It is good that they have a way to get updates out to the cars that does not need a recall but it still took a long time.
No word yet from the other car makers that are using the same technology provider.

Avatar

$600 worth of kit can do a thing to another thing?
No way

Avatar

True story.

Avatar

Nobody else thinks Tesla (the super hero not the car) looks like Novak Djokovic?

Avatar

See https://www.theregister.co.uk/2018/09/12/tesla_hack/ for more details, including a link to the report.

Despite it being reported a year ago, Tesla did have a reporting process and took the researchers seriously, releasing a fix and paying an undisclosed bug bounty. The problem is also suspected to exist in McLaren, Karma and Triumph cars but they have not even acknowledged the issue.

Shame about the initial problem, but a great deal of points for their response; no points at all for the others

Avatar

Service or lack thereof, that is why I’m not a fan of Tesla.
https://youtu.be/okLgtYgnd7A

Avatar

D’ye think the same thing could happen to my Volvo?
Cos, my daughter’s key-fob has gone deaf, and the dealer wants about £300 to replace it.
So with a bit of engine-uity and a Pi, I’m sure I could clone my own key-fob, then all she needs to carry in her handbag is a Pi-zeroW and a battery.

Avatar

Would you please stop giving my password to everyone on teh interwebs.

Avatar

Mercedes had this issue as well, but criminals were actually utilizing it. They would walk up to the victim’s house at night and pull out their “scanning” device around the front door (I’m assuming because people often hang keys by the door). Once this device retrieved the key code, it would relay the code to a smaller “remote”. This “remote” would then unlock and start the car just as easily as the real key.

Video:
https://www.youtube.com/watch?v=RKCmm4pOziM

Avatar

I saw the title of this blog post and assumed it was going to be about 3D printing… ;-)

Avatar

“I highly doubt there’s a criminal enterprise out there that’s capable of building the same technology as well-funded university researchers.”

Riiiight. Students are way better funded than organized crime.

Avatar

“spend a little more time learning how you can better protect yourself and your family from nasty people on the internet.”
(linking to https://www.getsafeonline.org/ )

That site is not a good guide on secure passwording, at least. They write at https://www.getsafeonline.org/protecting-your-computer/passwords/ among other things three bad suggestions for a strong password:

1 “To create a strong password, simply choose three random words.”
2 “Choose a password with at least eight characters … a combination of upper and lower case letters, numbers and keyboard symbols”
3 “Someone else’s mother’s maiden name (not your own mother’s maiden name).”

Method 1 alludes to the old XKCD method https://xkcd.com/936/ , which nowadays is vulnerable to dictionary attacks.
Method 3 is also too easy to bruteforce with a dictionary.
Method 2 is flawed in that 8 characters is probably too short, unless the user takes great care to get the complexity right.

The most important thing is to go for length! Make it 15 characters or more and don’t use dictionary words or predictable variations thereof. Bonus step: first check your password against dumps of millions of real passwords. Anything in those dumps is no longer secure. See https://blog.codinghorror.com/password-rules-are-bullshit/ for a lot more details.
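
The three checks recommended in the comment above (15 characters or more, no dictionary words or predictable variations, not present in a breach dump), sketched as an added example that is not part of the original comment or of any site it links to. The word list, substitution map and breach set are tiny constructed samples, and the function names are hypothetical.

```python
import hashlib

# Constructed sample data: a real check would load a large word list and a
# breach corpus (these are commonly distributed as SHA-1 hashes).
WORDS = {"correct", "horse", "battery", "staple", "password", "dragon"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("PASSWORD123", "correcthorsebatterystaple")}
LEET = str.maketrans("0134578@$!", "oieastbasi")   # 0->o, 1->i, 3->e, ...
EDGE = "0123456789!@#$%^&*()-_=+.?"                # padding added at either end

def is_word_sequence(s):
    """True if s splits entirely into dictionary words (dynamic programming)."""
    if not s:
        return False
    ok = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        ok[end] = any(ok[start] and s[start:end] in WORDS for start in range(end))
    return ok[-1]

def check_password(pw, min_len=15):
    """Return the rules from the comment that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breach dump")
    lowered = pw.lower()
    # Predictable variations: leet substitutions, with and without edge padding.
    variants = {lowered.translate(LEET), lowered.strip(EDGE).translate(LEET)}
    if any(is_word_sequence(v) for v in variants):
        problems.append("dictionary words or predictable variation")
    return problems

if __name__ == "__main__":
    for pw in ("PASSWORD123", "C0rrectH0rseB4ttery!", "vq7Lm#x2RtpW9zKe4u"):
        print(pw, "->", check_password(pw) or "passes these checks")
```

Length alone does not clear the second sample: it is 20 characters long but reduces to three dictionary words once the substitutions and the trailing symbol are undone.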

Avatar

I always assumed the xkcd method was vulnerable to dictionary attacks. If a user picked 3 words from the 2000 most common words, there are only about 8 billion combinations to check. A 10 year old computer could crack that in a weekend assuming you had access to the hashed password.

Avatar

My current password is 5 dictionary words, 2 symbols and a number, in that order, 36 characters in all. I’ve tried using hashcat to crack my NTLMv2 hash, but I can’t get it to combine more than 3 dictionary words at a time (combinator3), and I think anything more than 15 characters is too long for hashcat. I haven’t played with John the Ripper yet. Is my password too long to be cracked by today’s cracking software? Am I just not creating a smart enough rule to crack my password?

Avatar

I assumed the title was a riff off the IT Crowd episode “Moss and the German.” A little disappointed it wasn’t, but still an interesting article. When I was in university 10+ years ago, my embedded systems professor told a story about how thieves were hacking the CAN bus through the side mirrors of luxury cars. Some things never change.

Avatar

95% of Tesla criticism I hear/read is about the fact that simple repairs can take months, Tesla doesn’t believe in the right to repair, they don’t even sell you lug nuts without an interrogation, let alone more complicated parts. They’re like the Apple of car manufacturers. And that doesn’t sit well with a lot of Tech oriented people, especially Maker/hacker kind of people.

Avatar

Given that the Raspberry Pi Foundation relies so heavily on adult volunteers and given that Elon Musk has a record of publicly making unfounded attacks on adult volunteers (calling one a ‘pedo’ for no reason at all), I am surprised that the Foundation has published such a pro-Elon Musk article.
I am disappointed in you :(
