Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus

SUMMARY

The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits).

It appears that this is vulnerable to brute-force attack as there is no rate limiting on reception/interpretation of that message.

TECHNICAL DETAILS

The CAN bus message is:

Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus

SUMMARY

The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode and change the PIN. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits).

This PIN code is usually entered on the VDS by the user, and then transmitted in plain text on the instrumentation CAN bus to the VMS.

TECHNICAL DETAILS

The CAN bus message used to lock/unlock the car, and enable/disable valet mode is:

OVMS v3 v3.1.011 Over-the-Air firmware update

Today, we are pleased to release v3.1.011 to Early Access Program (EAP) participants. A summary of the major changes is here:

2018-10-24 MWJ  3.1.011  OTA release
- Config backup & restore using encrypted ZIP archives
    (AES 256 bit encryption, supported by e.g. 7z)
  New commands:
    config backup  [password=module password]
    config restore  [password=module password]
- Support custom MAC address (config network mac ...)

For full detail on all changes, check the GitHub revision history.

Pages