[obermd]

Researchers figured out how to break the encryption in the older Model S key fobs using about $600 in equipment. Cars and key fobs made since June 2018 aren't vulnerable to this exploit. For more information take a look at https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob.

Upon reflection, Tesla should replace all the older, 40 bit encryption key fobs for free and charge their supplier for failure to use best practices for computer security in their products. 40 bit encryption has been known to be vulnerable to very rapid brute force attacks for well over a decade. If I had one of these vulnerable key fobs I would be talking to a lawyer for a class action naming the supplier as the primary defendant and Tesla as the co-defendant.

 

[jcanoe]

Tesla has responded, pushed an update to the older Model S vehicles so that the owner can set a PIN that needs to be entered to start the vehicle. Newer Model S vehicles have an updated key fob with enhanced encryption/security.

 

[obermd]

Tesla has responded, pushed an update to the older Model S vehicles so that the owner can set a PIN that needs to be entered to start the vehicle. Newer Model S vehicles have an updated key fob with enhanced encryption/security.

Those are remediations. There is an actual fix to the original issue - reissue new key fobs to all owners and bill the company that made them. As much focus as Tesla has had on security I'm actually surprised they missed this vulnerability, but the ultimate source of this flaw lies with the vulnerable key fobs. (I wouldn't be surprised to see the contract for the fobs specifying "current best practices", in which case the vendor did NOT comply with the contract.)

I'm a computer systems professional and this is just another example of vendors paying lip service, if even that, to security. Until we as the buying public force vendors to step up their default security we'll continue to see this type of crap from them.

 

[jcanoe]

I wonder how many examples of the Model S were built to use the deficient key fobs?

 

[FI Spyder]

There are only two types of safes, those that have been broken into and those that will be broken into.

 

[Barry]

One day, if you steal a Tesla, the car will probably lock you in and drive you to the police station.

 

[obermd]

There are only two types of safes, those that have been broken into and those that will be broken into.

While 100% true, there's no reason to build a safe that's known to be vulnerable to break ins. This, in effect, is what the key fob vendor did by using 40 bit encryption.

 

[jcanoe]

One day, if you steal a Tesla, the car will probably lock you in and drive you to the police station.

Or not. Magnavolt advertisement

 

[BillG]

I would be talking to a lawyer for a class action naming the supplier as the primary defendant and Tesla as the co-defendant.

Good grief. Just what we need. Wouldn't you actually have to own a car that was stolen using this hack before you could line up the lawyers?

 

[obermd]

Good grief. Just what we need. Wouldn't you actually have to own a car that was stolen using this hack before you could line up the lawyers?

Not necessarily. It would be a breach of contract case and I suspect Tesla is actually caught in the middle here.

 

[Shivetya]

considering how much of a mess the airbag issue what for many brands and it is still not resolved I doubt class action or similar would matter here or be needed. let alone there were other brands susceptible to hacking including while being driven!

 

[JRRF]

Not necessarily. It would be a breach of contract case and I suspect Tesla is actually caught in the middle here.

If you signed the contract you could sue for breach. Otherwise you'd have to have had your car stolen to show you were an "injured" party.

 

[Tomt]

It should be noted that with $600 worth of equipment, almost any modern car that uses fobs can be broken in to and stolen... One reads about it all the time... Tesla is hardly alone in this.