<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">Vulnerability details:</div><div class=""><br class=""></div><div class=""><ul class="MailOutline"><li class=""><a href="https://www.openvehicles.com/vuln-tr-20181203a" class="">Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus</a><br class=""><br class=""></li><li class=""><a href="https://www.openvehicles.com/vuln-tr-20181203b" class="">Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus</a></li></ul></div><div class=""><br class=""></div><div class="">Discussion Forum:</div><div class=""><br class=""></div><div class=""><ul class="MailOutline"><li class=""><a href="https://teslamotorsclub.com/tmc/threads/public-disclosure-tesla-roadster-pin-vulnerabilities.136861/" class="">https://teslamotorsclub.com/tmc/threads/public-disclosure-tesla-roadster-pin-vulnerabilities.136861/</a></li></ul></div><div class=""><br class=""></div><div class="">Summary:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">On 3rd May 2017, I reported two vulnerabilities to Tesla regarding the PIN code on Tesla Roadster vehicles. As no fix has been forthcoming from Tesla in the past 18 months, and in accordance with standard industry practice, I now publicly disclose these below. The intent here is to raise awareness of the security issues and to encourage Tesla Roadster owners to take steps in order to avoid exploit and/or loss of their vehicle.</span><br style="margin-top: 0px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">Short summary</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><ol style="margin: 1em 0px 1em 3em; padding: 0px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><li style="margin: 0px; padding: 0px; list-style: decimal outside;" class="">A convertible vehicle such as the Tesla Roadster does not always offer the same physical protections as a fully enclosed vehicle. In particular, access to the vehicle communication networks, and physical interior, may be easier (particularly in the case when the vehicle is parked with the roof off).<br class=""><br class=""></li><li style="margin: 0px; padding: 0px; list-style: decimal outside;" class="">The communication between the VDS (little display) and VMS (car computer) in the Tesla Roadster is not encrypted. This means that when you enter your PIN on the VDS, any system on the car network can see it in relatively plain text.<br class=""><br class=""></li><li style="margin: 0px; padding: 0px; list-style: decimal outside;" class="">There is no protection in the Tesla Roadster firmware against multiple PIN access attempts. This means that a malicious actor could brute-force guess the PIN in a relatively short time (less than one minute for a 4 digit PIN code).<br class=""><br class=""></li><li style="margin: 0px; padding: 0px; list-style: decimal outside;" class="">The same PIN code is used for both valet and car lock/unlock functions. The valet code (if known) can be used to unlock the vehicle.<br class=""><br class=""></li><li style="margin: 0px; padding: 0px; list-style: decimal outside;" class="">While vehicles outside North America are fitted with an immobiliser that helps mitigate this issue, North American Tesla Roadsters have no such immobiliser and the PIN can be used to both disarm the vehicle alarm and unlock the doors.<br class=""><br class=""></li><li style="margin: 0px; padding: 0px; list-style: decimal outside;" class="">While the full solution to these issues can only be implemented by Tesla via firmware update, owners can mitigate the impact by:</li></ol><div style="margin: 0px; padding: 0px 0px 0px 30px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><ul style="margin: 1em 0px 1em 3em; padding: 0px;" class=""><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Using a strong 8 digit PIN, rather than the default 4 digit.</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Ensuring that the vehicle is locked, with the roof on, when parked.</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Being aware that valet parking attendants will have full unrestricted access to the vehicle, and time to determine the PIN and copy the physical vehicle key.</li></ul></div><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">I hope that Tesla will address these issues by implementing firmware protection against multiple PIN access attempts (for example, 3 incorrect PIN attempts results in a 5 minute lock-out would be reasonable), and by encouraging owners to use strong 8 digit PINs.</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">A summary of the vulnerabilities is given below. For full details, refer to the links.</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><b style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><a href="https://www.openvehicles.com/vuln-tr-20181203a" target="_blank" class="externalLink" style="color: rgb(204, 0, 0); text-decoration: none; border-radius: 0px; padding: 0px 3px; margin: 0px -3px;">Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus</a></b><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><a href="https://www.openvehicles.com/vuln-tr-20181203a" target="_blank" class="externalLink" style="color: rgb(204, 0, 0); text-decoration: none; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; padding: 0px 3px; margin: 0px -3px; font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);">Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus | Open Vehicles</a><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><div style="margin: 0px; padding: 0px 0px 0px 30px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode and change the PIN. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits). This PIN code is usually entered on the VDS by the user, and then transmitted in plain text on the instrumentation CAN bus to the VMS.<br class=""><br class="">Using a simple CAN bus tap, the 1MHz instrumentation CAN bus messages can be read. When the user enters the PIN code (for example to enable/disable valet mode), it is transmitted in plain text using a single CAN bus message. The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.<br class=""><br class="">The most likely exploit would come at a valet parking station where a vehicle key could be easily copied and with access to the vehicle, a CAN bus logger installed in the passenger footwell. When the user returns to retrieve their vehicle, they disable the valet mode (via entry of PIN code on the VDS screen). At this point, the valet has a copy of the physical key as well as the PIN code to arm/disarm the vehicle alarm on North American vehicles.</div><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><b style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><a href="https://www.openvehicles.com/vuln-tr-20181203b" target="_blank" class="externalLink" style="color: rgb(204, 0, 0); text-decoration: none; border-radius: 0px; padding: 0px 3px; margin: 0px -3px;">Tesla Roadster vulnerable to brute-force unlock via CAN bus</a></b><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><a href="https://www.openvehicles.com/vuln-tr-20181203b" target="_blank" class="externalLink" style="color: rgb(204, 0, 0); text-decoration: none; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; padding: 0px 3px; margin: 0px -3px; font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);">Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus | Open Vehicles</a><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><div style="margin: 0px; padding: 0px 0px 0px 30px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits). It appears that this is vulnerable to brute-force attack as there is no rate limiting on reception/interpretation of that message.<br class=""><br class="">Transmitting at 100 messages / second, I tested PIN codes 0000 through 9999 in 100 seconds. Average PIN discovery time was thus approximately 50 seconds at this rate. The CAN-USB adaptor I used was limited to approximately 100 messages / second. A faster adaptor could seemingly brute force this with greater speed.</div><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">For both vulnerabilities, the PIN code permits the following functions:</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><ul style="margin: 1em 0px 1em 3em; padding: 0px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Enable valet mode</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Disable valet mode</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Lock the vehicle</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Unlock the vehicle</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Cancel the alarm (via unlocking the vehicle) in North American vehicles</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Change the PIN code</li></ul><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">On vehicles outside North America, a separate alarm system and immobiliser is used. That system is not affected by this PIN code, so functions 4 through 5 will have limited impact on these vehicles. There is a separate physical key used to start the vehicle, and unlock the steering wheel, that is not affected by this vulnerability.</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">Once the PIN code has been discovered, the greatest concerns are:</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><ul style="margin: 1em 0px 1em 3em; padding: 0px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Cancelling a sounding alarm on North American vehicles</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Providing access to the trunk and glove compartment of a locked vehicle</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Malicious prank to enable valet mode</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Malicious prank to change the PIN code (possibly after enabling valet mode)</li></ul><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">While the full solution to these issues can only be implemented by Tesla via firmware update, owners can mitigate the impact by:</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><ul style="margin: 1em 0px 1em 3em; padding: 0px; color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Using a strong 8 digit PIN, rather than the default 4 digit.</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Ensuring that the vehicle is locked, with the roof on, when parked.</li><li style="margin: 0px; padding: 0px; list-style: disc outside;" class="">Being aware that valet parking attendants will have full unrestricted access to the vehicle, and time to determine the PIN and copy the physical vehicle key.</li></ul><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">Reported: 3 May 2017</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">Vendor Response: Declined to address, and no fix for more than 1 year, so public release</span><br style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class=""><span style="color: rgb(2, 2, 2); font-family: Roboto, sans-serif; font-size: 14px; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(254, 254, 254);" class="">Public Release: 3 Dec 2018</span></div></blockquote><div class=""><br class=""></div><div class="">Regards, Mark.</div><div class=""><br class=""></div></body></html>