Tesla's charging ports use a standard msg to open on 315MHz and can be replayed
This seems to firmly be in the realm of "eh, working as intended, who cares".
The charging port cover, as far as I know, isn't a security mechanism, and it opening is just a matter of user convenience. Having an easy protocol to open it means that a third-party charger can open it automatically to be inserted more easily, so that seems fine.
Even if they did require some sort of signed message from the charger, since anyone can buy a "wall connector" charger for home the private key would already be out there (unless a visitor had to pair their per-car key before they could use your charger? That sounds like bad UX).
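To make the trade-off in this comment concrete, here is an added toy model (not Tesla's protocol or anyone's real code) comparing a receiver that accepts one constant frame, as the thread describes, with a hypothetical per-car paired design using a counter plus HMAC. The frame bytes, key and transmitter id are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the fixed open frame; not the real on-air bits.
FIXED_OPEN_FRAME = bytes.fromhex("a5a5a5a5")


class FixedFrameReceiver:
    """Design discussed in the thread: one constant frame opens every port."""

    def accept(self, frame: bytes) -> bool:
        return frame == FIXED_OPEN_FRAME


@dataclass
class CounterMacReceiver:
    """Hypothetical replay-resistant design: each paired transmitter shares a key
    with this car and the receiver remembers the highest counter it has seen."""

    keys: dict                                   # transmitter id -> pairing key
    last_counter: dict = field(default_factory=dict)

    def accept(self, frame: bytes) -> bool:
        # Layout: 1-byte transmitter id | 4-byte counter | 8-byte truncated HMAC
        tx_id, body, tag = frame[:1], frame[:5], frame[5:]
        key = self.keys.get(tx_id)
        if key is None:
            return False                         # unpaired charger: no shared key
        expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                         # forged or corrupted frame
        counter = int.from_bytes(frame[1:5], "big")
        if counter <= self.last_counter.get(tx_id, -1):
            return False                         # replayed or stale frame
        self.last_counter[tx_id] = counter
        return True


def make_frame(tx_id: bytes, key: bytes, counter: int) -> bytes:
    body = tx_id + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


def demo():
    fixed_replay = FixedFrameReceiver().accept(FIXED_OPEN_FRAME)   # captured frame works again
    key = b"\x11" * 16                                              # constructed pairing key
    rx = CounterMacReceiver(keys={b"\x01": key})
    f1 = make_frame(b"\x01", key, 1)
    first, replay = rx.accept(f1), rx.accept(f1)                    # second use is rejected
    unpaired = rx.accept(make_frame(b"\x02", key, 5))               # charger never paired
    return fixed_replay, first, replay, unpaired
```

The last result is the UX cost the comment points at: a visitor's charger that was never paired with the car is rejected even though it holds a valid key.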
There's already some people in the twitter comments talking about this as a security issue, so I'll respond to that too.
I guess you can sort of say this is a security issue (like I'm sure with enough work you could short the battery or such)... but jamming such a device into a car would be about as obvious as shoving a brick through the window, keying the paint, or any of a number of other physical attacks. This is the same sort of security issue as the security issue of "car's glass windows can be broken by a determined malicious individual". We don't run around with a fear of "cars aren't secure because a malicious person could put a brick through the glass", and a fear of "a malicious person could open the charge port and do something" is way further down the list of any reasonable person's concerns imo.
I also believe this is not an issue right now, but I'll throw this out to ponder:
Since supercharging is paid and tied to the VIN, that implies that there is some kind of data transfer occurring between the vehicle and the charging station, right? It's not just a dumb terminal connection.
Given that this is the case, could a theoretical exploit use that data connection to gain access to the vehicle and e.g. unlock the doors? Since any common criminal can open the charging port with this exploit, they could also plug in a fake charger to weaponize the exploit and drive away with a free car.
Yeah, I know, sounds pretty ridiculous. But these are expensive cars and it might be reality soon enough similar to how common thieves can buy replay attack devices on the black market now.
One would hope that the part of the car that communicates with the charger and the part that controls the doors are separate.
Most certainly... the doors are BLE or an RFID card on any current Model 3/Y.
One can hope. I await the CVE.
A theoretical exploit can always hack anything at any time anywhere.
Except my computer, which has perfect theoretical security.
But it is Tesla, so people have to make a drama about it.
Recently I was talking to someone about my new Model 3. They had heard all about the body panels not lining up. But when I asked him if he had ever heard about the Subaru brake light recall or the Toyota airbag shrapnel, he became concerned because he drives a Toyota.
For some reason, all minor Tesla recalls become public scandals yet serious safety-related recalls of other automakers are obscure.
Thanks, that was my point but I didn't have the energy to write it as well as you did. Appreciate it
The OP on twitter says it's not going to help you pwn Teslas, and as of the time of commenting every comment on this post has the same opinion that this is ok.
Where's the drama?
Here:
'...some people in the twitter comments talking about this as a security issue...'
None, this is astroturfing from the reverse extreme.
Furthermore, if I press the button when near two Teslas, both charge ports open up, so the ability for the person to replay the signal yielded a "duh" to me.
I’m having a hard time coming up with a reason why there needs to be any replay protection here. That port is supposed to open without unlocking the car. You can approach a locked Tesla and press the button on a charging connector and it’ll open. The whole thing is unauthenticated by design.
On my 2017 Model X the charging port is locked shut when the car is locked.
I get a strange amount of vitriol from anti-EV folks where I live, I could imagine somebody putting a metaphorical potato in the metaphorical tailpipe. Although that type of person is more likely to use a screwdriver than a replay attack.
Is it really locked? I don't know the Model X well enough, but on my 2018 Model S the charging port is underneath the reflective part next to the brake light, which you can open by pressing down on it. I only found out I didn't have to use my key to open it a couple months ago.
Yep, it's really locked. If the car is locked pressing the little reflective thing does nothing. The flap has a lock and a servo to flip it open and closed - I can open and close it from the MCU touchscreen.
Makes sense that they'd ditch this as unnecessary complication.
Don't forget being near the car with your key is enough to be "unlocked". Ditch your fob inside and try it.
Yeah. The charging port on my Volvo never locks, and I see that as a good thing - it means I can get out of the car, lock it, then go around and plug the charging cable in. Don't really see any issue with it.
Off topic, I'm curious, as a Volvo owner, do you think Volvo is Swedish owned?
I think it's a Swedish car. Even though my particular one was actually made in China.
And I know what you're hinting at but I don't actually care. Just like a Land Rover is a British car even though it's owned by an Indian corporation.
I bought a Volvo a long time back and it turned out it was a Ford Focus with a Volvo skin. My mistake. Never again. Not that I have anything against Ford but the quality was atrocious — things just falling apart for no reason at all other than they must have not been made properly. I babied the car and the things that went wrong ($1000 - $2000 repairs) were amazing… like all the parts in the mechanism for moving the moon roof, which I pretty much never opened, spontaneously started sliding around in the rooftop one day. I heard they are now Chinese owned, although it seems buyers think they are still Swedish. Thanks for the reply.
So for extra context - Volvo was bought out by Ford years and years ago, and Ford only wanted them for their patents and tech. For example the engine in the Focus RS is derived from the Volvo designed T5 motor.
Then because Ford had absolutely no interest in the brand, they basically invested zero money, the cars stagnated, and yes, by the end of the Ford's ownership, they were absolutely crap and I would not recommend anyone buying one.
Then Ford finally got bored with it, and sold it to Geely, a Chinese corporation - but they basically said "we'll leave you alone, here's an unlimited purse of money to design a car that people will want" - and so Volvo designed the new SPA platform, which they used for the XC60 then XC90 then all their other cars, and those were and still are regarded as hugely successful and well designed cars, with good engines. Under the Chinese ownership Volvo was allowed to pioneer the plug-in hybrid drivetrains for instance, and they were one of the first ones to offer them.
Nowadays the domination they had in that area is waning a bit, but Volvo is innovating with the immediate launch of the SPA2 platform, and a hardcore push towards full electrification of all models.
>>I heard they are now Chinese owned, although it seems buyers think they are still Swedish
As far as I can tell, all Geely does is provide budget - the cars are still designed by Swedes. That makes it a Swedish car in my book.
Thanks again, good info!
The main issue will be TV-B-Gone style trolling tools. And the open charge ports may attract vandalism.
Doesn't mean that it is a bad design.
This behaviour is pretty old, I think Gael Musquet told me about this in 2018: https://nitter.net/ratzillas/status/958696765275942912
« Analysis of the radio opening of the charging hatch on @Tesla with #URH and #rtl433. Results: frames are the same for all superchargers/cars. A simple 433mhz module and a microcontroller allow you to open the hatch remotely by replaying the sequence! »
And it has been known since 2013 on the tesla forums: https://teslamotorsclub.com/tmc/threads/open-chargeport.2100...
All I have seen on here is cynical thinking, whether it's merited or not; so I will add something novel to the discussion.
This could be a cool feature! What if the Supercharger stations broadcast that frequency as you pull up to save you a step! ...or... In the "Fully Automated Future!"© The robotic arm that connects your Tesla to the charger emits that signal to access your charging port!
I drive an ICE car that does not have a lock on the fuel port. The gas cap doesn't have a lock either.
This Tesla feature is more secure than my car. And fuel can be siphoned out of my car.
The robotic arm that connects your Tesla to the charger
Tesla demoed that in 2015, but didn't make it into a product.[1] Apparently too many people thought it was "creepy".
(That's a good way to do the job. Snake arm robots are quite simple. The tube just contains some pull cables running through disks with holes.[2] All the motors are in the base. So you can build one of these with a protected base and an easily replaced arm tube. The usual problem with snake robots is that the cables wear out. But that's in painting applications, where they're in constant motion all day. A charging robot moves, slowly, for maybe one minute per hour. They're not very repeatable, which is fine in this application. The car won't be in the same place every time anyway. There's a TV camera in the end to find the socket. It's too bad that didn't ship as a product.)
Between having a very low risk of someone opening the charging port flap for a few seconds and having to pair a charging cable with the expensive “Tesla button”, I take the risk.
If you want to plug my car in, go for it.
You can send this signal with a Chrome browser and HackRF here: https://xakcop.com/tesla-opener/
With the rise in gas prices this could be an issue on a traditional combustion vehicle. But outside of pranks and demos of potential issues for other products that use similar simple protocols I don’t really see how this can be useful on an EV.
But sometimes these sorts of things have a larger impact than it seems at first. Looking forward to future stories of how teen hacker activists use this security flaw to take down “the man”.
I do not know much about EVs. Can you steal power from the car by only having access to the charge port, or can you interface with the car's computer through this port? I know that some people power their homes with their car, but does that require doing something with the car's computer, or does the car have default and secure settings one can or should change?
On the Nissan Leaf, the CHAdeMO fast charging port connector exposes (one of) the car's CAN busses (a little in-car network). It's unauthenticated and has commands for charging and discharging the battery. The car doesn't need to be turned on, the vehicle computer wakes up any time that a charging cable is connected. The only security is a small door that covers the charging port, but I'm certain it could be jimmied open with a bit of patience.
So yeah, it's absolutely possible to just walk up to a random Leaf on the street and extract DC power from it (e.g. to charge another EV or power an AC inverter) but you'd need to build your own cable and controller, and also 500VDC at 100A is extremely lethal so it's a terrible idea....
Teslas don't have any V2G or V2H ability just yet, so not really. You could gum it up with something if you wanted to be a jerk, but couldn't you do the same to a lot of gas tanks that aren't locked?
couldn't you do the same to a lot of gas tanks that aren't locked?
Absolutely, that's why I use a locking gas cap. They aren't perfect but they are a PITA to take off if the key doesn't work. I've had to remove one without the key.
I wonder how well protected the charging circuits are against damage from malicious chargers.
If it is at all possible to damage the car, then I can imagine this turns out to be a problem.
What's the threat model? Isn't it much simpler to break a window and set the car on fire?
The vehicle power controls can handle up to and over 300 kW of DC current.
Flipper Zero made this popular again it seems. It's been known for a while.