@@Keneo1using it isn't a problem. Leaving things at defaults is an invitation to get hacked though. Even if this particular exploit doesn't lead anywhere, it shows a sloppiness that is worrisome.
9:19 The crazy SSID could be car service center SSID. We did a similar thing for Volvo - the idea was that while the driver is driving into the service center, it would search for predefined SSID from time to time, if it found it, it would authenticate and send diagnostics data, so the service center can approach the customer with info about any problems in the car. Edit: Ow, ok, watched a few more seconds - it's probably trying to authenticate with that charger.
@@TallPaulTech Just one more reason to isolate all IoT on a separate VLAN and block all access to other networks. This just reminds me of "unknown" data streams from Huawei cell base stations that one of my mates back in UK told me about 20+ years ago when they were setting those up for the first 3G network there.
And as this is probably an MCU1 tesla, the mcu board design probably dates back to 2010-12 where most people didnt have modern aps in the garage and some engineer probably figured cheap and reliable wifi is better than expensive and flaky
When your own Tesla brake checked you I knew that was Elon warning you not to go any further with your investigations. I love these types of videos and want to see more - stay safe!
I love it.. it's exactly the kind of thing I would do... and actually I do to other things I own. Love Paul's videos... even though he'd probably call me a cunt 😀
My concern is that it sounds like its listening for things that has nothing to do with it... It doesnt sound like anything malicious now but i could easily see it going that way in the future.
Elon “Tesla” data leak shown the video recording of people having sex in their cars. Including “18 and below” fucking in car. All the cameras footage gets sent to Tesla regardless.
Guessing it's doing a full DHCP association every time because it's shutting down the radio to save power, I did something similar on a weather sensor that reports over wifi on the minutes scale and is in deep sleep at all other times.
Great work, I love the tidbit about connecting a specific developer to some crazy example of security through obscurity. "Hey I know lets just bastardize the way SSIDs work for our product, that will be good enough!"
If you've got its VLAN firewalled and are not allowing it to access some of the things it wants to, that could explain why it keeps dropping off and reconnecting.
So the „Software Company, that also builds cars“ is using probably Linux and can’t configure DHCP correctly. Looks like they are as perfect in any area.
Love to see if broadcasting that SSID enables anything in the Tesla menus for autonomous charging. Be hilarious if that was the only authentication performed to enable the feature.
9:20 my wildest guess there would be that it's the way that the car speaks to superchargers, would be cool to do a capture at a supercharger location just to see if it's related...
@@jebw i mean, the password is very likely hardcoded in the firmware as is thr ssid so I'm pretty sure it could be recovered, but that would be useless if it's not actually used at a supercharger
monitor for wifi attempts to connect to that rando ssid, and you now have a tesla detector, lol. reminds me of bbc vans wardriving with df to find rogue unlicensed tv sets
Frequent disconnects and reconnect probably explains why it takes so long to install a rather small update over a wifi gateway that sits 12 feet away...
These may or may not be relevant: At 2:46 - we (programmers) lookup those A records from those domains because they use CDN's and depending on what IP is returned, I have a better idea of the area/region you are in. . I also do it to have a solid idea if we have network connectivity. At 9:30 - I have done this for some embedded system that I want to auto connect to a wifi access point I have setup. Example: Rent a car, we have various access points setup around the city at our locations, when a vehicle goes by one, it automatically checks in its its vehicle metrics (VIN, fuel, odometer, CEL, etc.)
(Obligatory not a Tesla engineer) In addition to coarse geo-location, looking up various known "good/available" hostnames is also a very easy way to know if the DNS server you are routed to is trustworthy, since those records should not all respond with the exact same resolution address (Either in a stack of A records, AAAA records, a DNAME or CNAME) and should, at least mostly, always respond with at least SOME resolution. If all of those response with the exact same host, one of the rfc1918, or seem to be resolving with only ever the same TTL no matter the variation of the poll due to network, wakeup and other latencies, then you can assume that the network is either malfunctioning or hostile. In this case, it is likely that the cellular network is being used as a cache of good lookups to compare to in the event that the main network lookup starts to seem suspicious, or if the responses coming from "Tesla" start to look wrong from the software point of view. If things start to look wrong, the car can query for those hostnames, trusting that cellular should be reasonably unmodified/trustworthy as an initial check that the domains still exist, and query the main network as a form of sanity check (We used to do this at a place where I worked in-application to do exactly this. In our case, it was a way of notifying the user that their VPN was malfunctioning and that they needed to reconnect to get the correct authoritative servers). To test the theory, you could start sinking the requests goin to www(dot)teslamotors(dot)com as an NX_DOMAIN and see if the car starts to fail over to the cellular, or starts to probe using the alternate sane domains to determine if the network is poisoned. That said, I wouldn't really recommend testing such a thing on a motor vehicle given the expense associated with an electric vehicle, so it might end up being just a theory until a Tesla engineer could confirm or deny.
@@TallPaulTech yea thats a strange on, could be sloppy programmer (we all do it) oh let me copy this string since I need some random chrs. or maybe the 1 in infinibillion chance a repeat lol - it got me stumped too
@@portblock i've got some serious "uninitialized pseudorandom generator" vibes from this. (without seed or similar rookie mistake) but that theory doesn't make too much sense as an SSID, most probably just some fixed "random number" he picked for the project as you suggested. My hunch is that this "magic number" could be some hidden SSID used by charging stations, tesla services, etc, which network only answering to "signed payloads" hence the need for TPM signature (like "i'm not a random device trying to connect to this network, I'm a tesla. I have a valid key in my TPM") It could be part of a handshake or something similar. Now the most strangest part that I discovered this exact number (if i'm getting this right) is part of some cipher's test suite inside the Botan crypto library (eg. last entry of the shacal2.vec file). You can use the Github Code Search to get quite a few matches (This function is still in a public beta, if i remember right ).
I would be very curious to find out what it would do if you provided it with a network with that SSID. You're right most software wouldn't let you set that, but I am sure there is something out there that can be convinced to.
I could try with hostapd if I ever get keen. I know some people have trouble with SSIDs that are foreign characters but they still exist, so it must be possible. Right at this morning I can't be fucked trying.
That SSID broadcast must be some dumb hack to "authenticate" the charger, I bet if you spammed that from any other device near by and presuming there isn't some other authentication built into the physical charger iteself, you could get a third party car charging. Probably there is some upper limit for other cars..?
I mean you would still need the password not just the ssid :D But yes that sounds like a last minute hack, I guess the older cars don't support wifi direct or something along those lines :D
I wish you had a GM Onstar vehicle to do this to. My truck has Onstar and I’d love to see where things are going and what I can change to control my data. Aside from that, keep up the great videos. I’m learning so much from you, especially on the Home Assistant and SDR side.
Any car that uses internet connection should have manual switch to turn the network features off, so that users/drivers can activate them only when _they_ want. Companies are so greedy for user data, they hoard them in petabytes "just in case" and for what? Advertising? There is not even enough evidence that this data collection really increases efficiency of advertising to the level that would really make it justifiable. It puts customer safety at risk, while scamming the advertisers at the same time.
Well if you look at the previous video about their shitty service, you'll see the screen issue it's now having. They said they can look through the logs at the time it happens if I note the time. The thing is, I can't look at the logs, only them. In a normal world, you'd be able to look at your own logs first to maybe figure something out, before having to reach out to service. But, that of course means they wouldn't be able to steal as much money from you and ... well, they can't have that.
Would like to see it redone with something not as old. 2017 might not seem old but back then Tesla was using mostly off the shelf parts from 3rd parties, these third parties are notorious for not updating their shiet.
Would be relatively simple to use SSID probe requests as a low bandwidth encrypted sideband communication. That code could just be an Identification Friend of Foe (IFF) signal (to use military terminology). Would be interested to see what else happens if you set up something to respond to that probe.
Is that the SSID they use at Tesla service centres for vehicles to automatically connect to? Would not be surprised if some junior dev just googled "32 bit random hex" and copy/pasted whatever they found because the JIRA said make the SSID something random and long.
I've not looked into this in some time, but some telemetry cellular data plans have a min block size, So if you send 1 byte within X timeframe they charge you for the data usage of 1 block, and the block size might be 32KB or something. So they might be doing some tricks to minimize getting excessive data charges for periodically sending a very small amount of data.
I would assume that tesla has some fleet plan that covers all their data and usage in one bill, a bit like an unlimited data plan? That contract could of course also include conditions on sending to many small packets. But that would not apply on the WiFi network?
Wonder what you can capture if you spoof the ppp0 as host in your DNS. On second note, i wonder if we can trigger any known glibc buffer overflows by exploiting the dns lookup
I don't know if you can do it by exploiting dns, but i think it was vulnerable to a buffer overflow. Saw a video a few months ago about it, so don't remember exactly
@@Maarten_vd Service center was for a log time "Tesla Service" and is now "tesla-vehicle". The SSID is publicly announced, you can see it with your phone and the car displays that it is connecting to that and preventing you from disconnecting or deleting the network 🤣
PPP0 is often your routers login session, to your local internet fabric (xDSL, fibre, etc). Interesting about the hard coded long wifi name - at as guess, I'd suggest the autonomous charge stations will all broadcast that SSID, so the car knows when it is quite close. Really interesting topic.
Perhaps some of it is supposed for charging stations? That ppp0 might try to get talking to some on site thing?? Same for those random bytes, that you yourself found to be related to a charging company.
Conclusion? So they smash dns requests, they are trying to connect to a wifi network associated with an ev charging company, they only use wifi bgn at 54mbps, and they connect through port 443 to grab/push data. Anything else I missed? (Sorry I know nothing about networks)
this first curl after DHCP could easily be for a SPLITDNS setup. A man in the middle to break the SSL would be so nice to see :P About splitdns: imagine the car beeing inside a tesla factory/servicecenter, obtaining not your ISPs DNS server, instead a tesla DNS server which answers the same domain with different records from within tesla's network. common use case in the field :)
The risk of information leak and unplanned network security issues is why I turn off UPnP whenever I see it. It may be convenient, but it's also a pretty large risk.
Yeah, I don't let that shit out, and keep this car on its own VLAN. I just forgot to stop it coming out of the IPv6 link local on a server, because it was just a bridge adaptor and I forgot about it.
The silently dropped connection is probably a java app that is using finalizers, which causes the app to leave the connection open in the kernel until garbage collection runs and cleans up the network object. Yea java is rubbish
matlab function rnd vs random (i cant remember which one) would always present the same random number. it was documented. Also, the 2 minute thing - could this be a system safety element? like a watch dog timer- if something critical isnt there then it will be time to take remedial actions?
maybe one day we will have an open source OS for teslas so you could set up your own network connections, personally ensure there's no bloat-ware, and replace the self driving with openpilot
@@TallPaulTech with an open source vehicle you could remove the LIDAR or cameras and the programs to run them if you wanted so it wouldnt waste power and subsequently range
@TallPaulTech much enjoyed this video. don't have an explanation at hand for the strange probe request, but I can give a guess about Wi-Fi 3. Since the very first MCU (nvidia tegra based, eMMC) has been designed around 2010 to 2012, they probably went for the then cheap Wi-Fi 3 module even though Wi-Fi 4 was available. The intel atom based MCU2 comes with Wi-Fi 4 and does feature a 5GHz radio (*indoor channels are not supported, only outdoor channels can be used).
Embedded devices do sometimes double check if the dns response is the same when querying a public DNS, like Google. Or maybe as a fallback. But since the wifi DNS did reply I think it's more like a sanity check. But the target, nyt, netflix queries are just stupid.
Interesting that a lot of data from the mobile network is spilling over to the WiFi side (DNS, I think a lot of mobile data goes over PPP as well). Are you sure that 'server' is a result of your 'server', or it was just a generic name coded into the car?
After a previous video of yours about phy rates, I disabled G on all of my APs only to find all of the dumb IoT devices that still don't support N. Amazing that anything for sale now doesn't support at least 2.4Ghz N.
Glad I found your channel - good work here! Every time I run a sniffer to try to debug things I get so depressed at the state of software, and looks like Tesla is no exception. If they miss this easy stuff, what about the hard stuff? I'd be *shocked* to find out that a Tesla can be hacked! /s
The whole Rocsys saga is quite fascinating. I wonder if you agree to be a datasource for third parties when bought this car? I think that when you open a Gmail account you agree to share data for it being a free service but when you buy an object I would like to know more. And the fact that it bypasses your Pi-hole is disturbing a bit, maybe it had a hickup/delay of some sort but you should be the ruling admin in that case.
Nice video could show how you captured it ? The first is doing port mirroring and sniffing or? The second is new for me I started studying automotive computing and we are just learning about network technology and tools
Well, they do drive well out of cell range and they drive fine. You don't have to have the sim activated but I guess Tesla will still utilise it, there's just some some stuff you can't access without the sim activated.
How many brands can connect to a WiFi AP I wonder? Both my new Toyota and Audi cannot, therefore rendering all the smart features useless at my cell service delinquent home location.
2:50 Looks like you have the head unit? Try to analyze with the head unit disconnected, xor with the back unit (ADAS) disconnected. Tip: If you ever have a Mercedes (doesn't use DHCP), look at the VLANs and connect to the multicast groups of each of the networks on there.
Well, we'll all leave our computer screens and Teslas alone now and go and watch something on our nice safe Samsung TVs, because they couldn't be doing anything peculiar either, could they?
I refused the bullshit T&C that sends it sends data to some third party I've never heard of. This turns off most of the bullshit. The other thing people are doing it dumbing down their TV on some models by purchasing the version of the board that is used for shop displays.
Great video! I especially appreciate how you don't jump to conclusions, and mostly just share the facts. I'd sub, but your name reminds me too much of someone I strongly dislike.
Thanks for the informative video, I'm glad it got suggested to me. I'm not old or anti tech, but I fail to see how any of that is necessary for making a car go down a road. Just reaffirms why if I ever have to own electric, it'll be an engine swap with open source hardware.
You know what, I like your approach. I'm sick of crap being allowed because of the notion that only old people or non "tech savvy" don't want it. Most of the people who I know who are most against this shit are right in the tech industry. It's not like we don't know how things work, we just know it's bullshit!
I assume they're collecting data to detect faults sooner, improve future designs, and train self-driving cars. But it's reasonable to question whether they have any right to use your personal data like that, and whether they're protecting it adequately. Anonymous data is often quite easy to de-anonymize.
@@kjetilho yeah I could get the SIM card out and remove the WiFi but I shouldn't have to do surgery on a new car just so it respects my privacy. I'm also going to assume that voids the warranty. Not that the warranty is worth much to begin with. For the kind of money they ask, there are batteries, contractors, motors, etc. available. If I already have to do surgery to ameliorate my car, I'd rather spend a few weekends electric swapping something older, prettier, and fully my own.
very interestng, thanks for this !! how did you capture the GSM packets ? edit: just realized it's getting the dns from the gsm link and trying it over the net
Hi Paul, very good work you are doing here. I saw the same you did with Tesla. I’m sure your audiences would be interested to compare what all these high tech cars from different countries are doing in terms of infringing into personal data
As a swede I am currently entertained by seeing Elon trying to go up against IF Metall, one of the largest unions of workers in the country. They have a strike fund reserve counted in billions, large enough to strike for as long as they could possibly need to. Workshops have started to deny service to Tesla cars. Elon will have to fold to their demands or leave Sweden. It's not even a question. It has happened in the past with Toys R Us and McDonalds. Sweden is union strong.
You say that a car making requests to netflix etc is not a car thing, but I would put it to you that a car interfacing with any network is not a car thing. lol. Who wants one of the mobile spy stations in your garage? You already carry one of those around in your pocket most likely.
Maybe the use of 802.11g is a way of throttling the network demands from the car. It’s usually much harder to throttle a device that wants to download lots of data without support from the router.
No the network was advertising stuff to the car and the car tried to follow up But yes, put all things on their own private part and only give them access to to watch they need access to
@@computersales an easy consumer friendly way is to make a guest network and set it so that guest can only connect to the internet and not each other. Then connect all smart stuff that needs internet to this network. This is an option in a lot of decent AP’s I have seen. Doesn’t work if you want to have your phone connect directly to the thing. But works for things that want to use the internet and you don’t want to look in your internal network. If you want to jump into the deep end. Set up packetfence.
What's this?.... is it that funky hex ssid coming from a Raspberry Pi AP? :)
pasteboard.co/OvAjbi9vmRvK.png
Wait wait, so this super fancy autonomous charging robot startup is using default settings on a Raspberry Pi AP for connectivity?
@@Portablesoundswel the rpi is a super fancy small little cheap computer, why not use it?
@@Keneo1using it isn't a problem. Leaving things at defaults is an invitation to get hacked though. Even if this particular exploit doesn't lead anywhere, it shows a sloppiness that is worrisome.
I think you may have missed something @@Portablesounds
@@eshwayri Paul set up this rpi with that ssid to see what the tesla does when it can connect to it.
In a blazer talking about network traffic, classy af
Somebody has to lift the standard up in this IT game.
9:19 The crazy SSID could be car service center SSID. We did a similar thing for Volvo - the idea was that while the driver is driving into the service center, it would search for predefined SSID from time to time, if it found it, it would authenticate and send diagnostics data, so the service center can approach the customer with info about any problems in the car.
Edit: Ow, ok, watched a few more seconds - it's probably trying to authenticate with that charger.
Yo when you turn to the camera and say "you don't find that suspicious?" hahaha made me laugh my ass off! Thank you for this!
Well it's true!
@@TallPaulTech Just one more reason to isolate all IoT on a separate VLAN and block all access to other networks.
This just reminds me of "unknown" data streams from Huawei cell base stations that one of my mates back in UK told me about 20+ years ago when they were setting those up for the first 3G network there.
Yeah, it lives on its own VLAN, don't worry about that!
802.11g = cheap and reliable - decent speed over the longest range of any existing protocol. Thanks for showing us the noise!
And as this is probably an MCU1 tesla, the mcu board design probably dates back to 2010-12 where most people didnt have modern aps in the garage and some engineer probably figured cheap and reliable wifi is better than expensive and flaky
When your own Tesla brake checked you I knew that was Elon warning you not to go any further with your investigations. I love these types of videos and want to see more - stay safe!
Don't laugh, the way things are going...
Yeah it's actually pretty scary. Maybe start a separate channel for this type of investigation or do it via proxy
Elon supplements his revenue by selling your data to data brokers. I’m laughing yet not laughing.
keep doing what you are doing. loving it
I'll do what I want mother fucker!
Tall Paul coming in with the big Tesla automated charging scoop. Watch out Murdoch! 😂
Tesla couldn't automate a fucking toaster
@@TallPaulTech certainly not based off that capture nonsense
Does the DHCP flooding come from the factory or do you need to pay extra for it? 😂
This is quality. Thanks for doing this.
I love it.. it's exactly the kind of thing I would do... and actually I do to other things I own. Love Paul's videos... even though he'd probably call me a cunt 😀
Surely the seemingly random sites like nytimes, bing, etc would be from the infotainment system?
Or maybe they get used to check internet connectivity, my router does the same thing
They could very well be used to check if the network can access the wider internet.
Love the new style. Looking like the senior network engineer for the Italian mafia Lolol
Odds of randomly generating that same 32 character hex string: 1 in 340,282,366,920,938,500,000,000,000,000,000,000,000.
Seems legit.
My concern is that it sounds like its listening for things that has nothing to do with it... It doesnt sound like anything malicious now but i could easily see it going that way in the future.
Elon “Tesla” data leak shown the video recording of people having sex in their cars. Including “18 and below” fucking in car. All the cameras footage gets sent to Tesla regardless.
Or you know if a threat actor found a way to exploit it.
Guessing it's doing a full DHCP association every time because it's shutting down the radio to save power, I did something similar on a weather sensor that reports over wifi on the minutes scale and is in deep sleep at all other times.
2:48 Thank you very much for featuring us!
Haha, no worries. It did the job.
Love the TPM sleuthing. It seems like an intentional design decision to kill and restart the leases so frequently.
Yeah, that TPM stuff was a bit of a surprise
@@TallPaulTech I guess you need to snoop the SSID at the SuperCharger station.
There are data pins in the charger you know.
Great work, I love the tidbit about connecting a specific developer to some crazy example of security through obscurity. "Hey I know lets just bastardize the way SSIDs work for our product, that will be good enough!"
If you've got its VLAN firewalled and are not allowing it to access some of the things it wants to, that could explain why it keeps dropping off and reconnecting.
So the „Software Company, that also builds cars“ is using probably Linux and can’t configure DHCP correctly.
Looks like they are as perfect in any area.
Love to see if broadcasting that SSID enables anything in the Tesla menus for autonomous charging. Be hilarious if that was the only authentication performed to enable the feature.
9:20 my wildest guess there would be that it's the way that the car speaks to superchargers, would be cool to do a capture at a supercharger location just to see if it's related...
Although it wouldn't be easy you could setup an access point with that semi random SSID to do some sniffing.
@@jebw i mean, the password is very likely hardcoded in the firmware as is thr ssid so I'm pretty sure it could be recovered, but that would be useless if it's not actually used at a supercharger
monitor for wifi attempts to connect to that rando ssid, and you now have a tesla detector, lol. reminds me of bbc vans wardriving with df to find rogue unlicensed tv sets
Frequent disconnects and reconnect probably explains why it takes so long to install a rather small update over a wifi gateway that sits 12 feet away...
Sounds like somebody developing the charging handshake might have copied from a forum post lol.
These may or may not be relevant:
At 2:46 - we (programmers) lookup those A records from those domains because they use CDN's and depending on what IP is returned, I have a better idea of the area/region you are in. . I also do it to have a solid idea if we have network connectivity.
At 9:30 - I have done this for some embedded system that I want to auto connect to a wifi access point I have setup. Example: Rent a car, we have various access points setup around the city at our locations, when a vehicle goes by one, it automatically checks in its its vehicle metrics (VIN, fuel, odometer, CEL, etc.)
Now tell me why it's the same random hex from a TPM. Also, every AP that I've played with so far won't let you set arbitrary hex values for the SSID.
(Obligatory not a Tesla engineer)
In addition to coarse geo-location, looking up various known "good/available" hostnames is also a very easy way to know if the DNS server you are routed to is trustworthy, since those records should not all respond with the exact same resolution address (Either in a stack of A records, AAAA records, a DNAME or CNAME) and should, at least mostly, always respond with at least SOME resolution. If all of those response with the exact same host, one of the rfc1918, or seem to be resolving with only ever the same TTL no matter the variation of the poll due to network, wakeup and other latencies, then you can assume that the network is either malfunctioning or hostile.
In this case, it is likely that the cellular network is being used as a cache of good lookups to compare to in the event that the main network lookup starts to seem suspicious, or if the responses coming from "Tesla" start to look wrong from the software point of view. If things start to look wrong, the car can query for those hostnames, trusting that cellular should be reasonably unmodified/trustworthy as an initial check that the domains still exist, and query the main network as a form of sanity check (We used to do this at a place where I worked in-application to do exactly this. In our case, it was a way of notifying the user that their VPN was malfunctioning and that they needed to reconnect to get the correct authoritative servers).
To test the theory, you could start sinking the requests goin to www(dot)teslamotors(dot)com as an NX_DOMAIN and see if the car starts to fail over to the cellular, or starts to probe using the alternate sane domains to determine if the network is poisoned. That said, I wouldn't really recommend testing such a thing on a motor vehicle given the expense associated with an electric vehicle, so it might end up being just a theory until a Tesla engineer could confirm or deny.
@@TallPaulTech yea thats a strange on, could be sloppy programmer (we all do it) oh let me copy this string since I need some random chrs. or maybe the 1 in infinibillion chance a repeat lol - it got me stumped too
@@portblock i've got some serious "uninitialized pseudorandom generator" vibes from this. (without seed or similar rookie mistake) but that theory doesn't make too much sense as an SSID, most probably just some fixed "random number" he picked for the project as you suggested. My hunch is that this "magic number" could be some hidden SSID used by charging stations, tesla services, etc, which network only answering to "signed payloads" hence the need for TPM signature (like "i'm not a random device trying to connect to this network, I'm a tesla. I have a valid key in my TPM") It could be part of a handshake or something similar.
Now the most strangest part that I discovered this exact number (if i'm getting this right) is part of some cipher's test suite inside the Botan crypto library (eg. last entry of the shacal2.vec file). You can use the Github Code Search to get quite a few matches (This function is still in a public beta, if i remember right ).
I would be very curious to find out what it would do if you provided it with a network with that SSID. You're right most software wouldn't let you set that, but I am sure there is something out there that can be convinced to.
I could try with hostapd if I ever get keen. I know some people have trouble with SSIDs that are foreign characters but they still exist, so it must be possible. Right at this morning I can't be fucked trying.
I just did... see pinned comment :)
That SSID broadcast must be some dumb hack to "authenticate" the charger, I bet if you spammed that from any other device near by and presuming there isn't some other authentication built into the physical charger iteself, you could get a third party car charging. Probably there is some upper limit for other cars..?
I mean you would still need the password not just the ssid :D
But yes that sounds like a last minute hack, I guess the older cars don't support wifi direct or something along those lines :D
I wish you had a GM Onstar vehicle to do this to. My truck has Onstar and I’d love to see where things are going and what I can change to control my data.
Aside from that, keep up the great videos. I’m learning so much from you, especially on the Home Assistant and SDR side.
You can't generate clicks with GM.
Any car that uses internet connection should have manual switch to turn the network features off, so that users/drivers can activate them only when _they_ want. Companies are so greedy for user data, they hoard them in petabytes "just in case" and for what? Advertising? There is not even enough evidence that this data collection really increases efficiency of advertising to the level that would really make it justifiable. It puts customer safety at risk, while scamming the advertisers at the same time.
any thing that uses anything should have turn offable
even worse I saw some Chinese ev car, where the manufactor was bankrupt, the cars do not start anymore cause they need to talk to some server...
Well if you look at the previous video about their shitty service, you'll see the screen issue it's now having. They said they can look through the logs at the time it happens if I note the time. The thing is, I can't look at the logs, only them. In a normal world, you'd be able to look at your own logs first to maybe figure something out, before having to reach out to service. But, that of course means they wouldn't be able to steal as much money from you and ... well, they can't have that.
The ppp stuff will be related to the 4/5g module. It used to be a common way of connecting to those modules.
weird a tesla from 2017 would be trying to reach a website that appears to have gone down in 2016
You mean the HTTP? There's a web server there, as it got an HTTP response. It just got told that / has nothing for it.
Thanks Paul! This is super informative video and I loved all the details and your thoughts! I wonder if my 2023 M3P is just as talkative
There's only one way to find out.
Would like to see it redone with something not as old. 2017 might not seem old but back then Tesla was using mostly off the shelf parts from 3rd parties, these third parties are notorious for not updating their shiet.
Everyone should make their passwords so secure that they're confident to show their four-way handshakes openly.
hahaha
Would be relatively simple to use SSID probe requests as a low bandwidth encrypted sideband communication. That code could just be an Identification Friend of Foe (IFF) signal (to use military terminology). Would be interested to see what else happens if you set up something to respond to that probe.
the most intresting traffic is gonna be on celluar
Is that the SSID they use at Tesla service centres for vehicles to automatically connect to? Would not be surprised if some junior dev just googled "32 bit random hex" and copy/pasted whatever they found because the JIRA said make the SSID something random and long.
Hahaha... but hang on, aren't they supposed to be super experts?! LOL... as if
ah, the fair dice resulting in 4 from XCKD obligatory
@@TallPaulTechtheres always junior/lazy Devs especially at big companies
@@TallPaulTech no
Reminds me of the networking labwork we did at UofGlasgow. Thank you for the video and discussion!
I've not looked into this in some time, but some telemetry cellular data plans have a min block size, So if you send 1 byte within X timeframe they charge you for the data usage of 1 block, and the block size might be 32KB or something.
So they might be doing some tricks to minimize getting excessive data charges for periodically sending a very small amount of data.
Good point!!
I would assume that tesla has some fleet plan that covers all their data and usage in one bill, a bit like an unlimited data plan?
That contract could of course also include conditions on sending to many small packets.
But that would not apply on the WiFi network?
Wonder what you can capture if you spoof the ppp0 as host in your DNS. On second note, i wonder if we can trigger any known glibc buffer overflows by exploiting the dns lookup
I don't know if you can do it by exploiting dns, but i think it was vulnerable to a buffer overflow. Saw a video a few months ago about it, so don't remember exactly
TL;DR: Network stack was written by some second year college interns...
Thanks though, very informative and well explained!
Another great video. Hope the court thing ends soon for you.
haha, steady on!
Could the random SSID be a fixed SSID that Tesla superchargers use?
Could be, or a service center SSID?
@@Maarten_vd Service center was for a log time "Tesla Service" and is now "tesla-vehicle". The SSID is publicly announced, you can see it with your phone and the car displays that it is connecting to that and preventing you from disconnecting or deleting the network 🤣
@@zahlex Cool, thanks for your info :)
thanks for your analysis, was a charm watching
Wireless g has better wall penetration, ie, garage walls, and I bet car doesn't use much data for updates.
I could make a whole video (or many) on why that comment lacks understanding.
PPP0 is often your routers login session, to your local internet fabric (xDSL, fibre, etc). Interesting about the hard coded long wifi name - at as guess, I'd suggest the autonomous charge stations will all broadcast that SSID, so the car knows when it is quite close. Really interesting topic.
No, I did some testing today... might make a follow up video
Perhaps some of it is supposed for charging stations? That ppp0 might try to get talking to some on site thing?? Same for those random bytes, that you yourself found to be related to a charging company.
Conclusion? So they smash dns requests, they are trying to connect to a wifi network associated with an ev charging company, they only use wifi bgn at 54mbps, and they connect through port 443 to grab/push data. Anything else I missed? (Sorry I know nothing about networks)
802.11g, not 802.11n
this first curl after DHCP could easily be for a SPLITDNS setup.
A man in the middle to break the SSL would be so nice to see :P
About splitdns: imagine the car beeing inside a tesla factory/servicecenter, obtaining not your ISPs DNS server, instead a tesla DNS server which answers the same domain with different records from within tesla's network. common use case in the field :)
if you do ssl pinning it won't work, if the software requests it
The risk of information leak and unplanned network security issues is why I turn off UPnP whenever I see it.
It may be convenient, but it's also a pretty large risk.
Yeah, I don't let that shit out, and keep this car on its own VLAN. I just forgot to stop it coming out of the IPv6 link local on a server, because it was just a bridge adaptor and I forgot about it.
The silently dropped connection is probably a java app that is using finalizers, which causes the app to leave the connection open in the kernel until garbage collection runs and cleans up the network object. Yea java is rubbish
I wonder if that TPM is using a bad RNG, like the Debian openssl RNG bug from a decade ago.
No trying to man-in-the-middle the TLS tunnel ?
I guess I'll have to buy a Tesla and do it myself to see what happens
matlab function rnd vs random (i cant remember which one) would always present the same random number. it was documented.
Also, the 2 minute thing - could this be a system safety element? like a watch dog timer- if something critical isnt there then it will be time to take remedial actions?
None of that makes sense.
Very interesting, thanks for sharing!
maybe one day we will have an open source OS for teslas so you could set up your own network connections, personally ensure there's no bloat-ware, and replace the self driving with openpilot
Seems like a lotta hoops to jump through just to go to Wendy's
Open pilot is a lot worse than Tesla AP tho
@@jerasaurus1926 howso?
I'd like it if it had nothing 'auto'.
@@TallPaulTech with an open source vehicle you could remove the LIDAR or cameras and the programs to run them if you wanted so it wouldnt waste power and subsequently range
@TallPaulTech much enjoyed this video. don't have an explanation at hand for the strange probe request, but I can give a guess about Wi-Fi 3. Since the very first MCU (nvidia tegra based, eMMC) has been designed around 2010 to 2012, they probably went for the then cheap Wi-Fi 3 module even though Wi-Fi 4 was available. The intel atom based MCU2 comes with Wi-Fi 4 and does feature a 5GHz radio (*indoor channels are not supported, only outdoor channels can be used).
Tesla has bad code? What a shock, wow. That's unexpected 😮😂😂
How about setting up a Esp8266 to accept that probe request? Is it security by obscurity?
You missed something I said about being able to do that.
Why does it have to be Esp8266?
That random SSID = Supercharger WiFi/auth network?
No, it's more likely shitty leaky code.
@@TallPaulTech "We use TPM for security!"
*the TPM*
**tpm_random_bytes = "blah" // Change for production**
Haha@@NikoBelliGaming
*2:20** Probably been said. All 8's is Google. Possibly Chrome doing stuff.*
Embedded devices do sometimes double check if the dns response is the same when querying a public DNS, like Google. Or maybe as a fallback. But since the wifi DNS did reply I think it's more like a sanity check. But the target, nyt, netflix queries are just stupid.
Interesting that a lot of data from the mobile network is spilling over to the WiFi side (DNS, I think a lot of mobile data goes over PPP as well). Are you sure that 'server' is a result of your 'server', or it was just a generic name coded into the car?
I wondered that too, but the time of its lookup was too close to the announcement from mine. True though, I can't be 100% sure.
On mobile devices, that much searching for connections leads to a dead battery over night if you don't shut off the wifi when in sleep mode.
After a previous video of yours about phy rates, I disabled G on all of my APs only to find all of the dumb IoT devices that still don't support N. Amazing that anything for sale now doesn't support at least 2.4Ghz N.
Yeah, all the ESP stuff that I have is 802.11n, and they're simple things.
802.11g on a "modern" device is absolutely wild
fun fact G standard has the highest broadcast range of the wifi.
Glad I found your channel - good work here! Every time I run a sniffer to try to debug things I get so depressed at the state of software, and looks like Tesla is no exception. If they miss this easy stuff, what about the hard stuff? I'd be *shocked* to find out that a Tesla can be hacked! /s
Go ahead show us how you can hack a Tesla. You can make big dollars legally.
I reckon there's some more digging to be done ;) any more thoughts on the contents of the dhcp request ids ?
Oh, there will be more digging :)
Reallllly weird with that tpm rando. You need to keep digging there for sure.
I've already dug enough to know it's a heap of shit.
The whole Rocsys saga is quite fascinating. I wonder if you agree to be a datasource for third parties when bought this car? I think that when you open a Gmail account you agree to share data for it being a free service but when you buy an object I would like to know more. And the fact that it bypasses your Pi-hole is disturbing a bit, maybe it had a hickup/delay of some sort but you should be the ruling admin in that case.
Great analysis, thanks
Great content! Funny to see all Tesla ecosystem oddities. I was wondering ; maybe it is using NTP servers passed in the DHCP options?
I'd reckon it's just DNS servers being contacted for every connection
10:58 LMAO I love it
Nice video could show how you captured it ? The first is doing port mirroring and sniffing or? The second is new for me
I started studying automotive computing and we are just learning about network technology and tools
since my router is just a linux box with 2 ethernet ports, i could just run tcpdump right on that, no mirroring needed
DId you try with ssl offloading to see the contents of all the api calls etc?
What happens if you don't let a Tesla have Internet access at all? No wifi, no cell/sim? Will it refuse to let you drive it?
Well, they do drive well out of cell range and they drive fine. You don't have to have the sim activated but I guess Tesla will still utilise it, there's just some some stuff you can't access without the sim activated.
It will let you drive normally
All cars connected to the network constantly "doing something" :)
Regarding tesla, its a price of autonomous cars (pilot) etc. It will more.
The car is just DDOS’ing the inferior equipment on your network. Lol
Great stuff brother. Thank you so much
How many brands can connect to a WiFi AP I wonder? Both my new Toyota and Audi cannot, therefore rendering all the smart features useless at my cell service delinquent home location.
Well that one's going to require more detailed information (ie, packet captures) before we can say anything.
2:50 Looks like you have the head unit? Try to analyze with the head unit disconnected, xor with the back unit (ADAS) disconnected. Tip: If you ever have a Mercedes (doesn't use DHCP), look at the VLANs and connect to the multicast groups of each of the networks on there.
Thanks Paul! Brilliant video
Well, we'll all leave our computer screens and Teslas alone now and go and watch something on our nice safe Samsung TVs, because they couldn't be doing anything peculiar either, could they?
Yeah, same shit everywhere... th-cam.com/video/8mHXwmULOvk/w-d-xo.html
I refused the bullshit T&C that sends it sends data to some third party I've never heard of. This turns off most of the bullshit.
The other thing people are doing it dumbing down their TV on some models by purchasing the version of the board that is used for shop displays.
Going to guess this is an MCU 1 car?
Would some of this (the external HTTP) before the entertainment system?
Great video! I especially appreciate how you don't jump to conclusions, and mostly just share the facts.
I'd sub, but your name reminds me too much of someone I strongly dislike.
Thanks for the informative video, I'm glad it got suggested to me. I'm not old or anti tech, but I fail to see how any of that is necessary for making a car go down a road. Just reaffirms why if I ever have to own electric, it'll be an engine swap with open source hardware.
You know what, I like your approach. I'm sick of crap being allowed because of the notion that only old people or non "tech savvy" don't want it. Most of the people who I know who are most against this shit are right in the tech industry. It's not like we don't know how things work, we just know it's bullshit!
I assume they're collecting data to detect faults sooner, improve future designs, and train self-driving cars. But it's reasonable to question whether they have any right to use your personal data like that, and whether they're protecting it adequately. Anonymous data is often quite easy to de-anonymize.
it is not necessary, you can rip out the SIM card of the car if you like. obviously then you will lose mobile app control (remote unlock etc.)
@@kjetilho yeah I could get the SIM card out and remove the WiFi but I shouldn't have to do surgery on a new car just so it respects my privacy. I'm also going to assume that voids the warranty. Not that the warranty is worth much to begin with. For the kind of money they ask, there are batteries, contractors, motors, etc. available. If I already have to do surgery to ameliorate my car, I'd rather spend a few weekends electric swapping something older, prettier, and fully my own.
@@adamgarlow5347 - no you don't have to do that, it will not collect data unless you agree to it.
Updating the apps on the screen. Like Netflix and TH-cam lol
AKA, bloated shit, preventing the car from operating basic controls the way is used to.
very interestng, thanks for this !! how did you capture the GSM packets ? edit: just realized it's getting the dns from the gsm link and trying it over the net
There you go :)
Hi Paul, very good work you are doing here. I saw the same you did with Tesla. I’m sure your audiences would be interested to compare what all these high tech cars from different countries are doing in terms of infringing into personal data
Very interesting, thanks for sharing!
How did you sniff the Telstra traffic if it goes over mobile phone network?
Cheers,
Chris
This is just the Wi-Fi traffic. There's no telling what the car is communicating via its LTE connection.
As a swede I am currently entertained by seeing Elon trying to go up against IF Metall, one of the largest unions of workers in the country. They have a strike fund reserve counted in billions, large enough to strike for as long as they could possibly need to. Workshops have started to deny service to Tesla cars. Elon will have to fold to their demands or leave Sweden. It's not even a question. It has happened in the past with Toys R Us and McDonalds. Sweden is union strong.
Scary how socialistic Europe is, and how rapidly USA is heading that way…
@@bartwaggoner2000 in my country unions are corrupted through and through so they are useless to working class.
@@bartwaggoner2000 how is a union scary?
@@darkzone1606 reading comprehension
It’s almost as though the code running on the car is shit.
You say that a car making requests to netflix etc is not a car thing, but I would put it to you that a car interfacing with any network is not a car thing. lol. Who wants one of the mobile spy stations in your garage? You already carry one of those around in your pocket most likely.
Can confirm, my cars are all from the normal car era (contrast with the home theater on wheels era) and don't even have network interfaces!
4:32 why be polite and close the toilet seat, they also must have infinite server power in their TLS terminator router
I'm sure those completely random numbers being identical is a complete and utter coincidence.
Anyway, back to selling bridges to folk.
Maybe the use of 802.11g is a way of throttling the network demands from the car. It’s usually much harder to throttle a device that wants to download lots of data without support from the router.
No. Just, no.
If you have a decently capable router you can simply set a download and upload speed for specific devices.
I suspect a rugged, cheap wifi chip that just works.
Anyone asked why we see Tall Paul in handsome suits now? :)
That is kind of alarming if I understand correctly. The car is scanning my netwotk? Might have to put my car on its own private part of my network. 🤔
No the network was advertising stuff to the car and the car tried to follow up
But yes, put all things on their own private part and only give them access to to watch they need access to
@@Keneo1 I need to learn how to lock down my network one of these days. 🙈
@@computersalesMake a IoT wifi vlan
@@computersales an easy consumer friendly way is to make a guest network and set it so that guest can only connect to the internet and not each other. Then connect all smart stuff that needs internet to this network.
This is an option in a lot of decent AP’s I have seen.
Doesn’t work if you want to have your phone connect directly to the thing. But works for things that want to use the internet and you don’t want to look in your internal network.
If you want to jump into the deep end. Set up packetfence.
You didn't understand correctly.
Great video.