For those of us who have spent a lifetime looking after IT systems and software at an interconnect level, with no hardware access this is a fascinating insight into the low level security issues makers and maintainers have to deal with and opens up all sorts of questions on how a real Right To Repair might work in practice. Great stuff whole team.

Interessant. Und inhaltlich so weit weg von den Meldungen der Presse, wie zu vermuten war.

Voltage glitching of the (credit card sized) Smart Cards was a very common attack on the Satellite TV systems (e.g. DirecTV and Dish Network) back in the 1990s; so nearly *30 years* (!) ago. Even then, it was automated via a PC's parallel or serial port, so one might leave it running while having dinner. The glitch module might try thousands, even tens of thousands, of combinations of timing and pulse before cracking the card, and presenting the channel menu. Nothing new under the Sun, eh?

super interesting, thank you for the research. thanks to ccc for uploading

00:32 🚗 Tesla's autopilot system and infotainment system have been rooted, and the speakers will discuss their findings. 02:59 📰 Recent Tesla autopilot news includes a recall of over 2 million vehicles and speculation about features like "Elon mode." 03:27 🧠 Overview of Tesla's digital architecture, highlighting the autopilot board's role and data storage mechanisms. 05:43 📷 Evolution of Tesla's autopilot hardware, from single-camera setups to custom FSD chips, and changes in data storage encryption. 06:50 🛡 Introduction to Tesla's custom FSD chip and its security subsystem, focusing on code verification and cryptographic signing by Tesla. 09:27 🧠 Analysis of the security subsystem, its role in firmware loading, and the importance of the certificate chain in verification. 12:32 ⚙ Explanation of fault injection attacks, specifically voltage glitching, as a method to induce faults in the security system. 14:32 📏 Identification of the power supply of the security system, focusing on voltage regulator circuits and their interruption for the glitching attack. 18:08 🛠 Description of the glitching setup, involving a Teensy microcontroller, MOSFETs, and removal of capacitors to achieve the desired voltage drop. 20:46 🔄 Timing analysis of the glitching attack, determining the critical time window for the root CA hash comparison and planning the fault injection. 23:20 🎬 Successful demonstration of the fault injection attack, glitching the system during the root CA hash comparison and achieving root access. 23:47 🚗 Successful glitch injection demonstrated using voltage drops, allowing access to Tesla Autopilot system. 25:06 📊 Autopilot utilizes various data, including camera, CAN bus, and machine learning models, creating a treasure trove for training and evaluation. 26:00 📸 Snapshot process involves monitoring incoming data for events, triggering snapshots for analysis, and uploading selected data to Tesla servers. 29:42 🔐 Authentication for connecting to Tesla's servers involves a key stored in the security subsystem, with root access enabling key extraction. 32:49 📹 Recovered video data from Autopilot system reveals seven camera angles, CAN bus data, speed, pedalpositions, and GPS information. 34:01 🛑 The research demonstrates a voltage fault injection attack on Tesla's Autopilot system, posing a threat to intellectual property but also enabling analysis by third parties. 36:04 💰 The cost of obtaining the boards for hacking is mentioned, around 400 euros on eBay, with the whole board computer priced at approximately 600-800 euros. 38:33 🕰 Introducing random delays before, during, or after the glitch would make the attack harder but not necessarily prevent it. 39:10 🛑 The hash of the root of trust is checked against the embedded hash in the chip, making it challenging for existing Teslas to exchange or modify the root. 40:22 ❓ Cutting power during the certificate check process interrupts it, but exact details on the interruption mechanism are unclear.

Sehr interessant, vielen Dank!

Titelblatt der FAZ vom 28. Dezember: "Trio aus Berlin hackt Autopiloten von Tesla" ... Den Artikel hat man dann gleich einem Nachbarn (offenbar als "Warnung") anonym in den Briefkasten geworfen. 😅

Thanks.

Segor rocks!

could someone explain it to me what was that UART interface and why didnt the safety core just reset the lockstepped CPUs?

I'm wondering if they managed to find some way to get persistence and/or a way to activate elon mode thru the service password menu.

Did they describe the payload of their attack? As far as I understood, they were spoofing the cert chain to tamper with the bootloader/autopilot linux image. But how could they change the encrypted firmware? Was part of it unencrypted and able to be replaced?

Bleibt die Frage ob bei der Möglichkeit diese Funktionen freizuschalten sind ob dort die Zulassung nicht hinfällig ist. Bei Sektor muss ich auch mal wieder reinschauen und mit dem heissen Kolben arbeiten.

I don't get @06:06 the Tesla Model 3 (HW3 / HW3.5 (highland)) has no Radar sensor at all, they are all vision only (only got cameras), it's one of the major reasons I'm getting an Audi e tron (Q4) over a Tesla Model 3 Highland.

You know what i hate about our university system: I wrote a BSc and MSc thesis and none of it reached this significanse and analysis. But i got a MSc for it and what did they get?

Clap

how does a voltage glitch trick the hash comparison to falsely compute "match"?

please upload private keys. Also what happened, why is commenting not disabled as usual?

very biased and technically weak talk. lost my respect for the speakers, nothing else. go do this research about german made vehicles, mercedes, vw and bmw.