Inviting the internet into our cars and security systems.
N2K, Apr 7, 2023

As technology continues to deliver the cool and the convenient, the ways tech and the information it handles can be misused grow as well.

Car thieves are using CAN injection attacks to steal cars, Nexx may not patch critical vulnerabilities in its smart security devices, and Tesla employees apparently admit to sharing pictures (sometimes explicit) collected from Tesla cars owned by private citizens.

Electronic lockpicks for electronic locks. 

Ian Tabor, an automotive security expert at EDAG Group, decided to do a forensic analysis to find out how his car was stolen, SecurityWeek reports. He discovered that his headlight had been destroyed and the wires had been pulled out. The Register writes that Tabor investigated and found that “various systems had seemingly failed or suffered faults,... the faults were generated as the thieves broke into a front headlamp and tore out the wiring, and used those exposed connections to electrically access the CAN bus.” He concluded that the thieves probably used a hacking device that connects to the car’s controller area network (CAN) bus and injects false codes to unlock the door and start the car. SecurityWeek reports that “Such hacking devices can be acquired on dark web sites for up to €5,000 ($5,500), and they are often advertised as ‘emergency start’ devices that can be used by vehicle owners who have lost their keys or automotive locksmiths.” These devices appear to be specific to a car make, which limits whoever uses them (thief or locksmith) to one brand of vehicle. The method still requires physical contact with the car, so experts recommend taking proper physical security measures. This leads to another story.

Nexx security devices may have security flaws. 

When purchasing a smart security system, buyers take it for granted that the system itself is secure. There is always, however, an inherent risk in connecting security devices to the larger Internet. Sam Sabetan, an independent cybersecurity analyst working with CISA (the US Cybersecurity and Infrastructure Security Agency), posted on this issue. “I discovered a series of critical vulnerabilities in Nexx’s smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs,” he writes. “These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer.” This is the last thing users would expect when installing a security device. Sabetan’s blog explains the vulnerability, noting that Nexx’s servers “fail to verify if the bearer token in the Authorization header corresponds to the alarm trying to connect...” He further explains that the MAC address for each device is the same as the device’s serial number, which means that “an attacker can register an already registered device and effectively take control of it.” Nexx has not so far patched the vulnerability. Sabetan recommends that Nexx users deactivate their devices and write to the company requesting a fix. 
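The two server-side checks Sabetan describes as missing, shown as an added illustration rather than Nexx’s code: a command handler that only validates the bearer token (the flaw pattern) beside one that also requires the token’s account to own the addressed device, plus a registration step that refuses to re-assign an already claimed serial number. The data model, token values and device IDs are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    # Constructed sample state: device_id -> owner account, token -> owner account.
    devices: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

def owner_of_token(store, authorization):
    """Return the account behind a 'Bearer <token>' header, or None if invalid."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return store.tokens.get(token)

def command_vulnerable(store, authorization, device_id, action):
    """Flaw pattern: the token is checked for validity, not for matching the device."""
    if owner_of_token(store, authorization) is None:
        return "denied"
    if device_id not in store.devices:
        return "unknown device"
    return f"{action}:{device_id}"

def command_hardened(store, authorization, device_id, action):
    """Fix: the addressed device must be registered to the token's own account."""
    owner = owner_of_token(store, authorization)
    if owner is None or store.devices.get(device_id) != owner:
        return "denied"
    return f"{action}:{device_id}"

def register_device(store, authorization, device_id):
    """Hardened registration: a serial already claimed by one account stays with it."""
    owner = owner_of_token(store, authorization)
    if owner is None:
        return "denied"
    if device_id in store.devices and store.devices[device_id] != owner:
        return "denied"
    store.devices[device_id] = owner
    return "registered"

def demo():
    store = Store(devices={"SN-0001": "alice"},
                  tokens={"tok-alice": "alice", "tok-bob": "bob"})
    return (
        command_vulnerable(store, "Bearer tok-bob", "SN-0001", "open"),  # granted: flaw
        command_hardened(store, "Bearer tok-bob", "SN-0001", "open"),    # denied
        register_device(store, "Bearer tok-bob", "SN-0001"),             # denied
        command_hardened(store, "Bearer tok-alice", "SN-0001", "open"),  # granted: owner
    )
```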

Tesla employees reportedly shared images and videos from Teslas in the wild. 

Several former Tesla employees admitted that they used to share pictures and videos from cameras installed in Tesla electric vehicles between 2019 and 2022, Reuters reported on 6 April. The material ranged from videos of naked Tesla owners walking to their cars to images of users’ garages. (Why one would approach one’s car naked isn’t explained.) Among the higher-profile images were shots of a “James Bond submersible car” allegedly captured inside Elon Musk’s garage. These cameras are installed to support driver safety and automated driving. 

It’s no secret, formally at least, that Teslas collect and report images. Tesla states in its Customer Privacy Notice, “We want to be very clear that in order for Fleet Learning camera recordings to be shared with Tesla, your consent for Data Sharing is required and can be controlled through the vehicle’s touchscreen at any time by navigating to Software> Data Sharing. Even if you choose to opt-in, the camera recordings are limited to 30 seconds and remain anonymous, ensuring it’s not linked to you or your vehicle.” 

Reuters reports that “the computer program they (Tesla employees) used at work could show the location of recordings,” which would seem to provide less anonymity than customers might expect. Knowing how a company uses your data is important, and experts recommend that, as onerous as slogging through the documents may be, users read terms of service and privacy notices.