←back to thread

Tesla said it didn't have key data in a fatal crash, then a hacker found it

(www.washingtonpost.com)
650 points clcaev | 5 comments | 29 Aug 25 11:15 UTC | HN request time: 0.216s | source
Show context
clipclopflop ◴[29 Aug 25 12:45 UTC] No.45063380[source]
Years back I bought a model3 infotainment unit on eBay to hack on - it’s absolutely insane at the amount of data contained on them. After gaining access to the system I was able to get the VIN of the car and find the salvage auction from the car it came out of - it had been wrecked. I then was able to get all the location data that gets logged, showing a glimpse of the previous owners life (house, work, stores they went to, etc) as well as the final resting place of the car. The last gps locations logged were at the end of a “T” intersection in North Carolina - google street view gave a nice look at the trees the car most likely hit :>
replies(2): >>45063831 #>>45063943 #
foobarian ◴[29 Aug 25 13:26 UTC] No.45063831[source]
Neat! What's the hardware like, a Linux-ish computer with SD cards? Or SSD? Which filesystem?
replies(2): >>45063926 #>>45064556 #
1. clipclopflop ◴[29 Aug 25 14:24 UTC] No.45064556[source]
HW wise, the older units were intel atom based cpu (latest gen is amd I believe?) - the hardware is typical embedded stuff - cpu + eMMC + bt/wifi mcu + cellular daughter card. OS is linux + QT UI stuff. I would expect things have changed for newer HW revisions, but the previous gen did not utilize encryption (dmcrypt) so all data was unprotected at rest.
replies(1): >>45064927 #
2. clipclopflop ◴[29 Aug 25 14:52 UTC] No.45064927[source]
Following up on this - the actual 'self driving' part of the HW stack is an entirely separate board with 2x custom ARM chips on it. The HW/SW is much more locked down and the OS/Data is not accessible. I believe a lot of the self-driving info gleaned by types like green were built up from the first generation of Model S cars where the 'self driving' HW was much less defensible and it was much easier to gain access to it.
replies(1): >>45065875 #
3. pas ◴[29 Aug 25 16:05 UTC] No.45065875[source]
what does locked down mean here? this is almost the same situation that happened with DRM stuff like HDCP and the BluRay (?) encryption key (that was then posted all over the net), right?

at best the decryption key is somehow custom to each car, not reproducible (eg. it's made by some random manufacturing process), and then Tesla reads this and encrypts everything in a way so that only that key can open it.

but then do they keep every bit of decrypted data "on die"? (or they encrypt RAM too?)

replies(2): >>45066154 #>>45067312 #
4. bdamm ◴[29 Aug 25 16:27 UTC] No.45066154{3}[source]
It is now sort of common for embedded chips to generate on-die encryption keys for external processes (flash) and there could even be a one-time encryption key for the ROM (pushed to the on-die ROM and then wiped from manufacturing). Encryption RAM is basically free because the chip can generate a key internally at each boot. There can even be deeper lock-downs although obviously the deeper you go the less common it is. Getting to the on-die key can be pretty much impossible unless you can find some bootloader attacks, and then you're very much into dangerous territory. In some cases even looking for a bootloader attack can be paramount to disruption of international arms treaties, legally.

I'd expect them to also have fleet keys for stuff like navigation data. And of course, public-key based firmware signing. That's just table stakes these days.

5. clipclopflop ◴[29 Aug 25 17:54 UTC] No.45067312{3}[source]
Locked down meaning the storage devices are encrypted and decrypted on-the-fly via the SoC/CPU using a key programmed into the Fuses/OTP (this is usually per device keys), bootrom/loader requiring signed firmware images, limited exposure of external interfaces (attack surface) - from my memory even the Uart interface attached to the SoC was disabled very early on in the boot loader, exposing only one or two messages. I would not expect that ram is encrypted - I cannot think of a single time I have seen that implemented in a device. Maybe it’s time to dig that board out of storage and poke at it a bit more invasively, my understanding is they are not very robust when faced with fault injection :>