Can’t believe Tesla would ship something with anything resembling a default password. At first glance, I assumed this would be a clear violation of the requirements of CA SB-327 (goes into effect Jan 1).
Reread the bill, and it actually says: “The preprogrammed password is unique to each device manufactured.” If the default is based on the serial number, I guess it’s “unique” under the letter, but certainly not the spirit.
This is amazing. It is all completely plausible, and clearly includes only the most easily explained horrors, with anything that would require explanation just omitted.
It is worse than I would have been able to invent.
IMHO, these stories aren’t unexpected from a tech company that grows 80% year over year, developing and expanding as fast as technology and market forces allow. Yes, there are mistakes and unfortunate incidents in the organization of people and tech priorities here, but this is inevitable in an engineering org that moves this fast. You really need to measure this up against Tesla’s achievements:
Growing high double digits each year for more than a decade in a brutally competitive space, developed 4 hugely successful vehicles, first US auto company to succeed (knock on wood) or grow to significant size (>700,000 cars sold) since Ford, production constrained continuously, did this with almost zero paid marketing, built global networks of dealers, service and chargers, improved the state of battery tech by a multiple and doubled global li-ion battery pack output, built 3 car factories, made electric cars economically viable, incidentally seriously wounded the car dealership model, succeeded with qualitatively different software approach with OTA updates and tight software integration, designed cars with hitherto unparalleled performance in their class, and others that I couldn’t come up with on the spot.
This is only controversial because this is safety-critical tech and it’s uncomfortable to see the development pains of consumer grade software affect it. There’s no evidence that the approach has led to more injuries or deaths than cars do in general, quite the opposite. Tesla cars are safer than competition, the argument can be made that fast deployment is a net win regarding safety. Even in the absence of any other things they have achieved.
I believe there’s also an element of envy, or misunderstood beliefs that the best tech approach is taking things slowly. Yes, in isolation. But then market forces will crush you because someone else was faster, or because you missed the window of opportunity for making things so dramatically better that you manage to unbalance the local maximum of the status quo.
[Edit: To everyone who downvotes this: For the sake of enlightening discussion, could you please express your disagreement in words rather than the downvote button? Note that I'm talking about GP's linked commentary on Tesla's engineering mishaps in general, not this specific vulnerability].
>For the sake of enlightening discussion, could you please express your disagreement in words rather than the downvote button?
I'll give it a try: maybe it's because someone made an off-hand comment about Tesla shipping a default password, and you chimed in with an apologetic post that reads a lot like astro-turfing?
>did this with almost zero paid marketing
Traditional marketing. Tesla spends millions on marketing annually, it's right there in their financials. Just recently a pile of pro-Tesla Twitter bot accounts were banned. Did you know that Tesla is paying people to post messages on social media?
I am not affiliated with Tesla or paid by them in any way, if you're implying that. Was also not making apologies for shipping devices with guessable passwords, that's obviously a serious screwup that needs to be fixed - ideally at a level of changing the engineering culture if that's what it takes. But the rest of this thread treats that subject in depth, and I wouldn't contribute anything material to that discussion beyond piling on, which is a bad use of time and brain power. Thought I made it quite clear in my comment that I was specifically addressing the discussion of sub-par software engineering practices, and how this is a very common consequence of extreme growth.
I know Tesla has a marketing budget and marketing people, that's obvious enough, so traditional marketing was indeed what I meant. Maybe I could have made that more clear.
Wasn't aware that they're paying people to astroturf though; first I hear of this. Do you have proof of it?
> Traditional marketing. Tesla spends millions on marketing annually, it's right there in their financials. Just recently a pile of pro-Tesla Twitter bot accounts were banned. Did you know that Tesla is paying people to post messages on social media?
Umm what? I can assure you that most pro-Tesla Twitter accounts are happy owners. I know cause I am one. The amount of FUD on Twitter directed against Tesla is insane!
I created my Twitter account in February 2008 and it has pretty much stayed dormant for the most part. Until I bought a Model S and discovered the TSLAQ trolls and often challenge their B.S. claims with actual sources. Case in point: https://twitter.com/teslahistorian
> Just recently a pile of pro-Tesla Twitter bot accounts were banned.
> Did you know that Tesla is paying people to post messages on social media?
Yes, while reading this initially I, too, had the same reaction: Typical tech startup bootstrapping seat-of-the-pants stuff. But upon smelling the coffee, and remembering a few conversations I have had with ostensibly reasonable people, this sounds totally batshit.
>Growing high double digits each year for more than a decade in a brutally competitive space, developed 4 hugely successful vehicles, first US auto company to [...] grow to significant size (>700,000 cars sold) since Ford
People get in this product and they don't see the startup culture making wins and beating the odds to deliver a Ludicrous! Tesla Model S with heated leather seats. They see a finished product whose origin, to them, may as well have been a Star Trek replicator. To this point, I have encountered people who argued strongly that Teslas are "Self-Driving Cars" already. They really give stuff the benefit of the doubt sometimes.
So many issues attested to in that engineer's report need to have been already handled. It is amazing that they have created this manufacturing line out of nothing, I mean they build these things in tents, really bucking the odds here, but it causes me much pause. I would have hoped Elon would have worked out bootstrapping this manufacturing process, I think he discounted what it takes to pull off consistent manufacturing quality on many levels. This was Toyota's innovation a lifetime ago, shame that Tesla didn't seem to hire up any of that greying industry knowledge.
I now feel a deeper understanding of Tesla's icing-out of the repair/aftermarket. Seems obvious in retrospect.
>I believe there’s also an element of envy, or misunderstood beliefs that the best tech approach is taking things slowly. Yes, in isolation. But then market forces will crush you
>There’s no evidence that the approach has led to more injuries or deaths than cars do in general, quite the opposite. Tesla cars are safer than competition, the argument can be made that fast deployment is a net win regarding safety.
Get with the program. This is not an electric toothbrush with a subscription model, people are going to die. When product safety and manufacturing quality take a back seat to business whims, you are going to get trouble. Sporting this Boeing-esque reasoning is going to get people killed.
I think the problem is that the software model is being used in other industries. Not just in production (e.g. Tesla "move fast and break things" on things that are life/death, or merely very expensive) but also in valuation: Tesla, WeWork, and a ton of others are/were valued as technology companies even if they are clearly not.
When this happens you start getting comically bad results (see: all the summon feature failures on Twitter) and catastrophic valuation corrections (see: almost all the recent "technology" IPOs).
The whole VC market seems to be built on this built-in assumption that everything will be able to scale and have the margin of software companies, even when it is obvious that it is impossible. I am not sure why there is such a gap between reality and VC/investors in general, but it's probably going to seem obvious in retrospect.
Fanboyism that kills is generally frowned upon by all those who work in matured safety-relevant industries.
We do hop all the safety hurdles every day, for very good reasons - and to call these proven-right processes slow by someone who lives only because they exist - it has a certain sting to it.
Speedy development is all fun and games, until your luck runs out and you toast a whole highway filled with families in one afternoon.
After that, nobody is going to hold cheery fanbois liable who enabled this culture. No, it will be engineers, who were forced to make fast decisions. Remember Toyota-Bar - why don't you justify your senseless optimism, in the face of physical danger and accidents, to the victims of sloppy development?
Why is the burden of proof not on you? After all that blood at least should be on your hands.
Reminds me of a time when an ISP would provide their customers routers where their default Wifi passwords could be derived from their SSIDs. A free app would allow you to connect instantly to practically any Wifi network in the city.
An ISP around here still ships consumer routers with passwords consisting of a random 8 digit hex number, i.e. that could be cracked in a day on a GTX 970m (tested hash rate against my parent's wifi).
They also ship with default SSIDs, numbered 100 to 999, so given 900 GPU days of precomputation you could create rainbow tables that allow for cracking every default password/ssid pair.
I can tell you from the wifi passwords I have been given by friends that many people are not changing them.
At least you need to capture a handshake to use your rainbow table...
I disagree. The spirit of the law is to ensure that logins cannot be automated. Unless the serial number can be read over the internet without authentication, using it is completely within the spirit of the law.
>Unless the serial number can be read over the internet without authentication
As I said in my post below, I just checked mine and the full serial number is included in the device hostname. Since tons of regular PW installs are going to average joe residential sites which will heavily be using crappy outdated ISP provided routers with default passwords and entirely flat unmonitored LANs, possibly with infected machines to boot, it's fair to say that yes in fact the serial number will be able to be read over the internet without any authentication. Anyone who can see hostnames of devices on the LAN can get the whole serial.
Although I also doubt any such network will have any real rate limiting or notice any hammering either, and the serials look utterly trivial to brute force. So I'm not sure the fact that they're all broadcast for everyone even ultimately makes much difference.
I had a very similar thought regarding gaining API keys for Tesla vehicles after realizing I can generate an API key knowing only my Tesla Account user name and password.
Honeypot free WiFi at a Tesla Super Charger with a legit looking login page: “Free WiFi for Tesla Customers, Login to your Tesla account to access.”
API End points include vehicle unlocking, speed limit settings, etc. Some are not available while the vehicle is in motion, so at least there’s that.
Yes, but the only time that this would be an issue is if someone, somehow decides to install it themselves or the Tesla technicians installing it forget to change the password which is very unlikely considering it's part of the standard process that you have to sign for upon install. You have to choose your own password either way or accept that you didn't.
So you can change the password to the management portal and prevent access to the API / admin panel which provides access to all of the mentioned settings?
Exactly. If the SSID was “Password=BSSID MAC” and the password _was_ the MAC address of the BSSID device, I suppose it would technically be unique. This is barely more secure than that, IMO.
Reread the bill, and it actually says: “The preprogrammed password is unique to each device manufactured.” If the default is based on the serial number, I guess it’s “unique” under the letter, but certainly not the spirit.
Link to bill: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...