Tesla Hackers Are Fighting Digital Extortion

Fight to Repair is a reader-supported publication. Sign up to receive updates in your inbox. (It’s free!) Or become a premium subscriber for access to exclusive content and live events!

A group of security researchers announced last week that they skipped the $300 fee from Tesla to activate its rear seat-warmers—opting to hack the car instead. By exploiting a known vulnerability on a custom-built microcontroller on the Tesla’s media control unit and injecting their own code, hackers at the noted cybersecurity conference Black Hat signaled that automakers’ efforts to cordon off features behind paywalls won’t go unchallenged by technically adept vehicle owners.

The group responsible for the jailbreak made use of a discovery presented at last year’s Black Hat Briefings: a so-called “voltage glitch attack” that allowed the attackers to execute custom payloads on the Tesla’s AMD-based media control unit (MCU).

The seat-warmer hack is part of a bigger backlash against companies, Tesla included, for their use of software as a means of tacking on extra costs to their products in perpetuity. Tesla, for example, has introduced subscriptions for the use of seat warmers that are built into late-model vehicles. It is also alleged to have disabled the “trailer mode” safety feature on Tesla vehicles that do not use a Tesla-branded trailer.

Subscriptions Could Increase Demand for Hardware Hacks

Attempts to jailbreak devices and free them from constrained and expensive vendor ecosystems are growing. At the Pwn2Own conference, security researchers successfully gained root access to a Tesla’s system and claimed full control of the vehicle, showing once again how the power and control that companies hold over devices can be reclaimed.

The company caught a flurry of criticisms in 2022 for attempting to charge a customer $4,500 by using software to lock the final 80 miles of range in his battery pack. The company claimed it was a fix for a configuration error, while the customer, a third owner of the vehicle who had bought it as a Model S 90, was told he needed to pay to regain the locked capacity.

With the Internet of Things (IoT) growing at a rapid pace, access and connectivity have become flashpoints, as companies are caught disabling features or devices with little or no warning or bricking devices entirely, rendering functional hardware useless absent a working connection to management servers and software. Legislation proposed in previous sessions of Congress, like the Fair Repair Act, seek to outlaw such practices, but legal action from companies and lack of access to these tools remain significant hurdles.

More News

EPA refutes Ag Equipment Makers’ Clean Air arguments: In a letter to the National Farmers Union, the Environmental Protection Agency (EPA) tossed cold water on longstanding arguments by agricultural equipment makers that restrictions on owner and independent repair of agricultural equipment are needed to prevent tampering with emissions monitoring systems. “The Clean Air Act makes no distinction between repair by a manufacturer versus another party,” the letter from EPA Administrator Michael Regan, dated August 4th, 2023, reads. “Actions that qualify as repair or replacement are allowed under the Clean Air Act regardless of who makes them. Moreover, nothing in the Clean Air Act or the EPA’s regulations limits a manufacturer’s ability to provide service tools and information to consumers and independent repair facilities for the purpose of repairing their equipment,” Regan wrote.

Stopping Google’s autonomous vehicles with only traffic cones: Safe Street Rebel has gained attention with a viral TikTok video that highlights the negative impacts of Google’s Waymo and GM’s Cruise autonomous vehicles in San Francisco, including their disruption of traffic and emergency vehicles, as well as concerns about surveillance and privacy. The video encourages opponents of autonomous vehicles to place traffic cones on the vehicles’ hoods as a form of protest and attention-grabbing. The group aims to raise awareness about the lack of public consent for robotaxis, arguing that the false promises of companies will be similar to that of Uber and Lyft, which ultimately led to increased congestion and emissions.

DEF CON presentation liberates robot vacuums: Amazon’s attempts to buy the robot vacuum maker iRobot led to immediate speculation that the online retail giant was looking to use the vacuums to spy on customers’ homes, as new robot vacuums are equipped with smart-phone like features such as video recording, and voice control. Now a researcher at Northeastern University is advocating for users to have more control over their robot vacuums, even enabling hacking to disconnect from the cloud and repair devices independently. Dennis Giese, a PhD student, used a talk at the DEF CON conference to tell users to wipe data and perform factory resets before selling or disposing of robot vacuums to prevent data extraction.

Repairability of Apple’s new MacBook Pros: YouTuber Hugh Jeffreys is skeptical about the repairability of newer models of MacBook Pros. He highlights difficult repairs in a recent video due to soldered components, glued batteries, inaccessible calibration software, and proprietary hardware. He gives the laptops a low 4 out of 10 repairability score due to limited third-party repair options and challenges associated with fixing internal components.

Right to Repair bills get bipartisan support in statehouses: Legislation that gives consumers greater flexibility in repairing products from smartphones to farm equipment is uniting Republicans and Democrats at the state level. Political gridlock at the federal level has hindered efforts to compel manufacturers to disclose technical details and make parts more available for repairs. By contrast, more than 30 states considered such right-to-repair bills in 2023—states as diverse as Texas and Hawaii.