Police Say Man Who Stole Tesla Model 3 Charged With Battery

Many moons ago you may remember this introduction to one of my car-hacking posts:

First, you need a Vehicle Identification Number (VIN). You can ask your friends or family for their VIN. You can walk into a parking lot, especially a Jeep dealer’s, and look at the VIN. Or you can search craigslist for a VIN. I used the SF bay area site but you can search anywhere using a simple URL modification…

The VIN is a token, a fairly important one, that requires manufacturers to use threat models to think about adversarial usage. Alas it sits in plain view both in person and online.

We interrupt this PSA about credential management to bring you a hot story about a brand new cutting edge technology Model 3 Tesla being stolen.

…a regular at the Trevls EV-only rent-a-car company in Minnesota was the key suspect in stealing a Model 3 rental car owned by the agency. According to the owner of Trevls, John Marino, the man simply walked up to the Model 3, opened it, got in, started it and drove off. Bloomington police are saying that “the man somehow manipulated the Tesla app to unlock and start the car, disabling the GPS before leaving town.”

The key here for the key suspect, puns intended, seems to be that this Tesla was rented before. The suspect had the VIN associated with his account and used the application, so was a temporary valid driver. A VIN has to be associated with an account to run the application, and I think most Tesla owners would not want any path for their public VINs to be “matched” to someone else’s account.

Alas, a rental company does exactly that, putting a VIN in random people’s accounts. The rental company claims they remove the VIN from a customer account after their rental, thus denying any further authorization. However, this driver likely realized that, since he had been authenticated as a driver of that car at least once, he probably could contact Tesla support and somehow convince them to add the VIN back to his account without authorization of the rental company. Or maybe the removal process wasn’t clean. Deprovisioning is notoriously hard in any credential system.

I’m going to go out on a limb here and say the Tesla application and driver support system wasn’t sufficiently threat modeled for the kind of VIN use that rental companies require, let alone social engineering talent of rental customers.
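The two failure paths guessed at above (a support-mediated re-add without the owner's say, and a removal that never ran) can be closed in a grant store that fails closed. This is an added sketch, not code from this post and not Tesla's design; `VinRegistry`, the account names, the VIN and the timeline are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class VinRegistry:
    """Hypothetical VIN-to-account grant store; not Tesla's actual design."""
    owners: dict = field(default_factory=dict)   # vin -> owning account
    grants: dict = field(default_factory=dict)   # (vin, account) -> expiry
    audit: list = field(default_factory=list)    # (time, vin, account, event)

    def add_driver(self, vin, account, approved_by, hours, now):
        # Only the registered owner can authorize a driver. A request made by
        # the driver (directly or relayed through support) is refused and logged.
        if vin not in self.owners or approved_by != self.owners[vin]:
            self.audit.append((now, vin, account, "DENIED"))
            return False
        self.grants[(vin, account)] = now + timedelta(hours=hours)
        self.audit.append((now, vin, account, "GRANTED"))
        return True

    def revoke(self, vin, account, now):
        if self.grants.pop((vin, account), None) is not None:
            self.audit.append((now, vin, account, "REVOKED"))

    def can_drive(self, vin, account, now):
        if self.owners.get(vin) == account:
            return True
        expiry = self.grants.get((vin, account))
        # Expiry is enforced on every check, so a skipped revoke still fails closed.
        return expiry is not None and now < expiry

    def stale_grants(self, now):
        # Grants past expiry that nobody removed: the deprovisioning backlog.
        return sorted(k for k, exp in self.grants.items() if exp <= now)

def demo():
    vin = "TESTVIN0000000001"                     # constructed placeholder VIN
    reg = VinRegistry(owners={vin: "rental-co"})
    t0 = datetime(2018, 9, 1, 9, 0)               # constructed timeline
    reg.add_driver(vin, "renter", "rental-co", hours=48, now=t0)
    during = reg.can_drive(vin, "renter", t0 + timedelta(hours=1))
    later = t0 + timedelta(days=7)                # rental over, revoke never ran
    after = reg.can_drive(vin, "renter", later)
    readd = reg.add_driver(vin, "renter", "support-agent", hours=48, now=later)
    return during, after, readd, reg.stale_grants(later), reg.audit[-1][3]

if __name__ == "__main__":
    print(demo())
```

The stale grant still shows up in `stale_grants`, which is the list a rental operator would want to review, and the denied re-add leaves an audit entry to alert on.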

It reminds me once of sitting down with an automobile manufacturer and telling them while I enjoyed hacking cars I wasn’t about to start inserting USB into my rentals…and they interrupted me with a disgusted look on their face to say “WHY NOT?” I meekly explained I thought a lab was more appropriate as it would be dangerous for others to be renting cars I had been hacking on, especially when rental use wasn’t in the threat models (it wasn’t).

Police were scrambling for clues when this Tesla disappeared because, after the suspect reportedly disabled GPS, all the usual tracking signals (e.g. NFC/RFID scanning) on Interstate roads weren’t being helpful. The Tesla owner (rental company), on the other hand, noticed the stolen car being connected to the charging network 1,000 miles from the scene of the crime (Minnesota to Texas in two days). Police simply went to the charging station and there they found the lazy thief, who, despite noticing a loophole in authorization and a means to disable GPS, failed to think about other ways he could be charged.

And yes I wrote this entire thing just for the puns. You’re welcome.

Update Sept 15: Tesla has pushed an update (2018.34.1) that offers a “PIN to drive” security option to limit use of a key.

No word yet on the resilience of the “forgot PIN, enter credentials to drive” flow to social engineering. More to the point, this update does not seem to leverage PIN to drive when using the mobile application with “keyless driving”…perhaps because if you can enter credentials for keyless driving you could start the car with the same credentials in the forgot PIN screen.

Harley-Davidson Moves Research to Northern California

Well I have to say I was wrong twelve years ago about diesel motorcycles. No matter how patient I was for those Kawasaki to arrive, in the back of my head it was clear that hackers around me loved the zero-power-curve of electric bikes more than the long-distance of diesel.

At one point many years ago I was stuck in a long car ride around rural France (ask me another time about war-driving) with an aeronautical engineer and to kill time I opined about the benefits of light motorcycles with batteries easily outperforming gasoline. Only a few months later, back stateside, I received an email thanking me because he had built one himself and now was commuting effortlessly and with a smile.

I was gruntled, yet still awaited news of a diesel. Something about the plug-in/range didn’t suit my sense of riding.

With Harley, king of the long-haul open-road bikes, making a major electric research announcement like this, I officially give up on diesel bikes making it to civilian life:

Harley-Davidson, Inc. (NYSE: HOG) announced today it will establish a new research and development facility in Northern California to support its future product portfolio, including the company’s first complete line of electric vehicles.

Many, many years ago I worked on Cabletron switches, which in a bizarre twist led me to Milwaukee, WI. Unbeknownst to many, if not most, Harley was at that time doing cutting edge IT deployments. Also I attended wedding parties there of Harley workers that ended with the couple describing Harleys they would ride to California. I mean high-tech Harleys in California does make sense, in spite of their oil-splattered tinkering owners group heritage.

Until now my heart still ached for that Kawasaki diesel dual-sport we were promised. Oh well. The time has come to say diesel bikes aren’t going to make headlines. Perhaps electric range soon will be less of an issue as Harley clearly thinks about that spectrum. But will HOGs be able to keep their tinkering ways or is DRM also coming?

Israeli Raider Micro-ATV

Israelis have successfully shrunk the ATV to micro-size with a new electric “Raider”, unless you want to believe they have enlarged the electric skateboard to giant-size…or is it a stretched Segway?

I want to believe four-wheeling has advantages, yet in every action scene above I found myself imagining a two-wheeler doing it more efficiently (further and faster) on the same charge. Sure, two wheels require training, yet we’re talking about a highly trained operator in this market, right? If nothing else I would fiddle with a two-wheeler that splits wheels and extends axles into four, rather than be stuck all the time in a four-wheel mode.

Ok, one advantage I will grant is that if the Raider can be configured as driver-less then it’s far, far easier to manufacture and operate than two-wheels. Real advantages there. Someone could hit the panic button and their Raider would be like a medic drone and return them to safety. Or if you wanted the Raider to drop you off and then secretly make its own way to a pickup zone, also better than two-wheel options.

Meat is Murder on the Environment

After decades of seeing activists lay out the obvious economics of meat, and reading research by economists confirming the obvious, it looks as if the market finally is shifting. Eating meat is by far the number one impact to climate change and executives are starting to execute on the meatless menu, as you will see in a minute.

It always has seemed weird to me that if you wanted to remove meat from your work meals, or airplanes for that matter, you had to check a special box. Really it should be the other way around. If someone wants to add meat, let them be the “special” case.

I suppose executive dinners and board meetings should have something like this:

please check box if you want a major global catastrophic impact from your meal

Makes little to no sense to have meat automatically, and people should have to choose to accelerate global destruction, rather than set it as the mindless default.

Let me be clear here. I’m not saying I would never check the box. I’m not saying there would never be need for meat. I would always want the default to be meatless. When I say make it rare I mean it both ways. The economics of why are obvious, as I will probably say continuously and forever.

For example, years ago I was running the “Global Calculator” created for economic modeling, and reducing meat consumption undeniably had more impact than any other factors.

The Global Calculator is a model of the world’s energy, land and food systems to 2050. It allows you to explore the world’s options for tackling climate change and see how they all add up. With the Calculator, you can find out whether everyone can have a good lifestyle while also tackling climate change.

A sad and ironic side note here is the fact that meat consumption is the top factor in the “extinction crisis”, as 3/4 of earth’s animal population is disappearing at an alarming rate.

  1. climate change
  2. agriculture
  3. poaching
  4. pollution
  5. disease

I think it still may be counter-intuitive for a lot of folks when they hear they should stop eating meat to reduce climate change to prevent extinction of animals.

If you really like meat you will eat it rarely. Get it?

Thus a logical approach to solving many of the expensive problems people face today and into the future is to limit meat consumption within commercial space, because that’s where some expansive top-down decisions easily are made.

Imagine Google removing meat from its school-lunch-like program for its school-campus-like facilities for its school-children-like staff running its school-peer-review-like search engine. Alas, that probably means real executive leadership (not exactly what you get with kids trying to stay in school forever) where someone issues a simple order to reflect a principled stand (pun intended).

The first step on this path really should be Mar-a-Lago converting to vegan-only menus and becoming a research center for climate change, but I digress…

Instead it looks like WeWork is the first apparently to be woke, as it has removed meat from its menus.

…told its 6,000 global staff that they will no longer be able to expense meals including meat, and that it won’t pay for any red meat, poultry or pork at WeWork events. In an email to employees this week outlining the new policy, co-founder Miguel McKelvey said the firm’s upcoming internal “Summer Camp” retreat would offer no meat options for attendees.

“New research indicates that avoiding meat is one of the biggest things an individual can do to reduce their personal environmental impact,” said McKelvey in the memo, “even more than switching to a hybrid car.”

It’s crazy to me that someone is calling out new research here when there is so much legacy work, but I guess that covers the question why they waited so long to do the right thing.

And just in case any of the typical extremist right-wing tech professionals (Shout out to the 303!) read this blog post, I offer this tasty morsel on vaccinating the mind against climate change falsehoods:

To find the most compelling climate change falsehood currently influencing public opinion, van der Linden and colleagues tested popular statements from corners of the internet on a nationally representative sample of US citizens, with each one rated for familiarity and persuasiveness.

The winner: the assertion that there is no consensus among scientists, apparently supported by the Oregon Global Warming Petition Project. This website claims to hold a petition signed by “over 31,000 American scientists” stating there is no evidence that human CO2 release will cause climate change.

The study also used the accurate statement that “97% of scientists agree on manmade climate change”. Prior work by van der Linden has shown this fact about scientific consensus is an effective ‘gateway’ for public acceptance of climate change.

Bring out the facts! I’ve noticed security professionals often ignore climate change harm and need facts as a gateway to accept that there are risks. Maybe a good time to drop facts on these self-proclaimed risk management elites is when they head to Las Vegas this summer…observe them carelessly gorging on meat while claiming to care about threats to their environment, and hand them an invite to an exclusive WeWork party.