Hacking Tesla - Smart Car Security Analysis

<p><em>Summary:</em> Tesla cars have always attracted the attention of hackers, and many security researchers have tried to find and exploit vulnerabilities in them. The main reasons are that a Tesla is a pure electric car with a network connection through which it can be controlled, and that Tesla depends heavily on its electronic control systems. This article analyzes the problems Tesla has encountered.</p>
<div class="content-detail" style="margin: 0px; padding: 40px 0px; color: #333333; text-transform: none; line-height: 32px; text-indent: 0px; letter-spacing: normal; overflow: hidden; font-family: PingFangSC, 'helvetica neue', 'hiragino sans gb', arial, 'microsoft yahei ui', 'microsoft yahei', simsun, sans-serif; font-size: 16px; font-style: normal; font-weight: normal; word-spacing: 0px; white-space: normal; position: relative; word-wrap: break-word; box-sizing: border-box; orphans: 2; widows: 2; background-color: #ffffff; font-variant-ligatures: normal; font-variant-caps: normal; -webkit-text-stroke-width: 0px;">
<blockquote style="margin: 0px 0px 20px; padding: 10px 20px; font-size: 16px; border-left-color: #eeeeee; border-left-width: 5px; border-left-style:solid; box-sizing: border-box;">
<p style="margin: 0px; padding: 0px; box-sizing: border-box;">Tesla cars have always attracted the attention of hackers, and many security researchers have tried to find vulnerabilities in Tesla cars. The main reason is Yes, Tesla is a pure electric car and has a network connection, which can control the car through the network, and Tesla itself is very dependent on the electronic control system. This article will analyze the problems that Tesla has experienced. This vulnerability has been fixed, this article is just to let readers understand the principle of the vulnerability so that it can be applied to work to make cars safer. </p>
</blockquote>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Tesla has long been considered safer than other internet-enabled cars , can serve as a model for connected cars, although Tesla has been exposed to some small bugs from time to time. For example, at the DEFCON hacker conference in August 2015, security researchers Marc Rogers and Kevin Mahaffey shared their research results on the Tesla Model S. They found 6 problems during the research process. These small bugs can be used to solve problems. Control the car by means of physical intrusion (not remote intrusion). Next, we introduce the process of their research. </p>
<h2 id="1" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 30px; font-weight: 500; box-sizing: border-box;">1 System Architecture</h2>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Figure 1 shows the Tesla Model S infotainment architecture. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/17111978762a599d9753" alt="" /></a><br style="box-sizing: border-box;" /> Figure 1 Tesla Model S infotainment system architecture (image source lookout.com)</p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> The entertainment and information system of Model S is isolated from the CAN network of the controller. Each module of the entertainment information system communicates through a local area network, while the various controllers of the car (such as power brakes, etc.) communicate through CAN, and the entertainment system communicates with the CAN network. connected through a gateway. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">First, let's take a look at several modules of the Model S infotainment system, namely the dashboard, central information display and gateway, The dashboard and the central information display both modules run an older version of the Ubuntu operating system, and the gateway runs FreeRTOS, an open source real-time operating system. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (1) The instrument system is also called instrument cluster IC (Instrument Cluster), which is located in front of the steering wheel An 8-inch screen, running Ubuntu Linux operating system, the processor is NVIDIA Tegra3, as shown in Figure 2. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(2) The central information display module CID (Central Information Display) is the 17-inch large screen in the center of the car, running Ubuntu Linux operating system, the processor is NVIDIA Tegra4, as shown in Figure 3 and Figure 4. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/17116bb77b772d075c4a" alt="" /></a><br style="box-sizing: border-box;" /> Figure 3 Inside CID<br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration:
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (3) Gateway (Gateway): connect infotainment system and controller network, integrate with CID, run FreeRTOS operating system. Figure 5 shows the architecture of the Model S entire network. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/1711151a46efb264551a" alt="" /></a><br style="box-sizing: border-box;" /> Figure 5 Network architecture of Model S</p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> This kind of network architecture that isolates the car's controller network from the entertainment information system is a very good design, because the entertainment information system has rich network connections, and when hackers invade the entertainment system, they need to go through the gateway to control the key components of the car [ For example, driving safety-related components (such as electric steering, electronic brakes, etc.)]. </p>
<h2 id="2" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 30px; font-weight: 500; box- sizing: border-box;">2 information collection</h2>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">First analyze the system to find out possible Attack vectors, and then study specific attack vectors, first physical attack vectors. The following possible physical attack vectors are found through analysis. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (1) CID has two removable memory cards. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (2) CID has a USB interface. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (3) A 4-pin Ethernet interface. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (4) Various test points and debugging diagnostic interfaces. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Then test the found physical attack vector and other attack vectors. The test results are as follows. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Browser: Not only the operating system that CID runs on is an old version of Ubuntu, but the browser it runs It is also an older version. The browser is based on WebKit 534.34. This version of the browser engine has several well-known vulnerabilities. These vulnerabilities can crash the browser without implementing code execution. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Bluetooth: No vulnerability found. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">USB: CID can be restarted into NVIDIA Tegra Recovery mode through CID's USB interface, but the bootloader is Password protected, so there is no way to extract the firmware this way. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Memory Cards: One of the memory cards has a file called carkeys.tar that contains this Model The OpenVPN authentication information of S, that is, an X509 standard certificate, an RSA private key, and an OpenVPN static key, are equivalent to car keys, so the keys of future cars may be based on cryptographic algorithms, as shown in Figure 6. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/17114b925975d19d8786" alt="" /></a><br style="box-sizing: border-box;" /> Figure 6 carkeys file decompression result</p>
<p style="margin: 0px 0px 10px;
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Wi-Fi: No open ports were found after connecting Model S to Wi-Fi, but when Model S connected After connecting to Wi-Fi, it will first determine the network connectivity by initiating http requests to some servers. After determining the network connectivity, it will try to connect to the Tesla server (address is vpn.vn.teslamotors.com) through OpenVPN. Since OpenVPN is configured correctly, man-in-the-middle attacks are not possible. Figure 7 shows the configuration of Tesla VPN. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/1711e71570d5532edaf6" alt="" /></a><br style="box-sizing: border-box;" /> Figure 7 Tesla VPN configuration</p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Tesla's OpenVPN uses UDP protocol with tls-auth enabled, which is the one included in CarKey.tar The use of static keys is to add HMAC (Keyed-Hashing for Message Authentication) to data packets for message authentication, to prevent DoS attacks, port scanning, unauthorized SSL/TLS handshake and initialization, etc. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Because both the Tesla server and the car's certificate chain are issued by the same root certificate authority, So if the configuration is not good, there may be vulnerabilities. Figure 8 shows Tesla's certificate chain. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Tesla has a root certificate authority (root CA), and a Policy CA (policy CA) is linked below the root certificate authority Certificate Authority, whose own certificate is issued by the root CA), then Policy CA also issued an Issuing CA (issuing CA), and finally this CA is used to issue the server's certificate and the car's certificate (the car's certificate is used for The server authenticates the car), since both the server and the client are issued by the same CA, if the certification of the certificate only checks the issuing CA of the certificate, there will be security problems. x509v3EKU (Extended Key Usage is an extended standard that specifies the use of public keys) specifies the use of a public key in a certificate, that is, a certificate can only be used for a specific purpose, such as a VPN server certificate can only be used Used for server authentication, while CarKey's certificate can only be used for client authentication. OpenVPN can set whether to verify the use of the key specified in the EKU, so our problem is that in case the Tesla car does not open this pair of public keys (such as those contained in CarKey.tar and the VPN server) when configuring OpenVPN What about the purpose of the public key contained in the incoming certificate)? So if you make a fake server FauxpenVPN (remember we said about attack in the middle), when the car communicates with our fake FauxpenVPN, it sends hello to FauxpenVPN, then the fake server takes the certificate in the car's CarKey.tar Return to the cart, as shown in Figure 9. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">The certificate in the CarKey is the same as the certificate chain of the real VPN server, if Tesla is configuring the OpenVPN service Without checking the use of the EKU certificate mentioned earlier (because we sent the server a certificate extracted from a file called CarKey.tar in the car, and this certificate is used for client authentication), then the car will trust FauxpenVPN , a man-in-the-middle attack can be performed, as shown in Figure 10. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/1711caf5781a378a47dc" alt="" /></a><br style="box-sizing: border-box;" /> Figure 10 Schematic diagram of using client certificate to forge server</p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Since the Model S verifies the server EKU, the certificate in CarKey.tar (for client authentication) cannot be used ) to forge the server (since a certificate for server-side authentication is required) to interact with the car. If you can find a certificate issued by the Issuing CA and the EKU of this certificate is specified for server-side authentication, it is possible to forge a VPN server to perform a man-in-the-middle attack. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Ethernet interface: As shown in Figure 11, the Ethernet interface was first discovered by a Tesla owner And posted it on the Tesla owner forum. Before that, everyone thought this interface was strange because it was different from the regular Ethernet interface. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">This interface can communicate with the car's infotainment system network. After connecting to the infotainment system network, use tools such as Nmap to Intranet scan can find 3 devices, one is CID, one is IC, and the other is gateway. These three devices send a large number (about 1000 packets per second) of UDP broadcast packets (destination address 192.168.90.255), and use different ports according to different data types, which is very similar to the CAN bus mechanism. Each node broadcasts data to the network, and the node that needs the data receives the required data. Guess the port number here is similar to the CAN message ID. Some open ports and corresponding services were also found through scanning, as shown in Table 1. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/171147b5b74ef5a29c74" alt="" /></a><br style="box-sizing:
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Two of the scanned services are old versions that have been exposed to vulnerabilities, namely DNS Proxy: runs dnsmasq 2.58 and HTTP Service: mini_httpd 1.19. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Also, as the scans show, both the CID and IC are running X11 servers and don't have any Authentication, so you can change the display content at will, as shown in Figure 12. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/17114e0b56f5582596bd" alt="" /></a><
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">Finally, they also found two programs ic-updater and cid-updater running on IC and CID respectively, Literally understand that these two programs are the upgrade programs of IC and CID respectively. The function is to obtain diagnostic information, upload files or firmware. Most of the commands of these two programs are protected by authentication, but some of them are not, such as ‘ status’, these two programs will print out many key information of the infotainment system when inputting the status command ‘status’, which is an information disclosure vulnerability. Figure 13 shows the information displayed by ic-updater status. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/171140a18becae6b7030" alt="" /></a><br style="
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">In fact, the breakthrough point of the whole research later is caused by this vulnerability, which is given in the information printed through this vulnerability. URL to download firmware. </p>
<h2 id="3" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 30px; font-weight: 500; box-sizing: border-box;">4 frustrations in testing</h2>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">While Marc Rogers was doing his research, other researchers found that ethernet port, which Tesla had via a remote upgrade. The port has added an authentication mechanism. Originally, it was possible to communicate with the intranet by connecting the Internet cable, but now it can’t. However, because we know that the IC and CID are both on the intranet, we can directly connect the network cable to the CID or the Ethernet interface of the IC. Enter the intranet, as shown in Figure 14. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/1711b203a75a1528c92c" alt="" /></a><br style="box-sizing: border-box;" /> Figure 14 Directly connect the network cable to the CID</p>
<h2 id="4" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 30px; font-weight: 500; box-sizing: border-box;">5 测试中的突破</h2>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">The information printed by the status command of the cid-updater service contains a special URL: firmware_download_url=hxxp ://firmware-bundles.vn.teslamotors.com:4567/… which literally means the URL to download the firmware. Since Tesla's OpenVPN configuration has been figured out when trying to conduct a man-in-the-middle attack on OpenVPN before, and the Tesla client's certificate and key have been found from the CarKeys.tar file in the memory card, it is possible to communicate with Tesla. service to establish a VPN connection to download firmware. The downloaded firmware is about more than 600 megabytes, which is a SquashFS file system. After decompressing, I tried to find the private key and Shadow file (the file that stores the user name and password hash and other related information in the Linux system), and found the Shadow file of IC. The next step is to try to crack the Shadow file to obtain the password (such as rainbow table, dictionary, brute force cracking, etc.). The password set by Tesla is a weak password and can be easily cracked. In fact, several accounts cracked through the Shadow file are weak passwords. After you have the secret code and account, you can access the IC through SSH, and the account with the broken password is sudoer (although it is not root, you can execute commands with root authority through sudo), and thus obtain the root authority of the IC, such as shown in Figure 15. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank">
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">IC root permission has been done, the next step is to obtain CID root permission, because there is no CID shadow file, so Only by continuing to analyze the firmware, it is found by analyzing the firmware that the CID will obtain a security token (Security Token) from a server named mothership every 24 hours, and then set the password of an account named tesla1 to this security token. The CID will also issue the security token to the IC, and the IC will store the security token in plaintext. By finding this security token in the IC's file system, you can log in to the tesla1 account on the CID, and this tesla1 account is also a sudoer. In this way, the root permissions of the IC and the CID are all done. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">In addition, after the aforementioned Ethernet result is added to the authentication mechanism, this token is actually used for authentication, and the gateway (here Refers to the "gateway" responsible for authentication between the Ethernet interface and the infotainment network) every 30 seconds, the device that accesses the infotainment network through this Ethernet interface will be authenticated. The device calculates a hash value based on the token, VIN, and a salt and sends it by broadcasting. Figure 16 shows the automatic authentication code. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/171108a7a426ae3759fb" alt="" /></a><br style="box-sizing: border-box;" /> Figure 16 Ethernet interface automatic authentication code</p>
<h2 id="5" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 30px; font-weight: 500; box- sizing: border-box;">6 control the car</h2>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">After obtaining the root permission of IC and CID, Next, let’s look at how to control the car. The Model S’s intranet data transmission rate is high, about 500~1000 UDP packets per second. It is difficult to find out which packets contain control data, so it is judged by the analysis program. Which data is displayed through the operation of the mobile phone application or the button on the CID can quickly figure out which data controls which functions. After figuring out the data that controls some functions, it is also necessary to figure out which service sends these data. Since it is controlled through the touch screen of the CID, use the strace system call monitoring command on the CID to analyze which service sends these data. data, it turns out that a service called QtCarVehicle sent those control packets. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">QtCarVehicle contains a class called Gateway Message Sender, a class for sending messages through a gateway, and then Methods that perform various functions of this class. At this point, you can execute the preset function by calling this service. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">It is worth noting that after reverse analysis, it is also found that Model S does not send CAN raw data packets directly through the infotainment system To control the car, the method of API call is adopted, that is, the CID requests the gateway to perform an operation of a certain function through the function call interface. These function operations are all predefined and permitted operations. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">It is very important that the entertainment system requests the gateway to perform a specific operation through the functional interface (here refers to the CID requesting through the API) Gateway), this design can ensure that after the infotainment system is hacked, the original CAN data cannot be sent directly to the CAN bus, and only the pre-set "allowed" functions can be executed. Of course, this is on the premise that the gateway is not compromised (for example, in the Jeep case, the attacker flashed the modified firmware into the V850). </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">After testing, I found a series of preset function calls, the most influential of which may be to close the car ( VAPIPoweroff) this function, when the car is driving at a speed lower than 5 miles, calling this function will make the car brake suddenly and stop, and calling this function when it is higher than 5 miles will make the car not accelerate, but brake and steer All are under the normal control of the driver. Other functions that can be controlled via the CID's touchscreen can also be controlled. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">In order to achieve remote control, establish an SSH tunnel connection between the CID and a control server, and then use the previously found The token accesses the CID through SSH, as shown in Figure 17. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/1711fbcdda9f50425c9c" alt="" /></a><br style="box-sizing: border-box;" /> Figure 17 Access CID</p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">After accessing the CID, calling the functions provided by the QtCarVehicle service can control some functions of the car, such as turning off the power, as shown in Figure 18 Show. <br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="" src="http://download.broadview.com.cn/Original/1711847eb46d2d824db6" alt="" /></a><br style="box-sizing: border-box;" /> Figure 18 Execute the power-off script</p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">You can also control the following functions. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(1) Power the car off. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(2) Start the car. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(3) Lock and unlock the doors. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(4) Open and close the sunroof. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(5) Open and close the front and rear trunks. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(6) Control the headlights. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(7) Control the suspension. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(8) Control the air conditioning. </p>
<p style="margin:
<h2 id="6" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 30px; font-weight: 500; box-sizing: border-box;">7 本文小结</h2>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">图19所示为整个研究过程的总结图。<br style="box-sizing: border-box;" /><a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href="/admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box;" title="" src="http://download.broadview.com.cn/Original/171161ece026eca8a7c7" alt="" /></a><br style="box-sizing: border-box;" />Figure 19 Flow chart of the entire research process</p>
<h3 id="7" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 24px; font-weight: 500; box- sizing: border-box;">7.1 Tesla does a better job</h3>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(1) Remote upgrade: When there is a security vulnerability, Tesla only needs to push the patch remotely, without the need to recall or send a USB stick like the Jeep Uconnect vulnerability. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (2) VPN configuration is correct: The VPN used by Tesla is configured correctly, there will be no common Vulnerabilities (such as man-in-the-middle attacks due to configuration flaws). </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (3) Timely update of account keys: Tesla's keys are updated every 24 hours once. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (4) Isolation of the controller network and the infotainment system: Model S uses a gateway to isolate the car's controller network (CAN) and the infotainment system, and the gateway only allows preset function calls. </p>
<h3 id="8" style="margin: 20px 0px 10px; padding: 0px; color: inherit; line-height: 1.1; font-family: inherit; font-size: 24px; font-weight: 500; box- sizing: border-box;">7.2 areas for improvement</h3>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (1) Wi-Fi static password : The Wi-Fi of Tesla Service Center called Tesla Service (Tesla will automatically connect to Wi-Fi) uses a static password shared between cars. use the same static key. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (2) Border security model: Model S has very strong border security, but intranet security Not very robust, designers should assume that an attacker can gain access to the infotainment system network, although getting into the network won't have much impact. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> (3) Store authentication information in plain text: VPN keys and security tokens are stored in plain text In the file system, it is safer to store these critical information in a hardware security module (such as TPM, Trusted Platform Module). </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">(4) Communication between nodes on the infotainment system network is not encrypted, and some are not authenticated: nodes on the network Communication between them is not encrypted, so attackers can analyze all traffic on the network. In addition, only a small number of services use an authentication mechanism. If node-level security is to be achieved, all nodes on the network must not have any trust in the network, and any communication between nodes should be encrypted and authenticated. </p>
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;">The above is excerpted from <a style="color: #00c1de; text-decoration: none; box-sizing: border -box; transition: color 0.2s;" href="http://www.broadview.com.cn/book/2594">"Smart Vehicle Security Attack and Defense"</a>, click this link to view the blog post Check out this book on the official website. <br style="box-sizing: border-box;" /> <a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="picture description" src="http://img.blog.csdn.
<p style="margin: 0px 0px 10px; padding: 0px; box-sizing: border-box;"> If you want to get more exciting articles in time, you can search for "blog post viewpoint" in WeChat or scan the QR code below and follow. <br style="box-sizing: border-box;" /> <a style="color: #00c1de; text-decoration: none; box-sizing: border-box; transition: color 0.2s;" href=" /admin/blogs/javascript:;" target="_blank"><img style="border: 0px currentColor; vertical-align: middle; cursor: pointer; max-width: 100%; box-sizing: border-box; " title="picture description" src="http://img.blog.csdn.net/20161128135240324" alt="picture description" /></a></p>
<p style="margin: 0px 0px 10px ; padding: 0px; box-sizing: border-box;"> </p>
</div></div>
