Tesla owner scans Model S’ internal ethernet network, receives security call from Tesla

Interesting | April 6th, 2014 by 2
mevjypdtd2jxhvtfxyjy 750x500

A member of Tesla Motor Club Forum puts his white hacker hat on and connects his laptop to a white 4 pin connector on the …

A member of Tesla Motor Club Forum puts his white hacker hat on and connects his laptop to a white 4 pin connector on the left of the dashboard of his Model S. The port turned out to be an ethernet port, the kind used in computer networking.

Here is a summary of what he discovered:

“The car’s internal 100 Mbps, full duplex ethernet network consists of 3 devices with assigned IP addresses in the subnet, the center console, dashboard/nav screen and one more unknown device. Some ports and services that were open on the devices were 22 (SSH), 23 (telnet),53 (open domain), 80 (HTTP), 111 (rpcbind), 2049 (NFS), 6000 (X11). Port 80 was serving up a web page with the image or media of the current song being played. The operating system is modified version of Ubuntu using an ext3 filesystem.”

mevjypdtd2jxhvtfxyjy 750x422

But this type of white hacker behavior attracted the attention of the Tesla’s security department:

This evening I got a call from service center

They told me Tesla USA engineers seen a tentative of hacking on my car…

I explained it was me because I tried to connect the diagnosis port to get some useful data (speed, power, etc…). They told me it can be related to industrial espionage and advised me to stop investigation, to not void the warranty….
Don’t know if they really seen something in the log, because I just sniffed the network. Or maybe they seen the port scanning with nmap ? Or maybe they just read this topic ?

So it seems like the internal computer of the Model S follows most of the guidelines found today in operating systems and networking, and opens the door to many jailbreak opportunities. The question remains if this will void the car’s warranty.

Here the full discovery:


The ethernet network of the car contains 3 peripherals :
– The center console, IP Address
– The dashboard/navigation screen, IP Address
– An unknown peripheral, IP Address

These 3 peripheral send of lot of data in broadcast UDP, to broadcat address. Different UDP ports are used depending of data type.

In fact they use the same principle a CAN bus use :

– Everyone send data on the network
– Anyone who need it listen for this data.

The data shared on the netword seem to be in clear. I can see a Ascii header which define the type of the frame. Some data are in binary format thus it will need some reverse engineering to understand the data.

I also tested the openeds ports of the 3 peripherals :

– Central console :

22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
6000/tcp open X11
MAC Address: FA:9E:70:EA:xx:xx (Unknown)

– Dashboard screen :

22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
MAC Address: 36:C4:1F:2A:xx:xx (Unknown)

– Unknown device :

23/tcp open telnet
1050/tcp open java-or-OTGfileshare
MAC Address: 00:00:A7:01:xx:xx (Network Computing Devices)

[Source: Tesla Motor Club via Jalopnik]