Tesla Automatic Driving Under Scrutiny By US Regulators

The US National Highway Traffic Safety Administration (NHTSA) has opened a formal investigation into Tesla’s automatic driving features (PDF), claiming to have identified 11 accidents that are of concern. In particular, they are looking at the feature Tesla calls “Autopilot” or “traffic-aware cruise control” while approaching stopped responder vehicles like fire trucks or ambulances. According to the statement from NHTSA, most of the cases were at night and also involved warning devices such as cones, flashing lights, or a sign with an arrow that, you would presume, would have made a human driver cautious.

Quote from Tesla support page: "The currently enabled Autopilot and Full Self-Driving features require active driver supervision and do not make the vehicle autonomous."

There are no details about the severity of those accidents. In the events being studied, the NHTSA reports that vehicles using the traffic-aware cruise control “encountered first responder scenes and subsequently struck one or more vehicles involved with those scenes.”

Despite how they have marketed the features, Tesla will tell you that none of their vehicles are truly self-driving and that the driver must maintain control. That’s assuming a lot, even if you ignore the fact that some Tesla owners have gone to great lengths to bypass the need to have a driver in control. Tesla has promised full automation for driving and is testing that feature, but as of the time of writing the company still indicates active driver supervision is necessary when using existing “Full Self-Driving” features.

We’ve talked a lot about self-driving car safety in the past. We’ve also covered some of the more public accidents we’ve heard about. What do you think? Are self-driving cars as close to reality as they’d like you to believe? Let us know what you think in the comments.

This Week In Security: John Deere, ProxyLogon Detailed, And Pneumatic Tubes

We’ve covered the right-to-repair saga, and one of the companies that have become rather notorious is John Deere. The other side to the poorly managed interconnected mess is security issues. There’s a certain irony to how this story started: Somebody noticed that John Deere equipment didn’t have any CVEs at all. A normal person might think that this must mean their products are super secure, but a security researcher knows that something more interesting is afoot. Our old friends [Sick Codes], [John Jackson], and a host of others saw this as a sure sign that there were plenty of vulnerabilities to be found, and it seems they were correct.

Remote Access and Code from 2014…

Vulnerabilities included a handful of cross-site scripting attacks, an authentication bypass via request smuggling, misconfigured security, SQL injections, RCEs and more. Put together, these vulnerabilities allowed for full control of the John Deere system, including the ability to manipulate all the equipment connected to the system.

During the Defcon presentation, linked below, [Sick Codes] recalled the moment when they realized they were working on an important problem. Rather than complain about not getting paid for the vulnerabilities found, a contributor simply noted that he valued having food to eat. A coordinated attack on JD equipment could cause big problems for a bunch of farms across a country.

They ended up contacting CISA, due to a lack of serious response from the vendors. CISA took the threat seriously, and the problems started getting fixed. This isn’t a problem limited to one company. Case had similar issues that have also been fixed, and it was implied that other vendors have similar problems that are still in the process of being addressed.

No Hole In One: Perseverance Strikes Out On First Mars Core Attempt

There’s a military adage that no plan survives first contact with the enemy. While we haven’t gone to war with Mars, at least not yet, it does seem to be a place where the best-laid scientific plans are tested in the extreme. And the apparent failure of Perseverance to retrieve its first Martian core sample is yet another example of just how hard it is to perform geotechnical operations on another planet.

To be sure, a lot about the first sampling operation went right, an especially notable feat in that the entire process is autonomous. And as we’ve previously detailed, the process is not simple, involving three separate robotic elements that have to coordinate their operations perfectly. Telemetry indicates that the percussive drill on the end of the 2.1 m robotic arm was able to use its hollow coring bit to drill into the rock of Jezero crater, and that the sample tube inside the coring bit was successfully twisted to break off the core sample.

But what was supposed to happen next — jamming of the small core sample inside the sample tube — appears not to have happened. This was assessed by handing the sample tube off to the Sample Handling Arm in the belly of Perseverance, where a small probe is used to see how much material was recovered — none, in this case. NASA/JPL engineers then began a search for the problem. Engineering cameras didn’t reveal the core sample on the Martian surface, meaning the sample handling robots didn’t drop it. The core sample wasn’t in the borehole either, which would have meant the camming mechanism designed to retain the core didn’t work. The borehole, though, looked suspicious — it appears not to be deep enough, as if the core sample crumbled to dust and packed into the bottom of the hole.

If this proves to be the cause of the failure, it will be yet another example of Martian regolith not behaving as expected. For InSight, this discovery was a death knell to a large part of its science program. Thankfully, Perseverance can pick up and move to better rock, which is exactly what it will be doing in September. They still have 42 unused sample tubes to go, so here’s to better luck next time.

[Featured images: NASA/JPL-Caltech]

Tesla’s Megapack Battery Burned For Days In Grid Storage Fire

Lithium rechargeable batteries have been heralded for their high-density energy storage, enabling all manner of technologies to come to fruition. From drones to practical electric cars to large-scale grid storage, the applications are endless.

The fire as seen from a drone overhead. Source: Twitter/@FireRescueVic

However, the lithium rechargeable battery has always had one major flaw: flammability. Pushed outside their operating range or otherwise tipped into thermal runaway, these batteries can burn ferociously.

This came to pass in late July, at the Victorian Big Battery in Geelong, Australia, and it took significant effort to extinguish the blaze. Let’s take a look at the project and see how this came to occur.

Grid-Scale Storage

The Victorian Big Battery is a grid storage project similar in construction to the Hornsdale Power Reserve in neighboring South Australia. However, where the Hornsdale facility fields 194 MWh of capacity and 150 MW peak power delivery, the new project aims to go much further. The Victorian project aims to install 450 MWh of capacity and deliver a peak power output of 300 MW.


Review: Mini AMG8833 Thermal Camera

In our ceaseless quest to bring you the best from the cheaper end of the global electronics markets, there are sometimes gadgets that we keep an eye on for a while because when they appear they’re just a little bit too pricey to consider cheap.

Today’s subject is just such a device: a minimalist infra-red camera using the 8 pixel by 8 pixel Panasonic AMG8833 thermal sensor. This part has been around for a while, but even though any camera using it has orders of magnitude less performance than more accomplished models, it has remained a little too expensive for a casual purchase. Indeed, these mini cameras were somewhere above £50 ($70) when they first came to our attention, but have now dropped to the point at which they can be found for somewhere over £30 ($42). Thirty quid is cheap enough for a punt on a thermal camera, so off went the order to China and the expected grey parcel duly arrived.

The interface on this camera is about as simple as it gets.

It’s a little unit, 40 mm x 35 mm x 18 mm, constructed of two laser-cut pieces of black plastic held together by brass stand-offs that hold a PCB between them, and on the front is a cut-out for the sensor while on the rear is one for the 35 mm OLED display. At the side on the PCB is a micro USB socket which serves only as a power supply. It’s fair to say that this is a tiny unit.

Applying power from a USB battery bank, the screen comes up with a square colour thermal picture and a colour to temperature calibration stripe to its left. The colours adapt to the range of temperatures visible to the sensor, and there is a crosshair in the centre of the picture for which the temperature in Celsius is displayed below the picture. It’s a very straightforward and intuitive interface that requires no instruction, which is handy because the device has none.

Permanent Artificial Hearts: Long-Sought Replacements May Not Be Far Away

The number of artificial prosthetic replacement parts available for the human body is really quite impressive. From prosthetic eyes to artificial hips and knees, there are very few parts of the human body that can’t be swapped out with something that works at least as well as the original, especially given that the OEM part was probably in pretty tough shape in the first place.

But the heart has always been a weak spot in humans, in part because of the fact that it never gets to rest, and in part because all things considered, we modern humans don’t take really good care of it. And when the heart breaks down past the point where medicine or surgery can help, we’re left with far fewer alternatives than someone with a bum knee would face. The fact is that the best we can currently hope for is a mechanical heart that lets a patient live long enough to find a donor heart. But even then, tragedy must necessarily attend, and someone young and healthy must die so that someone else may live.

A permanent implantable artificial heart has long been a goal of medicine, and if recent developments in materials science and electrical engineering have anything to say about it, such a device may soon become a reality. Heart replacements may someday be as simple as hip replacements, but getting to that point requires understanding the history of mechanical hearts, and why it’s not just as simple as building a pump.


This Week In Security: Insecure Chargers, Request Forgeries, And Kernel Security

The folks at Pen Test Partners decided to take a look at electric vehicle chargers. Many of these chargers are WiFi-connected, and let you check your vehicle’s charge state via the cloud. How well are they secured? Predictably, not as well as they could be.

The worst of the devices tested, Project EV, didn’t actually have any user authentication on the server-side API. Knowing the serial number was enough to access the account and control the device. The serial numbers are predictable, so taking over every Project EV charger connected to the internet would have been trivial. On top of that, arbitrary firmware could be loaded remotely onto the hardware, representing a real potential problem.

The EVBox platform had a different problem, where an authenticated user could simply specify a security role. The tenantadmin role was of particular interest here, working as a superadmin that could see and manage multiple accounts. This flaw was patched within an impressive 24 hours. The EVBox charger, as well as several other devices they checked, had fundamental security weaknesses due to their use of Raspberry Pi hardware in the product. Edit: The EVBox was *not* one of the devices using the Pi in the end product.

Wait, What About the Raspberry Pi?

Apparently the opinion that a Raspberry Pi didn’t belong in IoT hardware caught Pen Test Partners some flak, because a few days later they published a follow-up post explaining their rationale. To put it simply, the Pi can’t do secure boot, and it can’t do encrypted storage. Several of the flaws they found in the chargers mentioned above were discovered because the device filesystems were wide open for inspection. A processor that can handle device encryption, ideally better than the TPM and Windows Bitlocker combination we covered last week, gives some real security against such an attack.