One deep dark night on a dirt road on a remote mountain of an even more remote island, I rode swiftly downhill, passenger of a pickup truck. The driver shut our lights off. We sat in silence as the truck skidded and careened along the dusty road.

I barely could see the driver’s hands rolling quickly back and forth on the steering wheel to keep us from driving off the cliff ledge to our left. He didn’t slow down after lights-out, and when I turned my head more towards him he said warmly l’appel du vide or something like that and smiled broadly at the barely visible road ahead.

While the road itself is seen better with headlamps, by shutting them off we actually expanded our visibility further and were safer overall. And of course we revealed ourselves less dramatically (noise and dust still were emitted), which can reduce blindness in oncoming vehicles.

With so many experiences like this in the past, I often see lights as pollution and wonder how much longer we must accept theories of Victorian street-lamps as safer?

Apparently, the original lighting in London was so poor in 1763 that James Boswell was able to have sex with a prostitute on Westminster Bridge. The shadows and gloom of the pre-electrified world not just provided privacy for Mr Boswell’s actions but it was also a haven for crime.

To be fair I have seen couples having sex in the broad daylight on the eastbound platform at Charlton Station (CTN) in London, so it might not just be about visibility. Anyway, developing better vision integrated directly into the windshield, or our glasses seems like a much more sane and modern idea than trying to increase lumens everywhere. We wear sunglasses while driving, why not a night glass?

We save immense amounts of energy when we choose to leverage starlight and ambient heat, and reveal so much more…fortunately the US military is a big investor in technology along these lines and the latest iteration sounds quite nice:

The BNVD amplifies the small amount of existing light emitted by stars, the moon’s glow or other ambient light sources, and uses the light to clearly display objects in detail in very dark conditions. The COTI uses heat energy from the Marine’s surroundings to add a thermal overlay which allows the image to be viewed more clearly.

This seems light years ahead of driving with a common joint electronics Portable Visual Detecting or Range and Bearing, Search (AN/PVS)

Many moons ago you may remember this introduction to one of my car-hacking posts:

First, you need a Vehicle Identification Number (VIN). You can ask your friends or family for their VIN. You can walk into a parking lot, especially a Jeep dealer’s, and look at the VIN. Or you can search craigslist for a VIN. I used the SF bay area site but you can search anywhere using a simple URL modification…

The VIN is a token, a fairly important one, that requires manufacturers to use threat models to think about adversarial usage. Alas it sits in plain view both in person and online.

We interrupt this PSA about credential management to bring you a hot story about a brand new cutting edge technology Model 3 Tesla being stolen.

…a regular at the Trevls EV-only rent-a-car company in Minnesota was the key suspect in stealing a Model 3 rental car owned by the agency. According to the owner of Trevls, John Marino, the man simply walked up to the Model 3, opened it, got in, started it and drove off. Bloomington police are saying that “the man somehow manipulated the Tesla app to unlock and start the car, disabling the GPS before leaving town.”

The key here for the key suspect, puns intended, seems to be that this Tesla was rented before. The suspect had the VIN associated with his account and used the application, so was a temporary valid driver. A VIN has to be associated with an account to run the application, and I think most Tesla owners would not want any path for their public VINs to be “matched” to someone else’s account.

Alas, a rental company does exactly that, putting a VIN in random people’s accounts. The rental company claims they remove the VIN from a customer account after their rental, thus denying any further authorization. However, this driver likely realized since he was authenticated as a driver of that car at least once he probably could contact Tesla support and somehow convince them to add the VIN back to his account without authorization of the rental company. Or maybe the removal process wasn’t clean. Deprovisioning is notoriously hard in any credential system.

I’m going to go out on a limb here and say the Tesla application and driver support system wasn’t sufficiently threat modeled for the kind of VIN use that rental companies require, let alone social engineering talent of rental customers.

It reminds me once of sitting down with an automobile manufacturer and telling them while I enjoyed hacking cars I wasn’t about to start inserting USB into my rentals…and they interrupted me with a disgusted look on their face to say “WHY NOT?” I meekly explained I thought a lab was more appropriate as it would be dangerous for others to be renting cars I had been hacking on, especially when rental use wasn’t in the threat models (it wasn’t).

Police were scrambling for clues when this Tesla disappeared because, after the suspect reportedly disabled GPS, all the usual tracking signals (e.g. NFC/RFID scanning) on Interstate roads weren’t being helpful. The Tesla owner (rental company), on the other hand, noticed the stolen car being connected to the charging network and 1,000 miles from the scene of the crime (Minnesota to Texas in two days). Police simply went to the charging station and there they found the lazy thief, who despite noticing a loophole in authorization and means to disable GPS failed to think about other ways he could be charged.

And yes I wrote this entire thing just for the puns. You’re welcome.

Update Sept 15: Telsa has pushed an update (2018.34.1) that offers a “PIN to drive” security option to limit use of a key.

No word yet on the “forgot PIN, enter credentials to drive” flow resilience to social engineering. More to the point this update does not seem to leverage PIN to drive when using the mobile application with “keyless driving”…perhaps because if you can enter credentials for keyless driving you could start the car with the same credentials in the forgot PIN screen.

Well I have to say I was wrong twelve years ago about diesel motorcycles. No matter how patient I was for those Kawasaki to arrive, in the back of my head it was clear that hackers around me loved the zero-power-curve of electric bikes more than the long-distance of diesel.

At one point many years ago I was stuck in a long car ride around rural France (ask me another time about war-driving) with an aeronautical engineer and to kill time I opined about the benefits of light motorcycles with batteries easily outperforming gasoline. Only a few months later, back stateside, I received an email thanking me because he had built one himself and now was commuting effortlessly and with a smile.

I was gruntled, yet still awaited news of a diesel. Something about the plug-in/range didn’t suit my sense of riding.

With Harley, king of the long-haul open-road bikes, making a major electric research announcement like this, I officially give up on diesel bikes making it to civilian life:

Harley-Davidson, Inc. (NYSE: HOG) announced today it will establish a new research and development facility in Northern California to support its future product portfolio, including the company’s first complete line of electric vehicles.

Many, many years ago I worked on Cabletron switches, which in a bizarre twist led me to Milwaukee, WI. Unbeknownst to many, if not most, Harley was at that time doing cutting edge IT deployments. Also I attended wedding parties there of Harley workers that ended with the couple describing Harleys they would ride to California. I mean high-tech Harleys in California does make sense, in spite of their oil-splattered tinkering owners group heritage.

Until now my heart still ached for that Kawasaki diesel dual-sport we were promised. Oh well. The time has come to say diesel bikes aren’t going to make headlines. Perhaps electric range soon will be less of an issue as Harley clearly thinks about that spectrum. But will HOGs be able to keep their tinkering ways or is DRM also coming?