Tesla cars' weak password protocol could allow remote unlock, locating

A researcher at Black Hat Asia highlighted security issues affecting Tesla Model S cars.

At Black Hat Asia 2014, a security researcher showed how the account passwords of Tesla electric car owners can be guessed with little effort, allowing an attacker to remotely locate and unlock a vehicle.

On Friday, Nitesh Dhanjani, a Seattle-based researcher, presented his findings in Singapore and posted a blog post alerting Tesla owners of the security issues.

According to Dhanjani, the company's official iOS app for its Model S electric cars – which allows users to unlock the vehicle and check the car's location and charging status, among other tasks – required only a six-character password for car owners to log in and access car features.

In a Monday follow-up interview, Dhanjani told SCMagazine.com that, since his presentation, Tesla appears to have added a further protection measure to stop unauthorized individuals from easily guessing users' passwords.

Tesla changed the login protocol so that, after a number of consecutive failed attempts, the account is locked out.

“They've installed a lockout [feature] now, where if you enter your password wrong five times in a row, you are locked out,” Dhanjani said, adding that the move was “a step in the right direction,” but “still not good enough.”
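The two controls discussed here, a minimum password length and a lockout after five consecutive failures, are simple to implement on the server side. The following is an added illustration, not Tesla's code and not from Dhanjani's research; the lockout duration, the twelve-character minimum and the PBKDF2 parameters are assumptions, since the article only reports "six characters" and "five times in a row". The clock is injectable so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5        # the threshold the article reports Tesla added
LOCKOUT_SECONDS = 15 * 60      # assumed: the article gives no lockout duration
MIN_PASSWORD_LENGTH = 12       # assumed: stronger than the six characters reported
PBKDF2_ITERATIONS = 100_000    # assumed: slows offline guessing if hashes leak


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked database cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_meets_policy(password: str) -> bool:
    """Reject the short passwords the article criticises."""
    return len(password) >= MIN_PASSWORD_LENGTH


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.failed_attempts = 0
        self.locked_until = 0.0   # epoch seconds; 0 means not locked


class Authenticator:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock        # injectable for testing the lockout window

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        self.accounts[username] = Account(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            # Hash anyway so timing does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "invalid"
        if now < account.locked_until:
            return "locked"      # even a correct password is refused while locked
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.failed_attempts = 0
            account.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def guesses_before_lockout(auth: Authenticator, username: str, candidates) -> int:
    """Count how many online guesses an attacker gets before the account locks."""
    tried = 0
    for guess in candidates:
        tried += 1
        if auth.login(username, guess) == "locked":
            break
    return tried


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("owner@example.com", "correct horse battery")   # constructed sample
    # Constructed wordlist: none of these is the real password.
    wordlist = [f"guess{i:02d}" for i in range(100)]
    print("guesses before lockout:", guesses_before_lockout(auth, "owner@example.com", wordlist))
```

Note that a lockout keyed only on the account means anyone who knows the owner's email address can lock the owner out of their own car app by entering five wrong passwords; in practice this is paired with per-source rate limiting and, as the researcher argues, a second factor, rather than relied on alone.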

Of the company's password authentication process, he said that he expected a much stronger protocol to be implemented.

“I would think that with a nearly $100,000 car, where people depend on it for their physical safety, [safety of their] belongings, as well as where it's located from a privacy perspective, that they would need to apply more than a six character [password], plus some sort of two-factor authentication method,” Dhanjani said.

The researcher explained that several scenarios, including brute-forcing account passwords and phishing emails designed to con users into giving up their credentials, were all potential attack methods.

In addition, the blog post noted that the high rate of password breaches elsewhere leaves users further exposed if they reuse the same credentials across numerous accounts.

On Monday, SCMagazine.com reached out to Tesla Motors but did not immediately hear back from the company.

In an interview, Dhanjani also warned users against using third-party apps marketed to Tesla users, as the company has yet to release a software development kit (SDK) for developers.

“In the meantime, there are third-party applications that have already started to crop up,” Dhanjani said. “And they are asking Tesla drivers to submit their [account] credentials, so they can connect to the Tesla cloud on behalf of customers, which is never a good thing.”
