Tesla cars' weak password protocol could allow remote unlock, locating
A researcher at Black Hat Asia highlighted security issues affecting Tesla Model S cars.
At Black Hat Asia 2014, a security researcher revealed how passwords for Tesla electric car owners can be easily cracked, allowing saboteurs to remotely locate and unlock vehicles.
On Friday, Nitesh Dhanjani, a Seattle-based researcher, presented his findings in Singapore and posted a blog post alerting Tesla owners of the security issues.
According to Dhanjani, the company's official iOS app for its Model S electric cars – which allows users to unlock the vehicle, check the car's location and charging status, among other tasks – required only a six character password for car owners to login and access car features.
In a Monday follow up interview, Dhanjani told SCMagazine.com that, since his presentation, it appears that Tesla has already added an additional protection measure to secure unauthorized individuals from easily cracking users' passwords.
Tesla changed the login protocol so that, after numerous failed attempts, a user would be locked out of the account.
“They've installed a lockout [feature] now, where if you enter your password wrong five times in a row, you are locked out,” Dhanjani said, adding that the move was “a step in the right direction,” but “still not good enough.”
Of the company's password authentication process, he said that he expected a much stronger protocol to be implemented.
“I would think that with a nearly $100,000 car, where people depend on it for their physical safety, [safety of their] belongings, as well as where it's located from a privacy perspective, that they would need to apply more than a six character [password], plus some sort of two-factor authentication method,” Dhanjani said.
The researcher explained that a number of scenarios, including brute force hacking accounts and phishing attacks via emails (to con users into giving up their credentials), were all potential attack methods.
In addition, the high incidence of password breaches further leaves users vulnerable, if they reuse credentials across numerous accounts, the blog post said.
On Monday, SCMagazine.com reached out to Tesla Motors but did not immediately hear back from the company.
In an interview, Dhanjani also warned users against using third-party apps marketed to Tesla users, as the company has yet to release a software development kit (SDK) for developers.
“In the meantime, there are third-party applications that have already started to crop up,” Dhanjani. “And they are asking Tesla drivers to submit their [account] credentials, so they can connect to the Tesla cloud on behalf of customers, which is never a good thing.”