Traditional hacking techniques can be used by criminals to remotely locate and unlock Tesla Model S electric vehicles simply by cracking a six-character password, claims a new report.
According to Nitesh Dhanjani, a corporate security consultant, Tesla owner and author of books on hacking, the Model S has several design flaws in its security system. However, he said his review didn’t find any hidden software vulnerabilities in the car’s major systems.
“We cannot be protecting our cars in the way we protected our workstations, and failed,” Dhanjani was quoted by Reuters during a presentation at the Black Hat Asia security conference in Singapore.
The Tesla Model S can only be driven when a key fob is present, but it can be unlocked via a command sent wirelessly over the Internet. Dhanjani said that if a password is stolen on cracked, a Model S vehicle can be located and unlocked, but not driven.
When users order the car, they are required to set up an account secured by a six-character password, which is used to unlock a mobile phone app and gain access to the user’s online Tesla account. This freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions. Dhanjani found that the password is vulnerable to attacks similar to those used to crack a computer or online account.
“It’s a big issue where a $100,000 car should be relying on a six-character static password,” he said. For example, an attacker might guess the password via Tesla’s website, which does not restrict the number of incorrect login attempts.
In addition, attackers could try to gain access to the password from the user’s computer via password-stealing viruses, or gain access to other accounts that might use the same password. Dhanjani added that he has passed on his findings to Tesla.
By Dan Mihalascu
PHOTO GALLERY
