A luxury Tesla Model S, maxed out with options and bells-and-whistles, is worth over $100,000.
You wouldn’t really expect the only thing preventing a thief from unlocking it to be a simple six-character password, would you?
Security researcher Nitesh Dhanjani owns a Tesla vehicle, and discovered that if you can find out an owner’s password you can unlock their fully-electric vehicle.
All you need is the password and the handy Tesla Model S iPhone App.
– Check charging progress in real time and start or stop charge
– Heat or cool Model S before driving — even if it’s in a garage
– Locate Model S with directions or track its movement across a map
– Flash lights or honk the horn to find Model S when parked
– Vent or close the panoramic roof
– Lock or unlock from afar
So, if you’re unlucky enough to have your password stolen or cracked, a criminal can gain access to your Tesla car. In fact, they can unlock it “from afar” if they wish.
You can also have your movements tracked by a jealous partner or malicious stalker, or a prankster could make your car honk its horn or open the panoramic roof in the rain.
Oh, the jolly japes that could be had with this… especially as the vast majority of people either choose dumb, easy-to-guess passwords or re-use passwords in multiple places. Not to mention those folks who leave their unlocked iPhones just lying around for anyone to abuse.
Yes, you might be wondering why you would ever need an iPhone app to unlock your car, or to heat its seats, but stop being such a kill-joy. This is the “internet of things” and it’s progress ™.
Dhanjani’s research, which he revealed at a conference in Singapore, raised concerns about Tesla’s security, including that the Tesla website does not appear to lock out accounts after multiple incorrect login attempts – leaving a window of opportunity for online brute-force password-guessing attacks.
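To make the "no lockout" problem concrete, here is a small added illustration (written for this post; it is not code from the article, from Dhanjani's research, or from Tesla). It simulates a login endpoint two ways – accepting unlimited guesses, and with a per-account failed-attempt lockout that expires after a timeout – and runs the same short dictionary attack against both. It also compares the six- and eight-character keyspaces that the later password-length change is about. The account, password, word list and the lockout numbers are all made-up assumptions.

```python
"""
Added example: a login check with and without an account lockout, plus a
constructed dictionary attack run against each.  Nothing here is Tesla's
code; the user, the weak password, the word list and the limits are assumed.
"""
import hashlib
import hmac
import time

# Constructed sample account with a weak six-character password.
# A real system must store a salted, slow hash (bcrypt/scrypt/argon2);
# plain sha256 is used only so the example runs with no dependencies.
USERS = {"owner@example.com": hashlib.sha256(b"tesla1").hexdigest()}

# Constructed attacker word list; a real one would be far longer.
WORDLIST = ["123456", "password", "tesla", "model1", "qwerty", "tesla1"]


def _password_matches(user, password):
    stored = USERS.get(user)
    guess = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, guess)


class NoLockoutLogin:
    """Accepts unlimited guesses: only the password itself keeps the attacker out."""

    def attempt(self, user, password):
        return _password_matches(user, password)


class LockoutLogin:
    """Counts failures per account and refuses logins once a threshold is hit.

    The lockout expires after `lockout_seconds` so the real owner is not shut
    out forever (an attacker who knows the email can otherwise use the lockout
    itself as a denial of service).  `clock` is injectable for testing.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> clock value at which lockout ends

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # lockout expired: clear it and reset the failure counter
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password):
        if self.is_locked(user):
            return False  # refused without even checking the password
        if _password_matches(user, password):
            self.failures[user] = 0
            return True
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
        return False


def dictionary_attack(login, user, wordlist):
    """Try every word in order; return (cracked_password_or_None, attempts_made)."""
    for i, word in enumerate(wordlist, 1):
        if login.attempt(user, word):
            return word, i
    return None, len(wordlist)


def keyspace(length, alphabet_size=62):
    """Number of candidates for a password of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols (62 = a-z, A-Z, 0-9)."""
    return alphabet_size ** length


if __name__ == "__main__":
    user = "owner@example.com"
    print("no lockout :", dictionary_attack(NoLockoutLogin(), user, WORDLIST))
    print("with lockout:", dictionary_attack(LockoutLogin(), user, WORDLIST))
    print("8 chars / 6 chars keyspace ratio:", keyspace(8) // keyspace(6))
```

Against the unlocked endpoint the sixth guess succeeds; against the locked one the account is frozen after the fifth failure and the correct guess is never even evaluated. A lockout on its own is not the whole answer – it lets anyone who knows the victim's email lock them out, so production systems normally pair a modest per-account limit with per-source throttling, a slow password hash, and a second factor – but it removes the unlimited-guess window the article describes. Note too that going from six to eight characters over that 62-symbol alphabet multiplies the keyspace by 62², i.e. 3,844 times, which matters for offline cracking but does little against online guessing if there is still no lockout.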
Dhanjani further noted that anyone with temporary access to the Tesla owner’s email account could reset the password used to secure access to the car, without being required to answer any secret questions or provide additional information.
Worryingly, third-party apps may further expose Tesla car owners’ passwords. Dhanjani raises concerns about a Google Glass application called Tesla for Glass, which is supposed to allow gadget-lovers to monitor and control their Tesla vehicles.
However, the app demonstrates that malicious third-party applications could scoop up Tesla owners’ credentials in order to gain access to their vehicles. Until a proper SDK is released by Tesla, it might be sensible to avoid third-party apps.
The only real good news is that having the password, and control over the owner’s car via the Tesla Model S app, isn’t enough to allow hackers to actually drive off with your vehicle. For that they still need the key fob.
Dhanjani’s research has been shared with the folks at Tesla, who gave an official response to Ubergizmo:
“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”
When I read that, I wondered how much Tesla had already done to secure its systems.
Unfortunately, as an independent computer security blogger I don’t have the funds to splash out on an expensive car to see how easy it is to unlock. But I can visit Tesla’s website and try to register an account…
Hmm. So, hats off to the Tesla security team. It appears that they have already taken *some* action at least. Now you need at least eight characters in your password, rather than six.
By the way, anyone else notice that “Tesla” is an anagram of “steal”?
Really? They only required 6 characters initially? My weakest password ever (that I long phased out) was 8 characters. Most of my passwords are 12+ and then there's the passphrases that are much longer still (with non-alphanumeric characters included, of course). (Some of these would not work with KeePass, but then I have many other measures in place.) That's off topic though, or at least off my topic that I'm leading to:
The concern is for services that are not operated by myself (as Ken Thompson rightly pointed out years ago, unless you can see the source code or equivalent, unless you can ensure proper measures are in place, then you cannot be 100% confident of security. And even then, all it takes is 1 single mistake or bad decision... so better stated is: you cannot be sure there is no foul play or no bad decisions – to the best of your knowledge – unless you yourself control it). For instance, how some companies' servers do not allow non-alphanumeric characters in passwords. They then claim to take security seriously. No one is perfect and nothing is perfect so there's bound to be mistakes (as we are shown very often over the years), but why make it even worse when the standard character set has had more than a-z, A-Z, 0-9 for years is beyond me. And then there is the oxymoron yet reality of: "security questions". Even worse is when they don't allow you to specify your own question (worse for those who know better than to think that the normal choices offered are at all acceptable), seeing as how their choices are absolutely horrible.
Scary…. and very nice touch with the realisation that Tesla is an anagram of Steal. Quite ironic given the article in question.
This sort of thing is no big deal for Tesla to fix. They have already been aware of this issue from the time when Nitesh Dhanjani discovered the security flaw and reported it to Tesla himself. I'm sure that Tesla is currently working on an "over-the-air" software update that will fix the problem, and it will be pushed out to all Model S cars very soon.
I would think implementing two factor authentication would help solve this…