Hackers Can Unlock Tesla Cars by Stealing Owners’ Passwords

A security consultant has presented his findings at a recent conference in Singapore

By on March 31st, 2014 13:40 GMT

Corporate security consultant and Tesla owner Nitesh Dhanjani has demonstrated that hackers can open Tesla electric vehicles if they can obtain the password set when registering an online account on the company’s website.

The online account that’s created by owners enables them to control the car from their iPhones. They can lock and unlock the car, flash the lights, honk the horn, change its status and track its location.

While they wouldn’t be able to start the car, individuals with access to the password could track it down, unlock it and steal the valuable items they might find inside.

The password that’s set by Tesla owners when they create an account is six characters long, and it must contain at least one number and one letter.

This makes the password easy to obtain with brute-force attacks. Since it’s only 6 characters long, it’s not difficult to crack. Furthermore, there are no account lockout policies for incorrect login attempts.

Hackers can also use several other methods to obtain the credentials, including phishing attacks, malware, social engineering (of Tesla employees), by compromising the owner’s email account, or by relying on the fact that many people reuse the same password for multiple online services.

Another problem with Tesla’s security is the REST API. The API can be used to query the location of the vehicle, which is returned in a latitude and longitude format.

Furthermore, according to Dhanjani, the API implicitly encourages the sharing of credentials with untrusted third parties.

“The Tesla iOS App uses a REST API to communicate and send commands to the car. Tesla has not intended for this API to be directly invoked by 3rd parties. However, 3rd party apps have already started to leverage the Tesla REST API to build applications,” the expert explained.

One example of such an app is one that allows Google Glass users to monitor and control their Teslas from Glass. Malicious third-party applications or an insecure infrastructure of the app developer could expose the credentials.

Dhanjani has reported his findings to Tesla. While the company hasn’t said anything about these specific issues, it claims to be working diligently on making sure its systems are secure against cyber threats.

“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process,” Tesla spokesperson Patrick Jones told Ubergizmo.

1 Comment