Tesla ‘Hack’ Can Unlock Car Doors

Weaknesses in the way Tesla lets drivers control their cars could allow someone to easily open the doors to one of the super-efficient vehicles, a security researcher has warned.

Whilst praising the Tesla Model S for its innovation, Nitesh Dhanjani said the car manufacturer’s website did not appear to have any particular account lockout policy when large numbers of login attempts were made.

A brute force attempt on the login pages could therefore open up user accounts, he said. Similar tactics could be used to gain access to the iPhone app, which allows the user to unlock the car, determine its location and view its charge status.

Brute forcing Tesla logins

“Tesla should address the issue of using static passwords with low complexity requirements,” Dhanjani said in a blog post.

“Tesla owners should be aware of risks based on the current situation and take precautions.” Those precautions should include stronger passwords, added Dhanjani, who had presented his findings at BlackHat Asia.

He also warned of the potential for malicious third-party applications to connect to the Tesla application programming interface (API). It appeared, looking at the Google Glass app for Tesla, that those apps connecting to the API would handle logins for users, indicating usernames and passwords would be shared with the third-party software.

“Until Tesla announces an SDK and methods they are going to outline to sandbox applications, users should refrain from using third party applications,” he added.

“Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level.”

Tesla had not responded to a request for comment at the time of publication.

The car company has a responsible vulnerability disclosure programme and has hired various big name security professionals to ensure its cars are safe. That included the  “hacker princess” of Apple, Kristin Paget.

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago