Weaknesses in the way Tesla lets drivers control their cars could allow someone to easily open the doors to one of the super-efficient vehicles, a security researcher has warned.
Whilst praising the Tesla Model S for its innovation, Nitesh Dhanjani said the car manufacturer’s website did not appear to have any particular account lockout policy when large numbers of login attempts were made.
A brute force attempt on the login pages could therefore open up user accounts, he said. Similar tactics could be used to gain access to the iPhone app, which allows the user to unlock the car, determine its location and view its charge status.
“Tesla should address the issue of using static passwords with low complexity requirements,” Dhanjani said in a blog post.
“Tesla owners should be aware of risks based on the current situation and take precautions.” Those precautions should include stronger passwords, added Dhanjani, who had presented his findings at BlackHat Asia.
He also warned of the potential for malicious third-party applications to connect to the Tesla application programming interface (API). It appeared, looking at the Google Glass app for Tesla, that those apps connecting to the API would handle logins for users, indicating usernames and passwords would be shared with the third-party software.
“Until Tesla announces an SDK and methods they are going to outline to sandbox applications, users should refrain from using third party applications,” he added.
“Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level.”
Tesla had not responded to a request for comment at the time of publication.
The car company has a responsible vulnerability disclosure programme and has hired various big name security professionals to ensure its cars are safe. That included the “hacker princess” of Apple, Kristin Paget.
Are you a security pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…