Elon Musk and Tesla Motors Inc. may be fighting U.S. auto dealers at present, but they may soon be dealing with another kind of foe—hackers.
According to recently released research, Tesla’s electric vehicles can be found and unlocked by criminals. Hackers can access the vehicles by simply cracking a six-character password through common hacking techniques.
Nitesh Dhanjani is the man behind the research. A corporate security consultant and author of books on hacking, he recently conducted a study of the Tesla Model S sedan and discovered a number of design flaws in its security system. However, he did not find software vulnerabilities in the vehicle’s major systems.
Dhanjani, who owns a Tesla, presented his study at the Black Hat Asia security conference in Singapore last Friday.
“We cannot be protecting our cars in the way we protected our [computer] workstations, and failed,” he said at the conference.
According to Dhanjani, while the Model S can only be driven with a key fob, the car can be unlocked by a command transmitted wirelessly through the Internet. If the password is cracked or stolen, someone else can locate and access the vehicle. Though that person cannot drive the Model S, he or she can take its contents.
When consumers order the Model S, they are asked to set up an account protected by a six-character password. This password is used to unlock the mobile phone app and to access the user’s online account with Tesla. The app can find and unlock the Model S remotely. It can also control and monitor some of the car’s functions.
Dhanjani stressed that this password is just as vulnerable to different kinds of attacks as the passwords used to access a computer or online account. He also said that a criminal might be able to guess the password through the Tesla website, which, as he pointed out, does not limit the number of incorrect login attempts.
According to Dhanjani, there are a number of ways attackers can gain access to a Tesla owner’s password. First, the attacker may obtain the password through a password-stealing virus. Second, the attacker may access other accounts that use the same password. Third, attackers may impersonate Tesla support staff to steal the information.
In his study, Dhanjani found that Tesla support staff can unlock cars remotely. His research brings to light the possibility that the Palo Alto, California-based company’s employees could locate and unlock cars with or without the permission or knowledge of the owners.
Tesla is aware of Dhanjani’s study, as he sent his findings to the company. Tesla spokesman Patrick Jones did not comment on the findings, though he mentioned that the company does review research from security experts.
“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process,” said Jones.
Photo credit: teslamotors.com