By simply obtaining the password an owner sets when registering an online account on the company’s website, hackers can get into a Tesla electric vehicle.
The online account created by owners enables them to control the car from their iPhones. They can lock and unlock the car, flash the lights, honk the horn, change its status and track its location, said corporate security consultant and Tesla owner Nitesh Dhanjani.
While they wouldn’t be able to start the car, individuals with access to the password could track it down, unlock it and take what is inside.
The password set by Tesla owners when they create an account is six characters long, and it must contain at least one number and one letter.
Such a short password is easy to obtain by brute force, and the problem is compounded by the absence of any account lockout policy for repeated incorrect login attempts.
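To put numbers on the two weaknesses above, here is an added example (it is not code from the article, from Dhanjani’s research or from Tesla): the first function counts how many six-character candidates an attacker must try when the password has to contain at least one letter and one digit, and the `LockoutPolicy` class shows the kind of lockout the article says was missing. The alphabet sizes, the five-failure threshold, the 15-minute lock and the guess rate are constructed assumptions, and the plain-text `expected` argument stands in for a stored password-hash check.

```python
"""Added example, not from the article, from Dhanjani's research or from
Tesla: (1) how many candidates a six-character letter-plus-digit password
leaves an attacker, and (2) what the account lockout policy the article
says was absent looks like. Alphabet sizes, lockout thresholds and guess
rates below are constructed assumptions."""
import hmac
import time
from collections import defaultdict

LETTERS_CASE_INSENSITIVE = 26   # a-z only (assumption: policy is case-insensitive)
LETTERS_CASE_SENSITIVE = 52     # a-z plus A-Z
DIGITS = 10


def keyspace(length=6, letters=LETTERS_CASE_INSENSITIVE, digits=DIGITS):
    """Passwords of exactly `length` symbols containing at least one letter
    and at least one digit, by inclusion-exclusion: every string over the
    combined alphabet minus the letter-only and digit-only strings."""
    return (letters + digits) ** length - letters ** length - digits ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a given online guess rate."""
    return space / guesses_per_second


class LockoutPolicy:
    """Lock an account for `lock_seconds` after `max_failures` consecutive
    failed logins. The clock is injectable so the behaviour is testable."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and restart the failure counter.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, supplied, expected):
        """True only if the account is not locked and the password matches.
        A locked account rejects even the correct password until the lock
        expires, which is what stops an online guessing run. In production
        `expected` would be a stored hash, not the plain password."""
        if self.is_locked(account):
            return False
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self.failures[account] = 0
            return True
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lock_seconds
        return False


if __name__ == "__main__":
    for name, letters in (("case-insensitive", LETTERS_CASE_INSENSITIVE),
                          ("case-sensitive", LETTERS_CASE_SENSITIVE)):
        space = keyspace(letters=letters)
        days = seconds_to_exhaust(space, 1000) / 86400
        print(f"{name}: {space:,} candidates, ~{days:.1f} days at 1,000 guesses/s")
```

The keyspace figure is only meaningful against an endpoint that answers every guess; with a lockout in place the same keyspace becomes unreachable online, which is why the missing lockout policy matters as much as the short length.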
Hackers can also obtain the credentials in several other ways, including phishing, malware, social engineering of Tesla employees, compromise of the owner’s email account, or password reuse, since many people use the same password for multiple online services.
Another problem with Tesla’s security is its REST API. Among other things, the API can query the vehicle’s location, which is returned as a latitude and longitude.
Dhanjani said the API implicitly encourages the sharing of credentials with untrusted third parties.
“The Tesla iOS App uses a REST API to communicate and send commands to the car. Tesla has not intended for this API to be directly invoked by 3rd parties. However, 3rd party apps have already started to leverage the Tesla REST API to build applications,” he said.
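The credential-sharing concern is easiest to see by contrast. The following added example (not Tesla’s API, not code from Dhanjani) sketches the alternative a practitioner would expect: a signed, revocable token carrying only the scopes a third-party app needs, so an app that is allowed to read the vehicle’s location cannot also unlock it, and the owner can cut it off without changing the account password. The action names, scope names and signing scheme are constructed assumptions.

```python
"""Added example, not Tesla's API or Dhanjani's code: a scoped, revocable
delegation token as the alternative to handing a third-party app the
account password. Action and scope names are constructed assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed: the actions the article mentions, and the scope each needs.
ACTION_SCOPES = {
    "vehicle_location": "read:location",
    "flash_lights": "control:lights",
    "honk_horn": "control:horn",
    "door_unlock": "control:locks",
}


class TokenIssuer:
    """Issues HMAC-signed tokens bound to an owner, an app and a scope list."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.revoked = set()

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, owner: str, app: str, scopes) -> str:
        body = {"owner": owner, "app": app,
                "scopes": sorted(scopes), "id": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def parse(self, token: str):
        """Return the token body, or None if it is malformed or tampered."""
        try:
            b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        return json.loads(payload)

    def revoke(self, token: str) -> None:
        body = self.parse(token)
        if body is not None:
            self.revoked.add(body["id"])

    def authorize(self, token: str, action: str) -> bool:
        """True only for a valid, unrevoked token whose scopes cover `action`."""
        body = self.parse(token)
        if body is None or body["id"] in self.revoked:
            return False
        needed = ACTION_SCOPES.get(action)
        return needed is not None and needed in body["scopes"]


def password_grants(action: str) -> bool:
    """What sharing the account password amounts to: every action, no scoping,
    no per-app revocation short of changing the password."""
    return action in ACTION_SCOPES


if __name__ == "__main__":
    issuer = TokenIssuer(secrets.token_bytes(32))
    tok = issuer.issue("owner@example.com", "tracking-app", ["read:location"])
    for action in ACTION_SCOPES:
        print(f"{action:18} token={issuer.authorize(tok, action)!s:5} password={password_grants(action)}")
```

Both the scope check and the revocation list live on the server, so the third party never learns anything reusable against the account beyond what it was granted.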
Dhanjani reported his findings to Tesla. While the company hasn’t said anything about these specific issues, it claims to be working diligently on making sure its systems are secure against cyber threats.
“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process,” Tesla spokesperson Patrick Jones said.