Tesla Model S electric sedans can be located and unlocked remotely by criminals simply by cracking a six-character password using traditional hacking techniques, according to newly released research.
Nitesh Dhanjani, a Tesla owner and author of books on hacking, said at a conference in Singapore that he recently conducted a study of the Tesla Model S sedan and found several design flaws in its security system.
Dhanjani said he has passed on his findings to Tesla. He said his review did not uncover any hidden software vulnerabilities in the car’s major systems.
The Model S can only be driven when a key fob is present, but it can be unlocked via a command transmitted wirelessly to the car over the Internet, according to Dhanjani.
If a password is stolen or cracked, someone could locate and gain access to the car and steal its contents, but not drive it, Dhanjani said.
Users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user’s online Tesla account.
“The Tesla Model S is a great car and a fantastic product of innovation. Owners of Tesla as well as other cars are increasingly relying on information security to protect the physical safety of their loved ones and their belongings. Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level,” Nitesh Dhanjani said during a presentation at the Black Hat Asia security conference in Singapore.
Tesla has demonstrated innovation leaps and bounds beyond other car manufacturers. It is hoped that this document will encourage owners to think deeply about doing their part as well as for Tesla to have an open dialogue with its owners on what they are doing to take security seriously.
You can read Dhanjani’s findings here.