A luxury Tesla Model S, maxed out with options and bells-and-whistles, is worth over $100,000.
You wouldn't really expect the only thing preventing a thief from unlocking it to be a simple six-character password, would you?
Security researcher Nitesh Dhanjani owns a Tesla vehicle, and discovered that if you can find out an owner's password you can unlock their fully-electric vehicle.
All you need is the password and the handy Tesla Model S iPhone App.
- Check charging progress in real time and start or stop charge
- Heat or cool Model S before driving — even if it's in a garage
- Locate Model S with directions or track its movement across a map
- Flash lights or honk the horn to find Model S when parked
- Vent or close the panoramic roof
- Lock or unlock from afar
So, if you're unlucky enough to have your password stolen or cracked, a criminal can gain access to your Tesla car. In fact, they can unlock it "from afar" if they wish.
You can also have your movements tracked by a jealous partner or malicious stalker, or a prankster could make your car honk its horn or open the panoramic roof in the rain.
Oh, the jolly japes that could be had with this... especially as the vast majority of people either choose dumb, easy-to-guess passwords or re-use passwords in multiple places. Not to mention those folks who leave their unlocked iPhones just lying around for anyone to abuse.
Yes, you might be wondering why you would ever need an iPhone app to unlock your car, or to heat its seats, but stop being such a kill-joy. This is the "internet of things" and it's progress (tm).
Dhanjani's research, which he revealed at a conference in Singapore, raised concerns about Tesla's security, including that the Tesla website does not appear to lock out users after multiple incorrect login attempts - opening a window of opportunity for brute-force password-guessing attacks.
Dhanjani further noted that anyone with temporary access to the Tesla owner's email account could reset the password used to secure access to the car, without being required to answer any secret questions or provide additional information.
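The lockout Dhanjani found missing is only a little server-side state. The Python below is an illustration added here, not Tesla's code, and everything in it is assumed: the constructed credential store, the policy of five failures per fifteen minutes, and a 62-symbol password alphabet. It implements a per-account failed-login lockout, then runs a constructed guess list against the login with and without the lockout to show how much of the list an online attacker actually gets to try, and sizes the six- and eight-character keyspaces against the throttled guess rate.

```python
import hmac

# Constructed credential store for this illustration (not Tesla's); password
# hashing is left out so the lockout logic stays in focus.
USERS = {"owner@example.com": "s3cr3t"}


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed store (ASCII inputs)."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class LoginThrottle:
    """Per-account lockout (assumed policy): after `max_failures` failed logins
    within `window` seconds, reject every attempt for `lockout` seconds."""

    def __init__(self, max_failures: int = 5, window: float = 900.0, lockout: float = 900.0):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}       # user -> timestamps of recent failures
        self._locked_until = {}   # user -> time at which the lock expires

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad' or 'locked'. `now` is injected so the demo is deterministic."""
        if self._locked_until.get(user, 0.0) > now:
            return "locked"       # rejected without even checking the password
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        if check_password(user, password):
            self._failures.pop(user, None)
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures.pop(user, None)   # counting restarts when the lock expires
        else:
            self._failures[user] = recent
        return "bad"


def brute_force(throttle: LoginThrottle, user: str, candidates, rate_per_sec: float):
    """Feed guesses at `rate_per_sec`; return (evaluated, blocked, found)."""
    evaluated = blocked = 0
    found = None
    for i, guess in enumerate(candidates):
        result = throttle.attempt(user, guess, i / rate_per_sec)
        if result == "locked":
            blocked += 1
            continue
        evaluated += 1
        if result == "ok":
            found = guess
            break
    return evaluated, blocked, found


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Number of passwords of the given length over an assumed 62-symbol alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(length: int, throttle: LoginThrottle, alphabet_size: int = 62) -> float:
    """Worst case for an online attacker: max_failures guesses per lockout period."""
    guesses_per_hour = throttle.max_failures * 3600.0 / throttle.lockout
    return keyspace(length, alphabet_size) / guesses_per_hour


if __name__ == "__main__":
    guesses = ["guess%04d" % i for i in range(1000)]   # constructed guess list
    guesses[500] = "s3cr3t"                            # the real password is buried in it
    print("no lockout:", brute_force(LoginThrottle(max_failures=10**9), "owner@example.com", guesses, 10.0))
    print("5 failures/15 min:", brute_force(LoginThrottle(), "owner@example.com", guesses, 10.0))
    print("hours to exhaust 6 chars under lockout: %.3g" % hours_to_exhaust(6, LoginThrottle()))
```

Without the throttle the attacker reaches the password after 501 guesses; with it, five guesses get checked and the remaining 995 never reach the password check at all, and the legitimate owner logs straight back in once the lock expires. The arithmetic also shows why the password-length change on its own is the smaller fix: a 62-symbol six-character keyspace is about 5.7e10 guesses, and at 20 guesses an hour that is billions of hours, while an unthrottled login that answers a thousand guesses a second gets through it in under two years and works down a list of common passwords in minutes.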
Worryingly, third-party apps may further expose Tesla car owners' passwords. Dhanjani raises concerns about a Google Glass application called Tesla for Glass, which is supposed to allow gadget-lovers to monitor and control their Tesla vehicles.
Because such apps work by collecting the owner's Tesla credentials, they demonstrate how a malicious third-party application could scoop up those credentials in order to gain access to the vehicle. Until a proper SDK is released by Tesla, it might be sensible to avoid third-party apps.
The only real good news is that having the password, and control over the owner's car via the Tesla Model S app, isn't enough to allow hackers to actually drive off with your vehicle. For that they still need the key fob.
Dhanjani's research has been shared with the folks at Tesla, who gave an official response to Ubergizmo:
"We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process."
When I read that, I wondered how much Tesla had already done to secure its systems.
Unfortunately, as an independent computer security blogger I don't have the funds to splash out on an expensive car to see how easy it is to unlock. But I can visit Tesla's website and try to register an account...
Hmm. So, hats off to the Tesla security team. It appears that they have already taken *some* action at least. Now you need at least eight characters in your password, rather than six.
By the way, anyone else notice that "Tesla" is an anagram of "steal"?