A recent blog post by Nitesh Dhanjani, a respected security researcher and author, explains why Tesla needs to rethink many of its security standards. By cracking a user’s login credentials, a hacker can unlock the doors of a Tesla Model S, track the vehicle through GPS, and operate the roof, lights and horn.
To understand the full extent of this issue, it helps to know how basic password cracking works. There are many ways to obtain a target’s password. Dictionary attacks cycle through a list of words found in a dictionary file until the correct password is found. This rudimentary method can be thwarted by simply using an original combination of characters.
Brute force attacks take dictionary attacks to the next level by inputting any alpha-numeric combinations possible (e.g. aaaa1, aaaa2, …… zdh3sl8, zdh3l9). Rainbow table attacks make an attempt to crack the encrypted password that the system receives and take less time than cracking the actual password. Malware can even record the user’s password entries and send them back to the software developer.
The Tesla Model S is vulnerable to many different types of attacks due to the simplicity of its user management system and its password requirements in particular. Tesla’s password requirements are minimal at best, requiring only 6 characters with at least one number. More advanced systems require 8 characters with at least one number, symbol and sometimes even an upper case letter thrown in, making attacks require a much longer time to complete.
Moving beyond the issues with the password format, Tesla has placed no limit on the number of attempts the user can enter a password. Many companies have placed a limit of 3 attempts before the account is locked out to prevent brute force and dictionary attacks.
Additionally, if a user’s email is compromised, there are no additional security measures to reset a password. The familiar “Reset your password” link sends an email to the account, allowing an immediate reset. Other third parties applications are also allowed access to login credentials through Tesla’s REST API, which allows applications to interact together. If these third party companies are hacked, password information could be leaked causing a potential threat.
If the multiple vulnerabilities outlined by Dhanjani are exploited, it could cause a serious concern for the tens of thousands of Tesla drivers all over the world. While the car cannot be turned on with these login credentials, the car can be tracked and unlocked, leaving any valuables inside up for grabs.
Many of the shortfalls of the system can be fixed by increasing the requirements for password choices and including a secondary authentication process. This authentication can be performed by a number of methods from security questions to biometric options like retina or fingerprint scans. It is impossible to be complete secure in this world of gadgets that we live in but for something as simple as a few characters, can Tesla really afford to not fully charge their attempts?