Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Evaluation of the Tesla Model S

Posted by Soulskill on from the fob-it-off-on-somebody-else dept.

An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."

17 of 93 comments (clear)

  1. Seen This One Before by rmdingler · · Score: 4, Interesting
    A disgruntled former employee (hardly ever see that) kept access to work computers at a tote-the-note car lot.

    They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.

    Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  2. OK, Tesla not qualified to do automatic driving by Animats · · Score: 4, Informative

    How to steal car:
    1. Guess username and password.
    2. Log in to "https://portal.vn.teslamotors.com".
    3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
    4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
    5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
    6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
    ...

    And those guys think they're going to do automatic driving. Right.

    1. Re:OK, Tesla not qualified to do automatic driving by pepty · · Score: 2

      That opens the car; stealing the whole car would still require a truck to move it.

  3. not limiting attempts by tompaulco · · Score: 4, Interesting

    Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By them they will probably have a gen 2 Tesla that requires a 7 digit password.
    I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least , if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.

    --
    If you are not allowed to question your government then the government has answered your question.
    1. Re:not limiting attempts by nate_in_ME · · Score: 3, Insightful
      If the login delay is implemented based on the user ID and not the IP address, it wouldn't matter how many threads/machines you had attacking.

      On a completely random note, I think the amount of time to do this attack, even with the current setup, would make it nonrealistic. Someone above listed the steps to break into a Tesla using this vulnerability (how accurate they were, I don't really know - or care for that matter). There's one big factor that is being overlooked, however. With relatively few Tesla cars on the road right now (I don't know the exact numbers at the moment, but compared to all other cars on the road, I think we can agree that "relatively few" is a safe estimate), this particular attack isn't one that could be done with the "normal" way that I imagine stealing a car goes:

      "Hey that's a nice car...lets steal it!"

      For this attack to work, it would have to be done one of two ways:

      1. Break into "random" Tesla accounts until you found one in your area
      2. Exploit this attack to steal the car

      OR

      1. Find a Tesla parked somewhere.
      2. Somehow figure out that car's account
      3. Break into that account
      4. Use exploit to steal car

      Basically, the time it takes to break into one Tesla account is irrelevant. The goal is to break into the RIGHT Tesla account, which I imagine, unless you already knew a lot about the owner of a particular car, would take a lot longer than this 69 year number being thrown around for breaking into a single Tesla account by brute force.

    2. Re:not limiting attempts by fyngyrz · · Score: 2

      What if I have 1000 threads trying different passwords? 10,000? 100,000?

      Then, in a well designed system, you'd have 1000, 10000 or 100000 responses that all say "It has not yet been one minute since the last failed login to this account. Your login attempt was not accepted."

      --
      I've fallen off your lawn, and I can't get up.
  4. Option? by ArcadeMan · · Score: 3, Interesting

    Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Option? by zwede · · Score: 2

      Yes. The remote access to the car has to be turned on by the owner. When the car is delivered it is turned off. Tesla still has remote access even if the user-level access is off, but that would prevent access via the REST API and mobile app.

  5. Re:"Vulnerable"? by symbolset · · Score: 4, Insightful

    It is not like it is difficult to unlock almost any car.

    --
    Help stamp out iliturcy.
  6. Re:[citation needed]:Rocky's 5th best line by rmdingler · · Score: 2
    You lie to your friends and I'll lie to mine.

    It goes without saying we'll both lie to the customer.

    We'll just plain be honest with each other.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  7. Service can unlock by nsxdavid · · Score: 5, Informative

    I know service can unlock your car remotely, since I have one (model S) and they did it for me.

    The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

    --
    David Whatley
  8. How to *actually* steal car: by fyngyrz · · Score: 5, Insightful

    1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.

    Tools required: One. (may substitute inexpensive gun replica if low budget operation)

    Number of attempts required for success: One

    Technical knowhow required: Zero.

    Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:How to *actually* steal car: by firewrought · · Score: 3, Informative

      Reality. At the end of the day, what will the insurance company accept as sufficient security...

      No, the security only has to be sufficient enough to blame you for the theft.

      the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user

      The salesman and customer are the least informed for making security tradeoffs, and the complications of having multiple security arrangements across a fleet of supported vehicle isn't worth the extra headache for the manufacturer.

      The "balance" of this situation should not lie in the boneheaded territory of elementary security mistakes... if you're going to have a remotely accessible API, hire programmers who understand security and have them design the damn thing to be secure from the ground up. It's not impossible or mystical or some big unknown.

      --
      -1, Too Many Layers Of Abstraction
  9. Re:Question by fuzzyfuzzyfungus · · Score: 2

    Is there a market for used or stolen Tesla cars or parts?

    It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.

    On the other hand, its materials/recycle value is probably above average for vehicles of its size.

  10. Re:I had issue with this day one when we took deli by zwede · · Score: 4, Informative

    The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special character. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.

  11. Re:Questions: by zwede · · Score: 3, Informative

    * Can the owner switch off the remote control/access to their car ?

    Yes.

    * Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

    No.

    * 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

    Minimum. The password can also contain special character.

    * It mentions an iPhone app. What if I don't have (or want) an iPhone ?

    There's an official android app. I think there's an unofficial winphone app too. There's an unoffical chrome plugin and stand-alone JAVA app.

    * What cars made by companies other than Tesla have similar systems ?

    No one has anything as comprehensive. Closest is probably on-star.

  12. Re: "Vulnerable"? by corychristison · · Score: 2

    My wife's family owns my towns only Locksmith company.

    I spent some time working there, and let me tell you the best tool for breaking into cars is the correct tool for that vehicle. We had toolboxes of roughly 15 tools for various vehicles. Knowing which tool to use and how to use it is a skill I think everyone should learn.

    My favourite was the slimjim. I even made my own because I wasn't fond of the one included in the kit. Its so versatile.

    As an aside: We worked with CAA (Canadian version of AAA) and once every month or so we'd get a fax to unlock a vehicle (usually a Ford for some reason) who's keyless entry fob's battery had died. We would arrive and they are holding their key in their hand, pressing the button to unlock it and they are getting frustrated the vehicle isn't unlocking. I would calmly ask to see their key, walk up to the door and stick it in the door's keyway and turn it. The look on their face was always priceless. I even had one lady confess she didn't know that was even possible.