Security Evaluation of the Tesla Model S
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.
Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
How to steal car:
...
1. Guess username and password.
2. Log in to "https://portal.vn.teslamotors.com".
3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
And those guys think they're going to do automatic driving. Right.
Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By then they will probably have a gen 2 Tesla that requires a 7 digit password.
I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least, if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.
If you are not allowed to question your government then the government has answered your question.
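Added example (not from the thread or from Tesla): a server-side login throttle of the kind the comment above proposes, plus the arithmetic behind its 69-year figure. The throttle, the account names, the fake clock and the guess list are all constructed for illustration; the backoff parameters are assumptions, not any vendor's settings. The estimate function is written generally, so it also covers longer passwords and larger alphabets than the 36-character, six-position case the comment uses.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Alphabet sizes for the estimates (constructed for this example)
LOWER_ALNUM = 36            # a-z plus 0-9: the "numbers and letters" case in the comment
PRINTABLE_NO_SPACE = 94     # printable ASCII without the space character
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed, enforced guess rate."""
    return guess_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


class FakeClock:
    """Injectable clock so the throttle can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per-account exponential backoff: the first `free_attempts` failures cost
    nothing, every further failure doubles the mandatory wait, capped at
    `max_delay` seconds. A successful login clears the account's counter."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = defaultdict(int)
        self._not_before = defaultdict(float)

    def delay_after_failures(self, failures: int) -> float:
        if failures < self.free_attempts:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (failures - self.free_attempts))

    def allowed(self, account: str) -> bool:
        return self.clock() >= self._not_before[account]

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return
        self._failures[account] += 1
        self._not_before[account] = self.clock() + self.delay_after_failures(self._failures[account])


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked table cannot be attacked at the attacker's own pace as cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthService:
    """Minimal password check sitting behind the throttle (constructed example)."""

    def __init__(self, throttle: LoginThrottle) -> None:
        self.throttle = throttle
        self._users = {}

    def register(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[account] = (salt, hash_password(password, salt))

    def login(self, account: str, password: str) -> str:
        """Return 'ok', 'denied' or 'throttled'. Throttled attempts never reach the hash check."""
        if not self.throttle.allowed(account):
            return "throttled"
        salt, stored = self._users.get(account, (b"", b""))
        ok = bool(stored) and hmac.compare_digest(stored, hash_password(password, salt))
        self.throttle.record(account, ok)
        return "ok" if ok else "denied"


def simulate_guessing(service: AuthService, account: str, guesses, clock: FakeClock, gap: float) -> dict:
    """Submit `guesses` one after another, `gap` seconds apart, and count how
    many were actually evaluated versus rejected by the throttle."""
    counts = {"ok": 0, "denied": 0, "throttled": 0}
    for guess in guesses:
        counts[service.login(account, guess)] += 1
        clock.advance(gap)
    return counts


if __name__ == "__main__":
    print(f"36^6 at 1 guess/s: {years_to_exhaust(LOWER_ALNUM, 6, 1.0):.1f} years")
    print(f"94^12 at 1e9 guess/s (offline): {years_to_exhaust(PRINTABLE_NO_SPACE, 12, 1e9):.2e} years")
    clock = FakeClock()
    svc = AuthService(LoginThrottle(clock=clock))
    svc.register("owner@example.invalid", "correct-horse-battery")   # constructed account
    print(simulate_guessing(svc, "owner@example.invalid", ["aaaaaa"] * 10, clock, 0.1))
```

The comment's 69 years is 36^6 seconds, i.e. one guess per second against the server; the same function shows why the offline case the comment mentions is different, since a stolen hash table is attacked at the attacker's own rate, which is what the salted, iterated hash above is for. Throttling per account, as here, means an attacker who knows an account name can keep its legitimate owner waiting, so a deployment usually combines it with per-source limits and alerting rather than relying on one counter.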
It is not like it is difficult to unlock almost any car.
Help stamp out iliturcy.
I know service can unlock your car remotely, since I have one (model S) and they did it for me.
The interesting thing is Elon made his fortune at PayPal. You think he'd know better.
David Whatley
1: Hold gun, knife or pipe wrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.
Tools required: One. (may substitute inexpensive gun replica if low budget operation)
Number of attempts required for success: One
Technical knowhow required: Zero.
Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.
I've fallen off your lawn, and I can't get up.
The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special characters. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.