(Adds comment from Tesla spokesman)
By Jeremy Wagstaff
SINGAPORE, March 28 Tesla Motors Inc's electric vehicles can be located and unlocked by criminals remotely simply by cracking a six-character password using traditional hacking techniques, according to newly released research.

Nitesh Dhanjani, a corporate security consultant, Tesla owner and author of books on hacking, said at a conference in Singapore on Friday that he recently conducted a study of the Tesla Model S sedan and found several design flaws in its security system. He said his review did not uncover any hidden software vulnerabilities in the car's major systems.

"We cannot be protecting our cars in the way we protected our (computer) workstations, and failed," he said during a presentation at the Black Hat Asia security conference in Singapore.

Dhanjani said he has passed on his findings to Tesla.

Tesla spokesman Patrick Jones declined to comment on Dhanjani's findings, though he said that the carmaker does carefully review research it receives from security experts.

"We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process," Jones said via email.

Tesla's Model S car can only be driven when a key fob is present, but it can be unlocked via a command to the car transmitted wirelessly over the Internet, according to Dhanjani.

If a password is stolen or cracked, someone could locate and gain access to the car and steal its contents, but not drive it, Dhanjani said.

Users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account.

The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account, Dhanjani said.

An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts.

Attackers could try to gain access to the password from the user's computer via password-stealing viruses, or gain access to other accounts that might use the same password.

"It's a big issue where a $100,000 car should be relying on a six-character static password," he said.

Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission.

(Additional reporting by Jim Finkle; Editing by Peter Galloway and Steve Orlofsky)