Security Evaluation of the Tesla Model S

An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."

In other news

[fyngyrz]

...trusted sources reported today that if a Tesla vehicle is dropped from orbit, the impact would be devastating. The NTSB is looking into this, and Fox News reports that Obama is responsible. Scientists confirm using actual math that the outcome is all but inevitable.

[camera shows stock shots of meteor crater in Arizona]

Tesla has not responded to our requests to comment, except to say that SpaceX cargo capacity is a privileged corporate information.

In financial news, Aluminium foil prices are up.

Re:

[fuzzyfuzzyfungus]

Is there a market for used or stolen Tesla cars or parts?

It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.

On the other hand, its materials/recycle value is probably above average for vehicles of its size.

Re:

[mjwx]

Is there a market for used or stolen Tesla cars or parts?

It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.

On the other hand, its materials/recycle value is probably above average for vehicles of its size.

I know /. is very US centric, but in Europe driving a stolen car over a border is trivial and a Tesla will fetch a good price even in Eastern Europe.

Re:

[fuzzyfuzzyfungus]

By the same token, though, I'd have to imagine that European law enforcement types have(formally or informally) had to adapt to the fact that "Eh, just report the details to border control and call it a day" doesn't work anywhere in the Schengen Area anymore. Most of Europe also has suitably compatible cellular operations, so I'd feel about as safe across a European 'national' border as I would across a US 'state' one.

Either way, once you get 'outside the country' whether literally (US) or figuratively(t

Re:

[nospam007]

"Is there a market for used or stolen Tesla cars or parts?"

Not very likely. Even the radio is dangerous for the ears, since the volume goes up to 11.

http://en.wikipedia.org/wiki/U... [wikipedia.org]

unlock the fire within

[turkeydance]

"Pioneers get slaughtered, and the settlers prosper." - Daymond John

Seen This One Before

[rmdingler]

A disgruntled former employee (hardly ever see that) kept access to work computers at a tote-the-note car lot.

They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.

Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?

Re:[citation needed]:Rocky's 5th best line

[rmdingler]

You lie to your friends and I'll lie to mine.

It goes without saying we'll both lie to the customer.

We'll just plain be honest with each other.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:"Vulnerable"?

[symbolset]

It is not like it is difficult to unlock almost any car.

Re:

[symbolset]

There is this magic thing called a Z-bar that can be used to open almost any car without breaking the windows. But brute force does still work and is quick.

Re: "Vulnerable"?

[corychristison]

My wife's family owns my towns only Locksmith company.

I spent some time working there, and let me tell you the best tool for breaking into cars is the correct tool for that vehicle. We had toolboxes of roughly 15 tools for various vehicles. Knowing which tool to use and how to use it is a skill I think everyone should learn.

My favourite was the slimjim. I even made my own because I wasn't fond of the one included in the kit. Its so versatile.

As an aside: We worked with CAA (Canadian version of AAA) and once

Re:

[sh00z]

As an aside: We worked with CAA (Canadian version of AAA) and once every month or so we'd get a fax to unlock a vehicle (usually a Ford for some reason) who's keyless entry fob's battery had died. We would arrive and they are holding their key in their hand, pressing the button to unlock it and they are getting frustrated the vehicle isn't unlocking. I would calmly ask to see their key, walk up to the door and stick it in the door's keyway and turn it. The look on their face was always priceless. I even had one lady confess she didn't know that was even possible.

But if the car has an alarm system and it's active, this doesn't help much. If I unlock my car with a physical key, there's a three-step process I need to do in order to disable the alarm and engine kill. If your owners didn't realize their keys would work, what's the likelihood they'd then remember everything else required before driving away?

Re:

[corychristison]

But if the car has an alarm system and it's active, this doesn't help much. If I unlock my car with a physical key, there's a three-step process I need to do in order to disable the alarm and engine kill. If your owners didn't realize their keys would work, what's the likelihood they'd then remember everything else required before driving away?

The alarm will also go off if I open it with a tool to bypass the lock... It's not my responsibility to know how to turn the alarm off. The point I was trying to make was these people did not know they could unlock their car, and gain access to their belongings, without their keyfob.

Of the three calls I handled in this in the situation I described, they were factory keys with the remote unlock buttons on the key itself.

I even had one case, where the passenger window was rolled down half way, allowing me to

OK, Tesla not qualified to do automatic driving

[Animats]

How to steal car:
1. Guess username and password.
2. Log in to "https://portal.vn.teslamotors.com".
3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
...

And those guys think they're going to do automatic driving. Right.

Re:

[pepty]

That opens the car; stealing the whole car would still require a truck to move it.

How to *actually* steal car:

[fyngyrz]

1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.

Tools required: One. (may substitute inexpensive gun replica if low budget operation)

Number of attempts required for success: One

Technical knowhow required: Zero.

Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.

Re:

[rtb61]

Reality. At the end of the day, what will the insurance company accept as sufficient security so as to replace the vehicle upon claim of theft, nothing more and nothing less. As for the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user, with features not wished by the end user disabled and or other features set up.

Re:

[firewrought]

Reality. At the end of the day, what will the insurance company accept as sufficient security...

No, the security only has to be sufficient enough to blame you [wired.com] for the theft.

the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user

The salesman and customer are the least informed for making security tradeoffs, and the complications of having multiple security arrangements across a fleet of supported vehicle isn't worth the extra headache for the manufacturer.

The "balance" of this situation should not lie in the boneheaded territory of elementary security mistakes... if you're going to have a remotely accessible API, hire programmers who understand securi

Re:

[Anonymous Coward]

Except this'll get the police searching for you within minutes. Unlocking it remotely will probably give you hours before it's noticed, during which you have time to remove/disable the tracker, hide the car and change the plates, maybe even the colour. And with zero risk of setting the alarm off, which is its advantage over just breaking into any car on the street. Plus it lets you target expensive new cars since it even tells you where they are.

Re:

[fyngyrz]

Except this'll get the police searching for you within minutes.

Why would the police search until the driver is reported missing? Which might not happen for days, depending on the driver's social connections, but certainly won't happen for hours, by which time the car has either been disassembled or packed into a shipping container anyway.

Re:

[fyngyrz]

It was relevant to the thread. My point was it's a little ridiculous to worry about these complex electronic paths to stealing a car. Any thug can steal your car with little to no effort; practically speaking, all they need is the desire to do it and the opportunity.

I'll grant you that criminals are generally not the brightest people, but I don't think that predisposes them to do something via a significantly more complex method. The focus is on the wrong thing here.

Re:

[fyngyrz]

Ah, someone who doesn't understand the USA. Steal a car (and particularly a Tesla), you've *already* committed a felony; having done so and gotten caught as you suggest, you're going to jail and then most likely prison, not one, but *two* varieties of "assrape-land" as you put it, and when you get out, you will be unemployable, consequently if you want any of the supposedly "good" things in life, significantly profitable enterprises will be limited to things like, you guessed it: stealing cars, burglary, de

Re:

[fyngyrz]

No question, the optimum time is just as they approach the car. Once inside, or in motion, things become much more difficult.

obligatory xkcd

[jalvarez13]

https://xkcd.com/538/ [xkcd.com]

Re: Here it comes...

[loufoque]

Silicon is not made from oil.

Re:

[philip.paradis]

I believe the GP was referring to the plastic portions of laptops, which are largely synthesized from oil and natural gas, not silicon.

Re: Here it comes...

[loufoque]

Plastic is not computer-specific, and is not required at all for a computer. Some popular laptops are even made of aluminium.

Re:

[philip.paradis]

Please cite a source for any laptop which does not contain plastic.

Re:

[philip.paradis]

and is not required at all for a computer

You must have missed my earlier reply. As the GGP comment contained the excerpt "like your computer", I'm still eagerly awaiting a citation regarding a computer which contains no plastic components, presumably one available for purchase under the implicit assumption that you are in possession of such a machine. I'm looking forward to the opportunity to purchase this wonderful device for my own use, so please don't keep me waiting too long.

not limiting attempts

[tompaulco]

Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By them they will probably have a gen 2 Tesla that requires a 7 digit password.
I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least , if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.

Re:not limiting attempts

[nate_in_ME]

If the login delay is implemented based on the user ID and not the IP address, it wouldn't matter how many threads/machines you had attacking.

On a completely random note, I think the amount of time to do this attack, even with the current setup, would make it nonrealistic. Someone above listed the steps to break into a Tesla using this vulnerability (how accurate they were, I don't really know - or care for that matter). There's one big factor that is being overlooked, however. With relatively few Tesla cars on the road right now (I don't know the exact numbers at the moment, but compared to all other cars on the road, I think we can agree that "relatively few" is a safe estimate), this particular attack isn't one that could be done with the "normal" way that I imagine stealing a car goes:

"Hey that's a nice car...lets steal it!"

For this attack to work, it would have to be done one of two ways:

1. Break into "random" Tesla accounts until you found one in your area
2. Exploit this attack to steal the car

OR

1. Find a Tesla parked somewhere.
2. Somehow figure out that car's account
3. Break into that account
4. Use exploit to steal car

Basically, the time it takes to break into one Tesla account is irrelevant. The goal is to break into the RIGHT Tesla account, which I imagine, unless you already knew a lot about the owner of a particular car, would take a lot longer than this 69 year number being thrown around for breaking into a single Tesla account by brute force.

Re: not limiting attempts

[Anonymous Coward]

Break into any account, find position of car, go there, steal car.

brute force attack takes a minute or so

[dutchwhizzman]

If you have a botnet, you can have tens of thousands of computers do a log on attempt almost simultaneously. It'd take just a few days at full speed (tesla would notice) and a few weeks at moderate speed to get a significant amount of Tesla car accounts cracked. Once you have that, you can use the account details to find the exact location of those cars. At those numbers, the chance of finding one near you is actually high enough for thieves to be able to drive to one near by so they can unlock it and get

Re:

[fyngyrz]

What if I have 1000 threads trying different passwords? 10,000? 100,000?

Then, in a well designed system, you'd have 1000, 10000 or 100000 responses that all say "It has not yet been one minute since the last failed login to this account. Your login attempt was not accepted."

Re:

[Anaerin]

Doesn't much matter. 1,000 threads hammering an account that will only accept an attempt every second will take just as long as 10,000 threads, or even 1. It's tied to the account, not the IP.

Re:

[Frosty Piss]

With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password...

guarantee. Statistically.

On the other hand, most users don't use random strings for passwords.

Option?

[ArcadeMan]

Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?

Re:

[pepty]

You can do it by phone and fax.

Re:

[zwede]

Yes. The remote access to the car has to be turned on by the owner. When the car is delivered it is turned off. Tesla still has remote access even if the user-level access is off, but that would prevent access via the REST API and mobile app.

Re:I had issue with this day one when we took deli

[zwede]

The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special character. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.

Service can unlock

[nsxdavid]

I know service can unlock your car remotely, since I have one (model S) and they did it for me.

The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

Re:

[Jeremi]

Given that Tesla, Inc. knows the position of all its cars at all times, what is the benefit of stealing one? If you then drive it for any length of time, the police will track it to your location and arrest you. OTOH, you could try to sell it for parts, but I doubt the Tesla parts market is large enough to do that anonymously; most likely anyone interested in buying said parts would know they were stolen and would report you to the police.

Is it THAT bad?

[bussdriver]

How does one steal these cars? Is anybody even trying and succeeding at stealing them yet?

Ok, so you take the quite likely insured car... How do you get away? Drive like mad for... 300 miles then wait for many many hours to recharge? (NO, instant battery swap requires ID, quickcharger stations talk to the computer probably ID the car too, slow charging is the probably the only secure way and that takes TIME.) Naturally all this is after you rip out wherever their cell modem's antennae is.

They don't need m

Re:

[timeOday]

The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

If only he'd spent more time sitting around absorbing the endless stream of "what could possibly go wrong..." posts on slashdot, instead of building an empire.

Re:

[account_deleted]

Comment removed based on user account deletion

Questions:

[Alain Williams]

* Can the owner switch off the remote control/access to their car ?

* Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

* 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

* It mentions an iPhone app. What if I don't have (or want) an iPhone ?

* What cars made by companies other than Tesla have similar systems ?

Re:Questions:

[zwede]

* Can the owner switch off the remote control/access to their car ?

Yes.

* Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

No.

* 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

Minimum. The password can also contain special character.

* It mentions an iPhone app. What if I don't have (or want) an iPhone ?

There's an official android app. I think there's an unofficial winphone app too. There's an unoffical chrome plugin and stand-alone JAVA app.

* What cars made by companies other than Tesla have similar systems ?

No one has anything as comprehensive. Closest is probably on-star.

The guy describes gives some bad advice

[gurps_npc]

He makes some good points, but his suggestions are honestly not that relevant.

His major mistake is not comparing the electronic security to current security.

He complains about static, short complexity passwords, but does not recognize that most of the time longer, more complex passwords decrease security.

Many current car locks can be picked by by a guy with a bump key. The electronic security he lists is in fact far more secure than the standard key lock/ignition. More importantly, cars have side windo