Transportation Security

Security Evaluation of the Tesla Model S

Posted by Soulskill
from the fob-it-off-on-somebody-else dept.
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
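The summary's central finding is that the web login does not limit incorrect attempts. The block below is an added illustration, not code from the paper or from Tesla: a per-account failed-login throttle with exponential lockout, using constructed thresholds (5 failures, 60 s base window, 1 h cap) and an injectable clock so the behaviour can be exercised deterministically.

```python
import time
from dataclasses import dataclass

# Constructed example: per-account failed-login throttle with exponential
# lockout, the kind of limit the summary says the Tesla web login lacked.
MAX_FAILURES = 5        # consecutive failures allowed before a lockout
BASE_LOCKOUT_S = 60     # first lockout window (illustrative value)
MAX_LOCKOUT_S = 3600    # ceiling for the exponential backoff

@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success
    lockouts: int = 0          # lockouts so far; drives the backoff
    locked_until: float = 0.0  # clock value at which the lock expires

class LoginThrottle:
    """Tracks failures per account and refuses attempts while locked."""
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable for deterministic testing
        self.accounts = {}

    def _state(self, account):
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account):
        return self.clock() < self._state(account).locked_until

    def record(self, account, success):
        """Record an outcome; returns the lockout length applied (0 if none)."""
        st = self._state(account)
        if success:
            st.failures = st.lockouts = 0
            st.locked_until = 0.0
            return 0
        st.failures += 1
        if st.failures < MAX_FAILURES:
            return 0
        st.lockouts += 1
        lock = min(BASE_LOCKOUT_S * 2 ** (st.lockouts - 1), MAX_LOCKOUT_S)
        st.locked_until = self.clock() + lock
        st.failures = 0
        return lock

def attempt_login(throttle, account, password, check_password):
    """Check the lock before verifying, so guesses stop while locked."""
    if throttle.is_locked(account):
        return "locked"
    ok = check_password(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "bad_password"
```

A purely per-account lock lets anyone who knows an owner's e-mail lock that owner out, so production deployments pair it with per-source throttling and an out-of-band unlock path.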
  • by Animats (122034) on Saturday March 29, 2014 @07:24PM (#46612127)

    How to steal car:
    1. Guess username and password.
    2. Log in to "https://portal.vn.teslamotors.com".
    3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
    4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
    5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
    6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
    ...

    And those guys think they're going to do automatic driving. Right.

  • Service can unlock (Score:5, Informative)

    by nsxdavid (254126) <dwNO@SPAMplay.net> on Saturday March 29, 2014 @11:33PM (#46613031)

    I know service can unlock your car remotely, since I have one (model S) and they did it for me.

    The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

  • by firewrought (36952) on Sunday March 30, 2014 @01:06AM (#46613259)

    Reality. At the end of the day, what will the insurance company accept as sufficient security...

    No, the security only has to be sufficient enough to blame you [wired.com] for the theft.

    the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user

    The salesman and customer are the least informed for making security tradeoffs, and the complications of having multiple security arrangements across a fleet of supported vehicles isn't worth the extra headache for the manufacturer.

    The "balance" of this situation should not lie in the boneheaded territory of elementary security mistakes... if you're going to have a remotely accessible API, hire programmers who understand security and have them design the damn thing to be secure from the ground up. It's not impossible or mystical or some big unknown.

  • by zwede (1478355) on Sunday March 30, 2014 @09:24AM (#46614425)
    The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special characters. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.
  • Re:Questions: (Score:4, Informative)

    by zwede (1478355) on Sunday March 30, 2014 @09:30AM (#46614449)

    * Can the owner switch off the remote control/access to their car ?

    Yes.

    * Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

    No.

    * 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

    Minimum. The password can also contain special characters.

    * It mentions an iPhone app. What if I don't have (or want) an iPhone ?

    There's an official Android app. I think there's an unofficial WinPhone app too. There's an unofficial Chrome plugin and stand-alone Java app.

    * What cars made by companies other than Tesla have similar systems ?

    No one has anything as comprehensive. Closest is probably on-star.
