Transportation Security

Security Evaluation of the Tesla Model S

Posted by Soulskill
from the fob-it-off-on-somebody-else dept.
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
  • Re:"Vulnerable"? (Score:5, Insightful)

    by symbolset (646467) * on Saturday March 29, 2014 @07:12PM (#46612307) Journal
    It is not like it is difficult to unlock almost any car.
  • by nate_in_ME (1281156) <me@YEATSnatesmith.me minus poet> on Saturday March 29, 2014 @07:53PM (#46612505)
    If the login delay is implemented based on the user ID and not the IP address, it wouldn't matter how many threads/machines you had attacking.

    On a completely random note, I think the amount of time to do this attack, even with the current setup, would make it unrealistic. Someone above listed the steps to break into a Tesla using this vulnerability (how accurate they were, I don't really know - or care for that matter). There's one big factor that is being overlooked, however. With relatively few Tesla cars on the road right now (I don't know the exact numbers at the moment, but compared to all other cars on the road, I think we can agree that "relatively few" is a safe estimate), this particular attack isn't one that could be done with the "normal" way that I imagine stealing a car goes:

    "Hey that's a nice car...let's steal it!"

    For this attack to work, it would have to be done one of two ways:

    1. Break into "random" Tesla accounts until you found one in your area
    2. Exploit this attack to steal the car

    OR

    1. Find a Tesla parked somewhere.
    2. Somehow figure out that car's account
    3. Break into that account
    4. Use exploit to steal car

    Basically, the time it takes to break into one Tesla account is irrelevant. The goal is to break into the RIGHT Tesla account, which I imagine, unless you already knew a lot about the owner of a particular car, would take a lot longer than this 69-year number being thrown around for breaking into a single Tesla account by brute force.
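    The two technical points above, the summary's "no limit on incorrect login attempts" and this comment's "delay keyed on the user ID rather than the IP address", carried through as an added example. This is illustrative code, not Tesla's login logic or anything from Dhanjani's paper: the user table is a constructed stand-in, the 36-symbol alphabet (lowercase plus digits) behind the 69-year figure is an assumption, and the threshold and backoff values are arbitrary.

```python
"""Per-account vs per-IP throttling against online password guessing (constructed example)."""
import hmac

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed online guess rate."""
    return space / attempts_per_second / SECONDS_PER_YEAR


class LoginThrottle:
    """Counts consecutive failed logins and refuses attempts during a backoff.

    key_by="account" keys the counter on the username, so guesses spread over
    many source IPs share one budget; key_by="ip" keys it on the client address,
    which a distributed attacker sidesteps by rotating addresses.
    Times are integer milliseconds supplied by the caller.
    """

    def __init__(self, users, key_by="account", threshold=5, base_delay_ms=1000):
        self.users = users            # constructed {username: password} table (assumption)
        self.key_by = key_by
        self.threshold = threshold    # failures allowed before backoff starts
        self.base_delay_ms = base_delay_ms
        self.failures = {}            # key -> consecutive failure count
        self.locked_until = {}        # key -> ms timestamp before which we refuse

    def _key(self, username, ip):
        return username if self.key_by == "account" else ip

    def attempt(self, username, password, ip, now_ms):
        key = self._key(username, ip)
        if now_ms < self.locked_until.get(key, 0):
            return "throttled"        # refused without evaluating the password
        expected = self.users.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return "ok"
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        if n >= self.threshold:
            # exponential backoff: 1 s, 2 s, 4 s, ... once the threshold is hit
            self.locked_until[key] = now_ms + self.base_delay_ms * 2 ** (n - self.threshold)
        return "fail"


def distributed_guessing(key_by, guesses=2000, ips=1000, window_ms=60_000):
    """Count how many of an attacker's guesses against one account are actually
    evaluated when spread evenly over `ips` source addresses within one window."""
    throttle = LoginThrottle({"owner@example.com": "correct"}, key_by=key_by)
    step_ms = window_ms // guesses
    evaluated = 0
    for i in range(guesses):
        ip = f"10.0.{(i % ips) // 256}.{(i % ips) % 256}"   # constructed attacker addresses
        if throttle.attempt("owner@example.com", f"wrong{i}", ip, i * step_ms) == "fail":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print(f"36^6 keyspace at 1 guess/s: {years_to_exhaust(keyspace(36, 6), 1.0):.1f} years")
    print("per-IP throttle, guesses evaluated:", distributed_guessing("ip"))
    print("per-account throttle, guesses evaluated:", distributed_guessing("account"))
```

    With 2000 guesses spread over 1000 addresses in one minute, the per-IP throttle never trips (two attempts per address) and evaluates every guess, while the per-account throttle evaluates ten. The caveat a practitioner should weigh: keying on the account means anyone who knows the username can lock the owner out of the app at will, so real deployments pair account backoff with something that distinguishes the owner (a second factor, a notification, or a challenge) rather than relying on the delay alone.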

  • by fyngyrz (762201) on Saturday March 29, 2014 @10:36PM (#46613035) Homepage Journal

    1: Hold gun, knife or pipe wrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.

    Tools required: One. (may substitute inexpensive gun replica if low budget operation)

    Number of attempts required for success: One

    Technical knowhow required: Zero.

    Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.
