Security Evaluation of the Tesla Model S

An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."

Seen This One Before

[rmdingler]

A disgruntled former employee (hardly ever see that) kept access to work computers at a tote-the-note car lot.

They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.

Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?

not limiting attempts

[tompaulco]

Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By them they will probably have a gen 2 Tesla that requires a 7 digit password.
I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least , if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.

Option?

[ArcadeMan]

Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?