Forgot your password?
typodupeerror
Transportation Security

Security Evaluation of the Tesla Model S 93

Posted by Soulskill
from the fob-it-off-on-somebody-else dept.
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
This discussion has been archived. No new comments can be posted.

Security Evaluation of the Tesla Model S

Comments Filter:
  • "Pioneers get slaughtered, and the settlers prosper." - Daymond John
  • Seen This One Before (Score:5, Interesting)

    by rmdingler (1955220) on Saturday March 29, 2014 @07:13PM (#46612091)
    A disgruntled former employee (hardly ever see that) kept access to work computers at a tote-the-note car lot.

    They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.

    Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?

  • FTS: "The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account."

    Has any hack of these 'vulnerabilities' ever been proven to have actually occurred yet?

    • Re:"Vulnerable"? (Score:5, Insightful)

      by symbolset (646467) * on Saturday March 29, 2014 @08:12PM (#46612307) Journal
      It is not like it is difficult to unlock almost any car.
  • by Animats (122034) on Saturday March 29, 2014 @07:24PM (#46612127) Homepage

    How to steal car:
    1. Guess username and password.
    2. Log in to "https://portal.vn.teslamotors.com".
    3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
    4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
    5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
    6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
    ...

    And those guys think they're going to do automatic driving. Right.

    • by pepty (1976012)
      That opens the car; stealing the whole car would still require a truck to move it.
    • by fyngyrz (762201) on Saturday March 29, 2014 @11:36PM (#46613035) Homepage Journal

      1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.

      Tools required: One. (may substitute inexpensive gun replica if low budget operation)

      Number of attempts required for success: One

      Technical knowhow required: Zero.

      Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.

      • by rtb61 (674572)

        Reality. At the end of the day, what will the insurance company accept as sufficient security so as to replace the vehicle upon claim of theft, nothing more and nothing less. As for the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user, with features not wished by the end user disabled and or other features set up.

        • Re: (Score:3, Informative)

          by firewrought (36952)

          Reality. At the end of the day, what will the insurance company accept as sufficient security...

          No, the security only has to be sufficient enough to blame you [wired.com] for the theft.

          the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user

          The salesman and customer are the least informed for making security tradeoffs, and the complications of having multiple security arrangements across a fleet of supported vehicle isn't worth the extra headache for the manufacturer.

          The "balance" of this situation should not lie in the boneheaded territory of elementary security mistakes... if you're going to have a remotely accessible API, hire programmers who understand securi

      • by Anonymous Coward

        Except this'll get the police searching for you within minutes. Unlocking it remotely will probably give you hours before it's noticed, during which you have time to remove/disable the tracker, hide the car and change the plates, maybe even the colour. And with zero risk of setting the alarm off, which is its advantage over just breaking into any car on the street. Plus it lets you target expensive new cars since it even tells you where they are.

        • by fyngyrz (762201)

          Except this'll get the police searching for you within minutes.

          Why would the police search until the driver is reported missing? Which might not happen for days, depending on the driver's social connections, but certainly won't happen for hours, by which time the car has either been disassembled or packed into a shipping container anyway.

  • by tompaulco (629533) on Saturday March 29, 2014 @07:47PM (#46612213) Homepage Journal
    Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By them they will probably have a gen 2 Tesla that requires a 7 digit password.
    I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least , if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.
    • With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password...

      guarantee. Statistically.

      On the other hand, most users don't use random strings for passwords.

  • Option? (Score:4, Interesting)

    by ArcadeMan (2766669) on Saturday March 29, 2014 @08:06PM (#46612275)

    Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?

    • by pepty (1976012)
      You can do it by phone and fax.
    • by zwede (1478355)
      Yes. The remote access to the car has to be turned on by the owner. When the car is delivered it is turned off. Tesla still has remote access even if the user-level access is off, but that would prevent access via the REST API and mobile app.
  • Service can unlock (Score:5, Informative)

    by nsxdavid (254126) <dw AT play DOT net> on Saturday March 29, 2014 @11:33PM (#46613031) Homepage

    I know service can unlock your car remotely, since I have one (model S) and they did it for me.

    The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

    • by Jeremi (14640)

      Given that Tesla, Inc. knows the position of all its cars at all times, what is the benefit of stealing one? If you then drive it for any length of time, the police will track it to your location and arrest you. OTOH, you could try to sell it for parts, but I doubt the Tesla parts market is large enough to do that anonymously; most likely anyone interested in buying said parts would know they were stolen and would report you to the police.

    • How does one steal these cars? Is anybody even trying and succeeding at stealing them yet?

      Ok, so you take the quite likely insured car... How do you get away? Drive like mad for... 300 miles then wait for many many hours to recharge? (NO, instant battery swap requires ID, quickcharger stations talk to the computer probably ID the car too, slow charging is the probably the only secure way and that takes TIME.) Naturally all this is after you rip out wherever their cell modem's antennae is.

      They don't need m

    • by timeOday (582209)

      The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

      If only he'd spent more time sitting around absorbing the endless stream of "what could possibly go wrong..." posts on slashdot, instead of building an empire.

  • Ohter vendors (at least one german one, though I dont remember which) can remote-unlock your car as well and noone complains.

  • * Can the owner switch off the remote control/access to their car ?

    * Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

    * 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

    * It mentions an iPhone app. What if I don't have (or want) an iPhone ?

    * What cars made by companies other than Tesla have similar systems ?

    • Re:Questions: (Score:4, Informative)

      by zwede (1478355) on Sunday March 30, 2014 @09:30AM (#46614449)

      * Can the owner switch off the remote control/access to their car ?

      Yes.

      * Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

      No.

      * 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

      Minimum. The password can also contain special character.

      * It mentions an iPhone app. What if I don't have (or want) an iPhone ?

      There's an official android app. I think there's an unofficial winphone app too. There's an unoffical chrome plugin and stand-alone JAVA app.

      * What cars made by companies other than Tesla have similar systems ?

      No one has anything as comprehensive. Closest is probably on-star.

  • He makes some good points, but his suggestions are honestly not that relevant.

    His major mistake is not comparing the electronic security to current security.

    He complains about static, short complexity passwords, but does not recognize that most of the time longer, more complex passwords decrease security.

    Many current car locks can be picked by by a guy with a bump key. The electronic security he lists is in fact far more secure than the standard key lock/ignition. More importantly, cars have side windo

Please go away.

Working...