Transportation Security

Tesla Model S Hacking Prize Claimed 59

savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app."
  • Re:So (Score:4, Insightful)

    by unrtst ( 777550 ) on Friday July 18, 2014 @06:12PM (#47486207)

    Tesla should not have allowed the PIN to be brute forced. The PIN should be stored by the car, not by the app, and it should have a 30 second lock-out after 3 wrong attempts, and then double the lock-out time for each additional wrong attempt. This is Security 101.

    At which point, anyone in the world could very very easily DOS your car.

    There are ways around that, but the naive and very very common implementation you describe is trivial to DOS. I'd hope that the user's key could still get them in and get an override, but the app should use much stronger auth to avoid DOS issues (ex. challenge response with something that requires largish compute time for the client in order to register and calculate a very large shared key - i.e. this would be a one time registration per client app; then use the lock out on a per-registered-client basis; thus it would be costly to generate more client ids, and the lock out would make each only worth a few bad tries before forcing re-handshake). PIN would still be used on top of that (adds another factor, and something easily set/changed on the car side).
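The per-registered-client lock-out described in the comment above, as an added sketch that is not part of the original post and not Tesla's code. Assumptions: a hashcash-style proof of work stands in for the "largish compute time" registration step, the issued client key is presented directly instead of being used in a challenge-response, and `Car`, `POW_BITS` and the other names are hypothetical.

```python
import hashlib, hmac, os

POW_BITS = 12    # constructed difficulty so the demo runs fast; a real value would be far higher
FREE_TRIES = 3   # wrong attempts allowed before the first lock-out
BASE_LOCK = 30   # seconds; doubles with each further wrong attempt

def pow_ok(challenge: bytes, nonce: int) -> bool:
    """True if sha256(challenge || nonce) starts with POW_BITS zero bits."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - POW_BITS) == 0

def solve_pow(challenge: bytes) -> int:
    """Client side: the costly search that makes new client ids expensive."""
    nonce = 0
    while not pow_ok(challenge, nonce):
        nonce += 1
    return nonce

class Car:
    def __init__(self, pin: str):
        self._pin = pin.encode()   # PIN lives on the car, not in the app
        self._pending = set()      # issued challenges (no expiry in this sketch)
        self._clients = {}         # client key -> [wrong_count, locked_until]

    def challenge(self) -> bytes:
        ch = os.urandom(16)
        self._pending.add(ch)
        return ch

    def register(self, ch: bytes, nonce: int):
        """Issue a per-client key only for a solved, unused challenge."""
        if ch not in self._pending or not pow_ok(ch, nonce):
            return None
        self._pending.discard(ch)
        key = os.urandom(32)
        self._clients[key] = [0, 0.0]
        return key

    def unlock(self, key: bytes, pin: str, now: float) -> str:
        state = self._clients.get(key)
        if state is None:
            return "unregistered"   # unknown keys never touch any lock-out state
        if now < state[1]:
            return "locked"
        if hmac.compare_digest(pin.encode(), self._pin):
            state[0] = 0
            return "ok"
        state[0] += 1
        if state[0] >= FREE_TRIES:  # 30 s after 3 misses, then 60 s, 120 s, ...
            state[1] = now + BASE_LOCK * 2 ** (state[0] - FREE_TRIES)
        return "wrong"
```

Because the lock-out counter is keyed by the client key rather than held once for the whole car, wrong guesses from one registered client do not lock out any other client.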
