Published on April 13th, 2014 | by Important Media Cross-Post


Tesla’s Security Shortfalls


Originally published on Gas2.
By Zachary Coffey


A recent blog post by Nitesh Dhanjani, a respected security researcher and author, explains why Tesla needs to rethink many of its security standards. By cracking a user’s login credentials, a hacker can unlock the doors of a Tesla Model S, track the vehicle through GPS, and operate the roof, lights and horn.

To understand the full extent of this issue, it helps to know how basic password cracking works. There are many ways to obtain a target’s password. Dictionary attacks cycle through a list of words found in a dictionary file until the correct password is found. This rudimentary method can be thwarted by simply using an original combination of characters.

Brute force attacks take dictionary attacks to the next level by trying every possible alphanumeric combination (e.g. aaaa1, aaaa2, … zdh3sl8, zdh3l9). Rainbow table attacks attempt to crack the encrypted password that the system receives, which takes less time than cracking the actual password. Malware can even record the user’s password entries and send them back to the malware’s developer.

The Tesla Model S is vulnerable to many different types of attacks due to the simplicity of its user management system and its password requirements in particular. Tesla’s password requirements are minimal at best, requiring only 6 characters with at least one number. More advanced systems require 8 characters with at least one number, symbol and sometimes even an upper case letter thrown in, making attacks take a much longer time to complete.


Moving beyond the issues with the password format, Tesla has placed no limit on the number of password attempts a user can make. Many companies have placed a limit of 3 attempts before the account is locked out to prevent brute force and dictionary attacks.
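A sketch of the kind of attempt limit described above, as an added example (not code from Tesla, Dhanjani or the original article). The class name, the lock durations and the `verify` callback are assumptions made for illustration; only the three-attempt threshold comes from the text.

```python
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0         # consecutive wrong passwords
    lockouts: int = 0         # lockouts since the last successful login
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account limit on password attempts with a temporary lockout."""

    MAX_FAILURES = 3          # the three-attempt limit the article cites
    BASE_LOCK_SECONDS = 60    # assumed value, doubled on each repeat lockout
    MAX_LOCK_SECONDS = 3600   # assumed cap, so the owner is never locked out forever

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the timing logic can be tested
        self._accounts = {}

    def retry_after(self, account):
        """Seconds until this account may try again (0 when not locked)."""
        state = self._accounts.get(account.lower())
        return max(0.0, state.locked_until - self._clock()) if state else 0.0

    def attempt(self, account, verify):
        """Run verify() unless locked; return 'ok', 'denied' or 'locked'."""
        state = self._accounts.setdefault(account.lower(), _State())
        if self._clock() < state.locked_until:
            return "locked"   # the guess is never checked while locked
        if verify():
            state.failures = state.lockouts = 0
            return "ok"
        state.failures += 1
        if state.failures < self.MAX_FAILURES:
            return "denied"
        lock = min(self.BASE_LOCK_SECONDS * 2 ** state.lockouts,
                   self.MAX_LOCK_SECONDS)
        state.locked_until = self._clock() + lock
        state.lockouts += 1
        state.failures = 0
        return "locked"
```

The lock is temporary and grows with repeated failures, so guessing slows to a crawl without letting an attacker lock the real owner out permanently. A production version would keep this state in shared storage and also limit attempts per source address.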

Additionally, if a user’s email is compromised, there are no additional security measures to reset a password. The familiar “Reset your password” link sends an email to the account, allowing an immediate reset. Third-party applications are also allowed access to login credentials through Tesla’s REST API, which allows applications to interact with one another. If these third-party companies are hacked, password information could be leaked, creating a potential threat.

If the multiple vulnerabilities outlined by Dhanjani are exploited, it could be a serious concern for the tens of thousands of Tesla drivers all over the world. While the car cannot be turned on with these login credentials, the car can be tracked and unlocked, leaving any valuables inside up for grabs.

Many of the shortfalls of the system can be fixed by increasing the requirements for password choices and including a secondary authentication process. This authentication can be performed by a number of methods from security questions to biometric options like retina or fingerprint scans. It is impossible to be completely secure in this world of gadgets that we live in, but for something as simple as a few characters, can Tesla really afford to not fully charge their attempts?

Sources | Photos: Nitesh Dhanjani | Tesla


About the Author

-- CleanTechnica is one of 18 blogs in the Important Media blog network. With a bit of overlap in coverage, we sometimes repost some of the great content published by our sister sites.

  • JamesWimberley

    Have a look at the xkcd password generator:

  • terrorist96

    Let’s not leave out the lack of forward secrecy and HSTS on the log in page.

  • Shiggity

    The advantages outweigh the disadvantages of having a connected car. This is just a standard blog post written to scare and anger you.

    If you’re not smart with your password, EVERYTHING of yours can be hacked, not just your car.

  • Nick Marino

    I have to say, I really disagree with all these articles about Tesla security.

    Let’s imagine they only allow alphanumeric passwords with exactly six characters. (They actually allow symbols, and longer passwords than that too, but bear with me.) Even in this limited case, there are over 56 *billion* possible passwords. Yes, they don’t lock out the account after 3 failed login attempts, but that shouldn’t matter. Even if someone is performing 100 login attempts per second (which may not even be possible, I don’t know what kind of latency and/or rate limiting the Tesla API has) it will still take someone over 17 years to try all possible passwords.

    Obviously if someone picks a bad password, or their email account gets hacked, then yeah someone might be able to hack them. But then again, this presupposes that an attacker knows a particular email address is associated with a Tesla account. For someone targeting a particular person they might know this, but for some random hacker on the internet, there is no publicly accessible directory of Tesla account emails that they can troll through. So yes, if someone is specifically trying to hack my car personally, and I pick a bad password then I might be in trouble…but if someone is targeting me personally and trying to steal stuff from my car, then they might have an easier time just breaking the windows.

    Finally I just want to say, yes, maybe if Tesla implemented stronger password requirements or extra “security questions” then things might be a little bit more secure. But there’s only so far you can go in protecting people from themselves. Personally, I find a lot of this stuff extremely annoying: I don’t need endless security questions, complex arbitrary password requirements, and account lockouts to protect me, when I’m already able to choose good passwords on my own. I would rather Tesla not compromise their user experience for the sake of trying to stop people from shooting themselves in the foot.

    • Steve Grinwis

      This comment fundamentally fails to understand the risks.

      This is not that someone attempts 100 password attempts per second for 17 years. The risk is that someone steals the hashed and salted password result. At this point, we can turn the result over to an FPGA hash cracking algorithm that can churn out billions of password attempts per second. Your six character password is now crackable in less than a minute. Even 8 character passwords, with their 210 trillion combinations, can be cracked in a mere day and a half with this method.

      What they should really have is two factor authentication. Password + secondary password produced from a smartphone or tablet. Now they need to crack your password && steal your phone. That’s hard.

      • Bob_Wallace

        “secondary password produced from a smartphone or tablet”

        Or key fob?

      • Nick Marino

        If someone actually breaks into Tesla’s servers deeply enough to steal both the password database and the salt value, then we’re all clearly screwed anyway. At that point Tesla is going to have to force everyone to reset their passwords, whether or not they have two factor authentication in place. And that’s assuming the hackers even *need* passwords, given that they’ve clearly already got a backdoor into the servers.

        That said, I don’t disagree that two factor would improve security in certain situations. I think it would be great if that were an option (although for me, I don’t feel the increased hassle would be worth it). But that’s not what everyone has been complaining about. All the articles I’ve read have been saying “oh no! They allow passwords that are only six characters in length, and those are easy to brute force, right!?!?” Or stuff like “if a user’s email is compromised, then whoever hacked their email can just reset the password”.

        Well, okay, those things may have grains of truth to them, in some situations. But none of these risks are remotely unique to Tesla. There are lots of websites on the internet with similar security setups (including really important stuff, like financial sites, medical databases, etc), and most of them don’t offer two factor authentication either. Yet, you don’t see articles popping up all over the internet about “Vanguard’s broken security model”, or how “BCBS users could have medical data stolen by hackers”.

        The only reason this is getting so much attention is because we’re talking about Tesla, and the media loves to try and tear them down at every opportunity. And, of course, headlines about cars getting hacked yields lots of attention and clicks, even if it hasn’t actually happened to anybody, ever.

        • Steve Grinwis

          You can obtain the salted and hashed password without breaking into the servers. They could be obtained from memory inspection on an infected computer, or from sniffing packets on the wire and using the recently exposed Heartbleed exploit to obtain the SSL key.

          Two factor gets around all of that. If they used Google authentication, they get this for free. It also has the ability to permanently authenticate a particular system, so that you only set up two factor and use it once every month or so to authenticate your box again. Works well.

    • Otis11

      Very well thought out argument, however you overlook the hacking approach Steve discusses (these can be harnessed using GPUs in everyday personal computers, you don’t even need the FPGA he mentions). Additionally, I would posit that they can significantly improve security without compromising user experience with two simple improvements: Implement a maximum number of guesses for a password (something large like 10-15 guesses per correct unlock) and a double check security feature for password resets – email and a pass-code text to the user. Having to request an unlock with your email address and then inputting a passcode that was sent to your phone within 15 minutes of the request.

      This would noticeably improve security. Sure, any one car may be safe from an attack, but what’s to stop someone from trying to attack every Tesla car in the world simultaneously and then, when they undoubtedly get lucky, using the GPS to find it?
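The two-step password reset suggested in the last comment, which also addresses the email-only reset the article criticises, sketched as an added example (not part of the original page or of any Tesla code). The class and method names and the five-try limit are assumptions; the 15-minute window is the one the comment proposes.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # the 15-minute window proposed in the comment
MAX_CODE_TRIES = 5           # assumed value; the page does not give one


class ResetCodes:
    """Second step of a password reset: a short-lived code sent to the phone."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested
        self._pending = {}   # account -> [code, expires_at, tries_left]

    def issue(self, account):
        """Create a 6-digit code; the caller texts it to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random
        self._pending[account] = [code,
                                  self._clock() + CODE_TTL_SECONDS,
                                  MAX_CODE_TRIES]
        return code

    def redeem(self, account, code):
        """True only for the right code, in time, within the try limit."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        expected, expires_at, tries_left = entry
        if self._clock() > expires_at or tries_left <= 0:
            del self._pending[account]   # expired or guessed too often
            return False
        entry[2] = tries_left - 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self._pending[account]   # single use
            return True
        return False
```

With this in place, control of the email account alone is no longer enough to reset the password; the try limit matters because a 6-digit code has only a million possible values.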
