Tesla Cars Lack Two-Factor Authentication
The Tesla Model S is a great car, researcher Nitesh Dhanjani concedes in a new blog post. When it comes to security, however, he says Tesla could still learn a few things.
His current attention is on Tesla. Among the problems he's found, he singles out two as critical.
1. Tesla's six-character password can lead to the car being remotely located and unlocked via malware, phishing, and password leaks. Dhanjani notes that the Tesla website has no account lockout policy for incorrect login attempts, which leaves the login form open to password guessing. Once an account has been compromised, an attacker can "obtain the location of the vehicle mapped to the compromised accounts he or she can unlock a particular vehicle or a set of vehicles," he writes. Further, the user is not authenticated, so a malicious party may succeed in social engineering Tesla customer service into unlocking someone else's car. And an attacker with temporary access to the owner's email can reset the owner's password.
2. Tesla's REST API implicitly encourages credential sharing with untrusted third parties, since using the API from a third-party app means handing that app the owner's credentials. As a result, Dhanjani writes, a "malicious intruder can collect Tesla users' credentials and abuse the remote functionality."
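To make both weaknesses concrete, here is an added example in Python of a toy account service; it is not Tesla's code and not from Dhanjani's post. The account name, the six-character password, the lockout thresholds, the action names and the token format are all constructed for illustration. It shows how many wrong guesses an online attacker gets against a login with and without a lockout policy, and how a scoped, expiring, revocable token lets a third-party app locate a car without ever holding the owner's password.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # assumed policy: lock after this many wrong passwords
LOCKOUT_SECONDS = 15 * 60   # assumed policy: keep the account locked this long


def search_space(length: int, alphabet_size: int) -> int:
    """Candidate passwords for a fixed-length static password, e.g. 62**6."""
    return alphabet_size ** length


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    failed: int = 0            # consecutive wrong passwords
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AuthService:
    """Toy account service: password login with optional lockout, plus scoped tokens."""
    def __init__(self, lockout: bool = True) -> None:
        self.lockout = lockout
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, tuple[str, frozenset[str], float]] = {}  # token -> (user, actions, expiry)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)  # low round count for speed

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(self._hash(password, salt), salt)

    def login(self, user: str, password: str, now: float | None = None) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            return "bad_password"            # same answer as a wrong password: no user enumeration
        if self.lockout and now < acct.locked_until:
            return "locked"                  # refused even if this guess happens to be right
        if hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            acct.failed = 0
            return "ok"
        acct.failed += 1
        if self.lockout and acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"

    def issue_token(self, user, password, actions, ttl, now=None) -> str | None:
        """Owner logs in once and receives a scoped, expiring token to hand to a third party."""
        now = time.time() if now is None else now
        if self.login(user, password, now) != "ok":
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, frozenset(actions), now + ttl)
        return token

    def call(self, token: str, action: str, now: float | None = None) -> str:
        """Authorize a remote action by token: 'ok', 'revoked', 'expired' or 'forbidden'."""
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None:
            return "revoked"
        _user, actions, expiry = entry
        if now >= expiry:
            return "expired"
        if action not in actions:
            return "forbidden"
        return "ok"

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)         # cut off one third party without a password change


def online_guesses_before_lockout(service: AuthService, user: str, guesses: list[str]) -> int:
    """Wrong guesses an attacker can submit before the service answers 'locked'."""
    n = 0
    for guess in guesses:
        if service.login(user, guess, now=0.0) == "locked":
            break
        n += 1
    return n


if __name__ == "__main__":
    svc = AuthService()
    svc.register("owner@example.com", "Zx9k2q")   # constructed account and six-character password
    tok = svc.issue_token("owner@example.com", "Zx9k2q", {"locate"}, ttl=3600, now=0.0)
    print("third party locate:", svc.call(tok, "locate", now=10.0), "| unlock:", svc.call(tok, "unlock", now=10.0))
    print("wrong guesses before lockout:", online_guesses_before_lockout(svc, "owner@example.com", [f"g{i}" for i in range(20)]))
```

With `lockout=False` every guess in the list is accepted, which is the situation the post describes for a six-character static password (62**6, about 5.7e10 candidates over letters and digits, small enough to matter once leaks and reuse are in play). Two caveats a practitioner would add: a hard lockout is itself a denial-of-service lever, since anyone who knows the owner's email can lock the account with five bad guesses, so real deployments pair it with per-source rate limiting and a second factor; and the token scheme is a simplified OAuth-style delegation, the point being only that what the third party holds is scoped to `locate`, expires, and can be revoked without changing the password.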
Dhanjani also notes that an attacker can go old school and physically attack the car by plugging into a port on the vehicle. He writes: "[a] M12 to RJ45 adapter can be used to connect a laptop to this port. Users on the teslamotorsclub.com forum have reported various information about the internal network after having plugged into it ..."
Dhanjani concludes with four points:
1. Tesla should address the issue of using static passwords with low complexity requirements.
2. Tesla owners should be aware of risks based on the current situation and take precautions outlined in this document.
3. Until Tesla announces an SDK and methods they are going to outline to sandbox applications, users should refrain from using third party applications.
4. The forum discussion referred to in the Low Hanging Fruit section is fascinating. It is clear that Tesla owners want to engage in an open dialogue where they are assured by Tesla what security architectures are being utilized to secure the cars. This is analogous to how Apple described how the iMessage infrastructure is secured to put personal and corporate users at ease.