A security researcher reported to Tesla company a series of security issues related with S model that could be exploited to locate and unlock the vehicles.

Hackers are able to remotely locate or unlock the Tesla Motors electric vehicles, the news is curious but it isn’t a novelty. Car hacking was largely discussed in the last months, we read about the research conducted by Charlie Miller and and Chris Valasek on the topic, and we were surprised by the news that using a cheap tiny device, dubbed CAN Hacking Tool (CHT), it was possible to control some feature of the vehicle. Both studies are focused on the possibility to interact with any component in the car via CAN BUS, injecting malicious code or conducting a DOS attack. The the attack surface for any Smart Car is increasing due the presence of different networked devices and the implementation of different communication protocols like Bluetooth and WiFi. 

A new research demonstrated that is possible to hack a Tesla Smart car simply cracking a six-character password. Last week at the Black Hat Asia security conference in Singapore the researcher Nitesh Dhanjani, presented a study conducted on his own Tesla Model S Sedan describing a series of security vulnerabilities in the security system adopted to protect the vehicle.

The Model S of Tesla Motors allows drivers to use the vehicle in the presence of a key fob, anyway the car can be unlocked through a command transmitted via wireless over the Internet, the principal problem is that the command could be easily hijacked by the cybercriminals to crack or steal the password with traditional hacking techniques.

“We cannot be protecting our cars in the way we protected our (computer) workstations, and failed,” he said during a presentation.

Every new Tesla owner must complete a registration procedure on the web, signing up an account protected by a secret code composed of six characters, unfortunately the same code is used to unlock the mobile phone app to gain access to online Tesla account (http://www.teslamotors.com).

The first thing that the researcher noted is that an attacker can try all possible combinations of the 6 characters composing the password, the app doesn’t implement any restriction on the number of attempts making easy a brute-force attack.

“Once credentials are gathered, phishers can easily check the location of the cars for the accounts they have compromised by using the Tesla REST API [http://docs.timdorr.apiary.io ](destination https://portal.vn.teslamotors.com/) by following these steps:

“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process,” replied Jones via email.

The security issues presented by Dhanjani are very serious, we must consider that similar problems could affect a wide range of devices responding to the paradigm of Internet of Things and could have repercussion on a large scale.

Sincerely, I don’t think it is the case of Tesla company, but it’s time to start to consider security by design, no matter if you are designing a fridge, a SmartTV or a car.

Pierluigi Paganini

(Security Affairs –  car hacking, Tesla)