Security questions were raised over the app-based “key” used to unlock the electric supercar Tesla – after a researcher showed it was possible to guess the key’s six-digit PIN by brute force. The Model S is rated one of the safest cars on the road – but the electronic security system protecting its locks may not be quite as bulletproof, researchers claim.
The Tesla car is “locked” using an iPhone app, accesssed via a basic six-character password, according to Sky News.
This leaves the car vulnerable to ‘brute force’ hacks where attackers try thousands of passwords until they find the corrrect one.
The hack was shown off by researcher Nitech Dhanjani at a conference in Singapore. While obtaining the password would not allow the attacker to drive the car, it would alllow attachers to drain batteries, operating headlights and halting charging.
Dhanjani pointed out that the ‘static’ password system also meant that phishing attacks could be used to obtain the password, and thus control the Model S’s systems.
Gizmodo pointed out that the methods Dhanjani highlighted were similar to those used to gain access to any online account – and not what one would expect of a high-end supercar such as the Tesla Model S.
In a blog post, Dhanjani wrote,“The Tesla website doesn’t seem to have any particular account lockout policy per incorrect login attempts. This puts owners at risk since a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality.
in a statement, Tesla said, “”Our customers’ security is our top priority, be that in developing a car with the highest safety rating or doing everything we can to protect them against online security breaches.”
“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”
Tesla said that it had altered its software to lock out users after five incorrect attempts.
Speaking to CNN, Dhanjani said that he was personally not concerned by the security of his own Model S, “”The time is right now for Tesla to fix this. As other car manufacturers draw inspiration from Tesla’s design and architecture, there will be more people to compromise and launch attacks against.”
Author Rob Waugh, We Live Security