A security researcher has discovered a way to locate, hack and unlock Tesla Motors’ premier Model S from a remote computer using traditional hacking techniques.
Nitesh Dhanjani announced his findings at the Black Hat Asia security conference in Singapore over the weekend, where the author of multiple books on hacking revealed that by cracking a six-character password transmitted wirelessly over the Internet, a hacker could locate and gain access to any Model S.
Using Dhanjani’s technique, hackers could find and break into Teslas to steal any contents inside the car, but would be unable to hijack and drive the car itself, which requires the owner’s electronic key fob.
“We cannot be protecting our cars in the way we protected our [computer] workstations, and failed,” Dhanjani said in a Reuters report.
Dhanjani’s study uncovered “several design flaws” in the car’s security software, while the rest of the systems got a green light. The corporate security consultant has already forwarded his study of the Model S’s software systems to the California-based electric auto manufacturer.
“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process,” Tesla spokesman Patrick Jones said after the study’s announcement.
Tesla owners are required to choose a six-character password as part of their Model S order. The password is entered into a smartphone app to activate the car’s systems remotely and to access the user’s online Tesla account. From there, owners can locate and lock or unlock their cars, and use various other features such as setting the cabin temperature.
Tesla’s website does not limit the number of login attempts before locking a user out of their account, which leaves open the possibility for hackers to try various general means of breaching security, such as password-stealing viruses. Dhanjani also said there was evidence indicating hackers could impersonate Tesla support staff online to remotely unlock cars.
“It’s a big issue where a $100,000 car should be relying on a six-character static password,” Dhanjani said.