Tesla's Model S Lock Can Be Easily Hacked

Tesla's Model S Lock Can Be Opened With a Basic Hack

Tesla's Model S is supposed to be the safest car on the road — at least where the physical realm is concerned. But apparently, the crazy expensive car's six-character password is vulnerable to some pretty basic hacking techniques, leaving you and your car's data at the mercy of a tech-savvy stranger.

The vulnerability was revealed by Nitesh Dhanjani, a corporate security consultant and Tesla owner, at Singapore's Black Hat Asia security conference this past Friday. While the car can't go into drive without the actual key fob present, it is still possible to both unlock the car and access its internal data system. Once a hacker has the owner's six-character password, the accompanying mobile app will grant access to the car's monitoring system as well as allow the hacker to "perform minor tasks," such as controlling the car's headlights and halting charging.

While Dhanjani was understandably sparse on details, he did say that the password can be hacked using "the same methods used to gain access to any other online account." This, of course, isn't helped by the fact that Tesla's website doesn't have any restriction on the number of incorrect login attempts. What's more, Dhanjani discovered that Tesla support staff has the ability to unlock and monitor vehicles remotely, meaning Tesla employees would be able to pinpoint and unlock any car on the road.
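A restriction on incorrect login attempts is the control the paragraph above says is missing. As an added example (not from the article, Dhanjani's talk, or Tesla), here is a per-account failed-login throttle with exponential backoff, plus a simulation of how many guesses it permits per day. The class name, policy values, account name and the one-guess-per-second rate are all assumptions.

```python
import time

ACCOUNT = "owner@example.com"  # constructed sample account


class LoginThrottle:
    """Per-account failed-login throttle (hypothetical policy values)."""

    def __init__(self, free_attempts=5, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # the Nth failure starts the backoff
        self.base_delay = base_delay        # seconds, doubled per further failure
        self.max_delay = max_delay          # cap on a single lockout
        self.clock = clock
        self._state = {}                    # account -> (failures, locked_until)

    def allowed(self, account):
        """True if a login attempt for this account may be processed now."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return self.clock() >= locked_until

    def record_failure(self, account):
        """Count a failed login and return the lockout (seconds) it triggers."""
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = 0.0
        if failures >= self.free_attempts:
            exponent = failures - self.free_attempts
            delay = min(self.base_delay * 2 ** exponent, self.max_delay)
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        """A correct login clears the failure history."""
        self._state.pop(account, None)


def guesses_in_window(window_seconds, request_seconds=1.0, **policy):
    """Count the guesses one client gets against one account in the window."""
    now = [0.0]  # simulated clock, so the run is instant and repeatable
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    attempts = 0
    while now[0] < window_seconds:
        if throttle.allowed(ACCOUNT):
            attempts += 1
            now[0] += max(throttle.record_failure(ACCOUNT), request_seconds)
        else:
            now[0] += request_seconds
    return attempts
```

Passing `free_attempts=float("inf")` models a site with no restriction. A per-account lockout can itself be used to lock the real owner out, so it is normally paired with per-source limits and a second factor.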

The car is still only in its early stages, so hopefully, this finding will encourage Tesla's engineers to seriously reconsider their software security. They already have physical safety down — now it's time to move that to the virtual realm. [Value Walk]


Comments

    wooo I can change the headlights.... totally going to do that...... not

    No one is going to hack it as there is no money to be made, now if you could unlock the car and turn on the engine....

      I strongly disagree with you! This is just the beginning. All big hacks are started from smaller exploits allowing you to do just that little bit more than you're supposed to. Look at iPhone jailbreaking & lock screen bypasses for example.
      The fact that gaining *any* access to a "locked" system is step 1 in the series of steps to pwn something. Read between the lines of what he is saying, IE: system software exists to remote unlock said car.
      It's just a glitch to the left....then right a bit....

    "An attacker might guess the password via a Tesla website" This is the basis for this story. With no detail or evidence, this amounts to wild speculation. I understand Nitesh Dhanjani may be a security consultant and Tesla owner, but without evidence, this feels much more like link bait than a story with any real substance.

    Yup, link bait. The "hack" is just brute forcing a user's password on the website.

    It's definitely a security vulnerability, but as with all Risk Management you need to take into account Threat, Likelihood and Consequence. Let's do the numbers for a laugh:

    Threat: A "hacker" finds out your login ID and then brute forces your password
    Vulnerability: The car can be unlocked remotely using the password
    Likelihood: Rare - requires identification of the owner and location of the car. Highly targeted.
    Consequence: Theft of contents/Vandalism

    Gosh that consequence sounds a lot like what anyone with a brick can do by smashing the window. Extra bonus: you don't need a PC!
