Tesla’s Model S is supposed to be the safest car on the road — at least where the physical realm is concerned. But apparently, the crazy expensive car’s six-character password is vulnerable to some pretty basic hacking techniques, leaving you and your car’s data at the mercy of a tech-savvy stranger.
The vulnerability was revealed by Nitesh Dhanjani, a corporate security consultant and Tesla owner, at Singapore’s Black Hat Asia security conference this past Friday. While the car can’t go into drive without the actual key fob present, it is still possible to both unlock the car and access its internal data system. Once a hacker has the owner’s six-character password, the accompanying mobile app will grant access to the car’s monitoring system as well as allow the hacker to “perform minor tasks,” such as controlling the car’s headlights and halting charging.
While Dhanjani was understandably sparse on details, he did say that the password can be hacked using “the same methods used to gain access to any other online account.” This, of course, isn’t helped by the fact that Tesla’s website doesn’t have any restriction on the number of incorrect login attempts. What’s more, Dhanjani discovered that Tesla support staff have the ability to unlock and monitor vehicles remotely, meaning Tesla employees would be able to pinpoint and unlock any car on the road.
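One way to implement the control the paragraph above says is missing, a limit on incorrect login attempts, is a per-account throttle with exponential backoff. This is an added example, not Tesla's code or anything shown in Dhanjani's talk; the class and function names, the thresholds and the `verify` callback are all assumptions.

```python
import hmac
import time

class LoginThrottle:
    """Per-account failed-login throttle with exponential backoff (illustrative)."""

    def __init__(self, free_attempts=5, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # assumed threshold, tune per service
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap so the owner is never locked out forever
        self.clock = clock                  # injectable so the logic can be tested
        self._state = {}                    # account -> [consecutive_failures, locked_until]

    def retry_after(self, account):
        """Seconds until the next attempt will be evaluated (0.0 = allowed now)."""
        st = self._state.get(account)
        return max(0.0, st[1] - self.clock()) if st else 0.0

    def record(self, account, success):
        """Record the outcome of an attempt that was allowed through."""
        if success:
            self._state.pop(account, None)  # a good login resets the counter
            return
        st = self._state.setdefault(account, [0, 0.0])
        st[0] += 1
        over = st[0] - self.free_attempts
        if over >= 0:  # the free_attempts-th failure starts the first lockout
            delay = min(self.base_delay * 2 ** min(over, 32), self.max_delay)
            st[1] = self.clock() + delay


def attempt_login(throttle, account, password, verify):
    """Return 'ok', 'denied' or 'throttled'."""
    if throttle.retry_after(account) > 0:
        return "throttled"  # verify() is skipped: a locked account gives no password oracle
    ok = verify(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    CREDS = {"owner@example.com": "Ab3dE6"}  # constructed sample credential
    def verify(account, password):
        return hmac.compare_digest(CREDS.get(account, "").encode(), password.encode())
    throttle = LoginThrottle(free_attempts=3)
    for guess in ["aaaaaa", "bbbbbb", "cccccc", "Ab3dE6"]:
        print(guess, attempt_login(throttle, "owner@example.com", guess, verify))
```

Keying the counter on the account alone lets anyone who knows the login name keep the real owner locked out, so a throttle like this is normally paired with per-source limits and alerting on repeated lockouts.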
The car is still only in its early stages, so hopefully, this finding will encourage Tesla’s engineers to seriously reconsider their software security. They already have physical safety down — now it’s time to move that to the virtual realm. [Value Walk]