Nitesh Dhanjani, a corporate security consultant, Tesla owner and
author of books on hacking, said at a conference in Singapore on
Friday that he recently conducted a study of the Tesla Model S sedan
and found several design flaws in its security system. He said his
review did not uncover any hidden software vulnerabilities in the
car's major systems.
"We cannot be protecting our cars in the way we protected our
(computer) workstations, and failed," he said during a presentation
at the Black Hat Asia security conference in Singapore.
Dhanjani said he has passed on his findings to Tesla.
Tesla spokesman Patrick Jones declined to comment on Dhanjani's
findings, though he said that the carmaker does carefully review
research it receives from security experts.
"We protect our products and systems against vulnerabilities with
our dedicated team of top-notch information security professionals,
and we continue to work with the community of security researchers
and actively encourage them to communicate with us through our
responsible reporting process," Jones said via email.
Tesla's Model S car can only be driven when a key fob is present,
but it can be unlocked via a command to the car transmitted
wirelessly over the Internet, according to Dhanjani.
If a password is stolen or cracked, someone could locate and gain
access to the car and steal its contents, but not drive it, Dhanjani
Users are required to set up an account secured by a six-character
password when they order the car. This password is used to unlock a
mobile phone app and to gain access to the user's online Tesla
The freely available mobile app can locate and unlock the car
remotely, as well as control and monitor other functions. The
password is vulnerable to several kinds of attacks similar to those
used to gain access to a computer or online account, Dhanjani said.
[to top of second column]
An attacker might guess the password via a Tesla website, which
Dhanjani says does not restrict the number of incorrect login
Attackers could try to gain access to the password from the user's
computer via password-stealing viruses, or gain access to other
accounts that might use the same password.
"It's a big issue where a $100,000 car should be relying on a
six-character static password," he said.
Dhanjani said there is also evidence that Tesla support staff can
unlock cars remotely, leaving car owners vulnerable to attackers
impersonating them, and raising questions about the apparent power
of such employees to locate and unlock any car with or without the
owner's knowledge or permission.
(Additional reporting by Jim Finkle; editing by Peter Galloway and
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.