
Security Evaluation of the Tesla Model S

Soulskill posted about 5 months ago | from the fob-it-off-on-somebody-else dept.

Transportation 93

An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."

93 comments

Question (1)

CheezburgerBrown . (3417019) | about 5 months ago | (#46612059)

Is there a market for used or stolen Tesla cars or parts?

In other news (1)

fyngyrz (762201) | about 5 months ago | (#46613009)

...trusted sources reported today that if a Tesla vehicle is dropped from orbit, the impact would be devastating. The NTSB is looking into this, and Fox News reports that Obama is responsible. Scientists confirm using actual math that the outcome is all but inevitable.

[camera shows stock shots of meteor crater in Arizona]

Tesla has not responded to our requests to comment, except to say that SpaceX cargo capacity is privileged corporate information.

In financial news, Aluminium foil prices are up.

Re:Question (2)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#46613583)

Is there a market for used or stolen Tesla cars or parts?

It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.

On the other hand, its materials/recycle value is probably above average for vehicles of its size.

Re:Question (1)

mjwx (966435) | about 5 months ago | (#46617723)

Is there a market for used or stolen Tesla cars or parts?

It wouldn't 100% shock me (though it'd have to be an export job, 'notable and uncommon', 'aggressively interacts with the vendor', and 'stolen' are not attributes that work well together); but it's probably not on the top of the list of cars that flip or chop easily.

On the other hand, its materials/recycle value is probably above average for vehicles of its size.

I know /. is very US centric, but in Europe driving a stolen car over a border is trivial and a Tesla will fetch a good price even in Eastern Europe.

Re:Question (1)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#46619213)

By the same token, though, I'd have to imagine that European law enforcement types have (formally or informally) had to adapt to the fact that "Eh, just report the details to border control and call it a day" doesn't work anywhere in the Schengen Area anymore. Most of Europe also has suitably compatible cellular operations, so I'd feel about as safe across a European 'national' border as I would across a US 'state' one.

Either way, once you get 'outside the country' whether literally (US) or figuratively (the parts of Europe that actually play nicely with each other) and strip the phone-home features, you probably do have a saleable product; but definitely a shady one. Tesla has never been secretive about (indeed, they consider it part of their customer service) the fact that vehicles phone home to report issues, assist in necessary maintenance, etc. so selling a suitably de-fanged Tesla would probably be more like selling enterprise network gear that mysteriously lacks any warranty entitlements, valid serial numbers, etc. than it would be like selling an ordinary 'used car of dubious provenance'.

For the moment, I'd imagine that the better money is either something mundane but trivially flippable/partable that you can do in relative volume with limited expertise, or bespoke hits on very high value stuff. Now, give it another few years, maybe a decade, and you'll have a number of legitimate Tesla buyers who no longer have warranty coverage and are looking for a good deal on a new battery/other part. That could change the equation.

Re:Question (0)

nospam007 (722110) | about 5 months ago | (#46613867)

"Is there a market for used or stolen Tesla cars or parts?"

Not very likely. Even the radio is dangerous for the ears, since the volume goes up to 11.

http://en.wikipedia.org/wiki/U... [wikipedia.org]

unlock the fire within (1)

turkeydance (1266624) | about 5 months ago | (#46612071)

"Pioneers get slaughtered, and the settlers prosper." - Daymond John

Seen This One Before (4, Interesting)

rmdingler (1955220) | about 5 months ago | (#46612091)

A disgruntled former employee (hardly ever see that) kept access to work computers at a tote-the-note car lot.

They had taken advantage of remote tech to disable the vehicle and engage the horn from a keyboard... in case of nonpayment for the former and sometimes aiding location efforts for the latter.

Poor chap was so disgruntled he killed vehicles and blew horns for most of a weekend before they deduced the antagonist. I am sure there are some repercussions for this kind of adventure, but hell, if there's even a chance you'll have a grandchild, do you want this story in your arsenal?

[citation needed] (-1)

Anonymous Coward | about 5 months ago | (#46612203)

[citation needed]

Re:[citation needed]:Rocky's 5th best line (2)

rmdingler (1955220) | about 5 months ago | (#46612333)

You lie to your friends and I'll lie to mine.

It goes without saying we'll both lie to the customer.

We'll just plain be honest with each other.

"Vulnerable"? (0)

SternisheFan (2529412) | about 5 months ago | (#46612095)

FTS: "The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account."

Has any hack of these 'vulnerabilities' ever been proven to have actually occurred yet?

Re:"Vulnerable"? (0)

Anonymous Coward | about 5 months ago | (#46612243)

I don't think it matters whether it has happened. What matters is we know how it can happen after which it's only a matter of time.

Re:"Vulnerable"? (4, Insightful)

symbolset (646467) | about 5 months ago | (#46612307)

It is not like it is difficult to unlock almost any car.

Re:"Vulnerable"? (0)

Anonymous Coward | about 5 months ago | (#46613799)

my home depot sells this thing called a cinder block. It is universally known to open all cars.

Re:"Vulnerable"? (1)

symbolset (646467) | about 5 months ago | (#46613845)

There is this magic thing called a Z-bar that can be used to open almost any car without breaking the windows. But brute force does still work and is quick.

Re: "Vulnerable"? (2)

corychristison (951993) | about 5 months ago | (#46615039)

My wife's family owns my town's only locksmith company.

I spent some time working there, and let me tell you the best tool for breaking into cars is the correct tool for that vehicle. We had toolboxes of roughly 15 tools for various vehicles. Knowing which tool to use and how to use it is a skill I think everyone should learn.

My favourite was the slimjim. I even made my own because I wasn't fond of the one included in the kit. It's so versatile.

As an aside: We worked with CAA (Canadian version of AAA) and once every month or so we'd get a fax to unlock a vehicle (usually a Ford for some reason) whose keyless entry fob's battery had died. We would arrive and they are holding their key in their hand, pressing the button to unlock it and they are getting frustrated the vehicle isn't unlocking. I would calmly ask to see their key, walk up to the door and stick it in the door's keyway and turn it. The look on their face was always priceless. I even had one lady confess she didn't know that was even possible.

Re: "Vulnerable"? (1)

sh00z (206503) | about 5 months ago | (#46620663)

As an aside: We worked with CAA (Canadian version of AAA) and once every month or so we'd get a fax to unlock a vehicle (usually a Ford for some reason) whose keyless entry fob's battery had died. We would arrive and they are holding their key in their hand, pressing the button to unlock it and they are getting frustrated the vehicle isn't unlocking. I would calmly ask to see their key, walk up to the door and stick it in the door's keyway and turn it. The look on their face was always priceless. I even had one lady confess she didn't know that was even possible.

But if the car has an alarm system and it's active, this doesn't help much. If I unlock my car with a physical key, there's a three-step process I need to do in order to disable the alarm and engine kill. If your owners didn't realize their keys would work, what's the likelihood they'd then remember everything else required before driving away?

Re: "Vulnerable"? (1)

corychristison (951993) | about 5 months ago | (#46625631)

But if the car has an alarm system and it's active, this doesn't help much. If I unlock my car with a physical key, there's a three-step process I need to do in order to disable the alarm and engine kill. If your owners didn't realize their keys would work, what's the likelihood they'd then remember everything else required before driving away?

The alarm will also go off if I open it with a tool to bypass the lock... It's not my responsibility to know how to turn the alarm off. The point I was trying to make was these people did not know they could unlock their car, and gain access to their belongings, without their keyfob.

Of the three calls I handled in the situation I described, they were factory keys with the remote unlock buttons on the key itself.

I even had one case, where the passenger window was rolled down half way, allowing me to reach in effortlessly and unlock the vehicle.

OK, Tesla not qualified to do automatic driving (4, Informative)

Animats (122034) | about 5 months ago | (#46612127)

How to steal car:
1. Guess username and password.
2. Log in to "https://portal.vn.teslamotors.com".
3. Send GET to "https://portal.vn.teslamotors.com/vehicles" to get list of vehicle IDs for that owner.
4. Send GET to "https://portal.vn.teslamotors.com/vehicles/{id}/command/drive_state" to get vehicle latitude and longitude.
5. Send GET to "https://portal.vn.teslamotors/vehicles//vehicles/{id}/command/door_unlock" to unlock doors.
6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.
...

And those guys think they're going to do automatic driving. Right.

Re:OK, Tesla not qualified to do automatic driving (0)

Anonymous Coward | about 5 months ago | (#46612693)

Sounds easy. What's my username and password?

Re:OK, Tesla not qualified to do automatic driving (2)

pepty (1976012) | about 5 months ago | (#46612697)

That opens the car; stealing the whole car would still require a truck to move it.

Re:OK, Tesla not qualified to do automatic driving (0)

Anonymous Coward | about 5 months ago | (#46613139)

Not necessarily, that's where this bit comes in:

6. Get in car and plug laptop into onboard Ethernet, where car internals are exposed, unencrypted.

All that's required is an exploit attack on the engine computer, or possibly even just knowing the correct packet(s) to send.

How to *actually* steal car: (5, Insightful)

fyngyrz (762201) | about 5 months ago | (#46613035)

1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.

Tools required: One. (may substitute inexpensive gun replica if low budget operation)

Number of attempts required for success: One

Technical knowhow required: Zero.

Additional opportunities inherent in operation: Ransom money, rape subject, opportunistic beatings, petty theft, direct access to bank accounts.

Re:How to *actually* steal car: (1)

rtb61 (674572) | about 5 months ago | (#46613129)

Reality. At the end of the day, what will the insurance company accept as sufficient security so as to replace the vehicle upon claim of theft, nothing more and nothing less. As for the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user, with features not wished by the end user disabled and/or other features set up.

Re:How to *actually* steal car: (3, Informative)

firewrought (36952) | about 5 months ago | (#46613259)

Reality. At the end of the day, what will the insurance company accept as sufficient security...

No, the security only has to be sufficient enough to blame you [wired.com] for the theft.

the balance of easy usability vs number of features vs security implementation, with a modern electric computerised vehicle that might best be left to a consultation between the sales consultant and the end user

The salesman and customer are the least informed for making security tradeoffs, and the complications of having multiple security arrangements across a fleet of supported vehicles isn't worth the extra headache for the manufacturer.

The "balance" of this situation should not lie in the boneheaded territory of elementary security mistakes... if you're going to have a remotely accessible API, hire programmers who understand security and have them design the damn thing to be secure from the ground up. It's not impossible or mystical or some big unknown.

Re:How to *actually* steal car: (1)

Anonymous Coward | about 5 months ago | (#46613145)

Except this'll get the police searching for you within minutes. Unlocking it remotely will probably give you hours before it's noticed, during which you have time to remove/disable the tracker, hide the car and change the plates, maybe even the colour. And with zero risk of setting the alarm off, which is its advantage over just breaking into any car on the street. Plus it lets you target expensive new cars since it even tells you where they are.

Re:How to *actually* steal car: (1)

fyngyrz (762201) | about 5 months ago | (#46613173)

Except this'll get the police searching for you within minutes.

Why would the police search until the driver is reported missing? Which might not happen for days, depending on the driver's social connections, but certainly won't happen for hours, by which time the car has either been disassembled or packed into a shipping container anyway.

Re:How to *actually* steal car: (0)

Anonymous Coward | about 5 months ago | (#46613189)

1: Hold gun, knife or pipewrench in "I'm going to use it" position, threaten owner, drive away with car, possibly with the owner as well.

So what does that prove except that any car can be stolen, from a Honda Civic to a Lamborghini.

Re:How to *actually* steal car: (1)

fyngyrz (762201) | about 5 months ago | (#46617145)

It was relevant to the thread. My point was it's a little ridiculous to worry about these complex electronic paths to stealing a car. Any thug can steal your car with little to no effort; practically speaking, all they need is the desire to do it and the opportunity.

I'll grant you that criminals are generally not the brightest people, but I don't think that predisposes them to do something via a significantly more complex method. The focus is on the wrong thing here.

Re:How to *actually* steal car: (0)

Anonymous Coward | about 5 months ago | (#46613917)

Maybe somebody just wants the car, not a laundry list of felonies to throw them in assrape-land for the rest of their lives.

Re:How to *actually* steal car: (1)

fyngyrz (762201) | about 5 months ago | (#46617117)

Ah, someone who doesn't understand the USA. Steal a car (and particularly a Tesla), you've *already* committed a felony; having done so and gotten caught as you suggest, you're going to jail and then most likely prison, not one, but *two* varieties of "assrape-land" as you put it, and when you get out, you will be unemployable, consequently if you want any of the supposedly "good" things in life, significantly profitable enterprises will be limited to things like, you guessed it: stealing cars, burglary, dealing, mugging, sharking and so on. With very few exceptions, in the USA, one felony turns you into a lifetime criminal. Commit your first felony; virtually guarantee more thereafter. Because, again with extremely rare exceptions, one thing you *won't* ever have again is a decent job, because they all interpose a background check between you and that paycheck. Once a felon, always a felon. It's the American way!

Re:How to *actually* steal car: (0)

Anonymous Coward | about 5 months ago | (#46614893)

Gun probably will work most of the time. Knife and pipe-wrench it might very well depend on the driver's temperament and if the window is up. I know a coworker who had his window down. Someone reached into the car and began punching him. Demanding he get out. Instead he grabbed the guy's arm, held it, put the car in gear, pulled across the street and slammed the guy into a parking meter. Needless to say the attacker's injuries were rather more severe than the bruising my coworker took.

A car is a pretty effective weapon.

Re:How to *actually* steal car: (1)

fyngyrz (762201) | about 5 months ago | (#46617063)

No question, the optimum time is just as they approach the car. Once inside, or in motion, things become much more difficult.

slapping my ballsack (-1)

Anonymous Coward | about 5 months ago | (#46612139)

i like to slap it - one day i should have it stuffed and eagle wings propped up on either side

I have a better idea (0)

Anonymous Coward | about 5 months ago | (#46613089)

Just coat it with dead meat and bring about a golden eagle. Then you can have eagle wings on either side of it, while it looks for your little 1" worm.

Here it comes... (0)

grub (11606) | about 5 months ago | (#46612157)


Big car makers and the oil industry will hammer on these weaknesses to show people how untrustworthy the Tesla is. Hell, they'll probably try to make one rear end an old Corvair just for the lulz.

Re:Here it comes... (0)

Anonymous Coward | about 5 months ago | (#46612283)

breaking news! non-tesla cars vulnerable to several kinds of attacks!

an attacker might break the window with a hammer and steal the contents! more seasoned attackers may even be able to start the car and drive off with it!

Re:Here it comes... (0)

Anonymous Coward | about 5 months ago | (#46612355)

How about putting your money where your mouth is and abandoning all large corporations and anything made with oil... You know, like your computer.
 
Bye bye fucktard bitch.

Re: Here it comes... (1)

loufoque (1400831) | about 5 months ago | (#46613837)

Silicon is not made from oil.

Re: Here it comes... (1)

philip.paradis (2580427) | about 5 months ago | (#46613853)

I believe the GP was referring to the plastic portions of laptops, which are largely synthesized from oil and natural gas, not silicon.

Re: Here it comes... (1)

loufoque (1400831) | about 5 months ago | (#46613865)

Plastic is not computer-specific, and is not required at all for a computer. Some popular laptops are even made of aluminium.

Re: Here it comes... (1)

philip.paradis (2580427) | about 5 months ago | (#46613889)

Please cite a source for any laptop which does not contain plastic.

Re: Here it comes... (1)

philip.paradis (2580427) | about 5 months ago | (#46637373)

and is not required at all for a computer

You must have missed my earlier reply. As the GGP comment contained the excerpt "like your computer", I'm still eagerly awaiting a citation regarding a computer which contains no plastic components, presumably one available for purchase under the implicit assumption that you are in possession of such a machine. I'm looking forward to the opportunity to purchase this wonderful device for my own use, so please don't keep me waiting too long.

How much? (-1)

Anonymous Coward | about 5 months ago | (#46612165)

How much does it cost for a slashvertisement again? Seems Tesla posts one every day

Mod parent up... (0)

Anonymous Coward | about 5 months ago | (#46612191)

...insightful. So tired of the continual Tesla astroturfing here...

Re:Mod parent up... (0)

Anonymous Coward | about 5 months ago | (#46612749)

You would prefer GM astroturfing? At least tesla is technology related. GM sells obsolete junk

It's valid technical news for nerds (0)

Anonymous Coward | about 5 months ago | (#46612417)

Tesla S is a leading edge tech product in the rising EV automotive sector, and this particular article is about the car's security issues involving computer accounts and passwords. That's EXACTLY the kind of topic that constitutes good technical material for nerds.

What do you suggest Slashdot should cover instead?

Re: It's valid technical news for nerds (0)

Anonymous Coward | about 5 months ago | (#46612845)

I think he wants slashdot to post more free porno. He said he's tired of Tesla, so I guess he's into naked cars, or maybe naked dead famous eccentrics.

Re: It's valid technical news for nerds (0)

Anonymous Coward | about 5 months ago | (#46612947)

No tail pipe on the tesla so he can't have sex with it.

not limiting attempts (4, Interesting)

tompaulco (629533) | about 5 months ago | (#46612213)

Not limiting login attempts is not the end of the world, especially if they institute a delay between logins. If you screw up your password, it is going to take at least one second before you make your second attempt anyway, so why not enforce that one second delay on the server side? With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password. By then they will probably have a gen 2 Tesla that requires a 7 digit password.
I've never seen a login delay enforced in the wild, but it pretty much neuters any brute force attack. At least, if they are attacking the server, it does. If they get ahold of the encrypted passwords, then they can brute force it at their whim.

Re:not limiting attempts (0)

Anonymous Coward | about 5 months ago | (#46612329)

>69 years
What if I have 1000 threads trying different passwords? 10,000? 100,000?
And I can use multiple server instances from botnet/cloud services across the world, so you can't just block 1 IP.

Re:not limiting attempts (3, Insightful)

nate_in_ME (1281156) | about 5 months ago | (#46612505)

If the login delay is implemented based on the user ID and not the IP address, it wouldn't matter how many threads/machines you had attacking.

On a completely random note, I think the amount of time to do this attack, even with the current setup, would make it nonrealistic. Someone above listed the steps to break into a Tesla using this vulnerability (how accurate they were, I don't really know - or care for that matter). There's one big factor that is being overlooked, however. With relatively few Tesla cars on the road right now (I don't know the exact numbers at the moment, but compared to all other cars on the road, I think we can agree that "relatively few" is a safe estimate), this particular attack isn't one that could be done with the "normal" way that I imagine stealing a car goes:

"Hey that's a nice car...let's steal it!"

For this attack to work, it would have to be done one of two ways:

1. Break into "random" Tesla accounts until you found one in your area
2. Exploit this attack to steal the car

OR

1. Find a Tesla parked somewhere.
2. Somehow figure out that car's account
3. Break into that account
4. Use exploit to steal car

Basically, the time it takes to break into one Tesla account is irrelevant. The goal is to break into the RIGHT Tesla account, which I imagine, unless you already knew a lot about the owner of a particular car, would take a lot longer than this 69 year number being thrown around for breaking into a single Tesla account by brute force.

Re: not limiting attempts (1)

Anonymous Coward | about 5 months ago | (#46612695)

Break into any account, find position of car, go there, steal car.

brute force attack takes a minute or so (1)

dutchwhizzman (817898) | about 5 months ago | (#46613685)



If you have a botnet, you can have tens of thousands of computers do a log on attempt almost simultaneously. It'd take just a few days at full speed (tesla would notice) and a few weeks at moderate speed to get a significant amount of Tesla car accounts cracked. Once you have that, you can use the account details to find the exact location of those cars. At those numbers, the chance of finding one near you is actually high enough for thieves to be able to drive to one near by so they can unlock it and get it in their trailer. Once they have the car in their possession, they would probably find a way to hack it and give it a new identity or at least make it drivable.

The big limiting factor for this happening is the fact that Tesla is in control of the entire food chain for Tesla parts, maintenance and they have tracking data for every car at every moment in time. Cars that aren't in their system or that are reported stolen will simply not get serviced and their VIN and such will be in a database that will make it extremely hard for people to get those cars insured or get license plates.

The only market for stolen Tesla cars I can think of would be scrap metal and resale of the very expensive battery packs for other use, or countries where they don't really care about maintenance with stolen parts on stolen cars. You'd have to steal a bunch of cars, sell a few and take the rest apart as a parts donor for the stolen cars in order to make that business model work.

This limits the usefulness of hacking into Tesla cars at this moment, but once Teslas are found on every street corner and the thieves/hackers have found ways to fool the computers in the Tesla to believe stolen parts are genuine, you'll see a market for stolen cars and parts emerge and people will swap car identities and parts identities to make the vehicles and parts stolen legit again.

Tesla is learning the hard way themselves and obviously haven't had security people help design their "smart" network and web part. I think it's time they start working on designing version 2.0 for their whole system and do a design with security built in, starting from scratch. With the current user base and their total control of the sales and repair of the cars, they can get away with the current flaws in the system, but that will not last very long.

Re:not limiting attempts (2)

fyngyrz (762201) | about 5 months ago | (#46613045)

What if I have 1000 threads trying different passwords? 10,000? 100,000?

Then, in a well designed system, you'd have 1000, 10000 or 100000 responses that all say "It has not yet been one minute since the last failed login to this account. Your login attempt was not accepted."

Re:not limiting attempts (0)

Anonymous Coward | about 5 months ago | (#46613123)

A couple extra table columns and a little extra logic is all it should take to mitigate that attack:

[NumLoginAttempt](INT), [NextAllowedLogin](DATETIME)

Default NumLoginAttempt to 0, incrementing it each time the user incorrectly guesses the password. When a threshold is met (say 3 incorrect guesses), set NextAllowedLogin to x-number of seconds or minutes in the future and display an appropriate response back to the user. Otherwise, upon successful authentication reset NumLoginAttempt to 0 and NextAllowedLogin to NULL or some past date/time.
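The per-account delay discussed in this part of the thread (the NumLoginAttempt / NextAllowedLogin columns, and the point that the delay is tied to the account rather than the IP), as an added example that is not part of any poster's comment and not Tesla's code. The SQLite schema, the 60-second delay, the PBKDF2 hashing, the sample account and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

THRESHOLD = 3       # failed guesses before a delay applies ("say 3" in the thread)
DELAY_S = 60.0      # assumed delay; the thread suggests anything from 1 s to 1 min
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """In-memory table carrying the two extra columns named in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE accounts (
               username         TEXT PRIMARY KEY,
               salt             BLOB NOT NULL,
               pw_hash          BLOB NOT NULL,
               NumLoginAttempt  INTEGER NOT NULL DEFAULT 0,
               NextAllowedLogin REAL      -- epoch seconds; NULL means no delay
           )"""
    )
    return db


def add_account(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO accounts (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash(password, salt)),
    )


def login(db: sqlite3.Connection, username: str, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'throttled'; `now` is epoch seconds."""
    row = db.execute(
        "SELECT salt, pw_hash, NumLoginAttempt, NextAllowedLogin "
        "FROM accounts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return "denied"
    salt, pw_hash, attempts, next_allowed = row

    # The state lives on the account row, so every client, thread or source
    # address guessing at this account hits the same gate. The password is
    # not even evaluated while the delay is running.
    if next_allowed is not None and now < next_allowed:
        return "throttled"

    if hmac.compare_digest(_hash(password, salt), pw_hash):
        db.execute(
            "UPDATE accounts SET NumLoginAttempt = 0, NextAllowedLogin = NULL "
            "WHERE username = ?",
            (username,),
        )
        return "ok"

    attempts += 1
    next_allowed = now + DELAY_S if attempts >= THRESHOLD else None
    db.execute(
        "UPDATE accounts SET NumLoginAttempt = ?, NextAllowedLogin = ? "
        "WHERE username = ?",
        (attempts, next_allowed, username),
    )
    return "denied"


def evaluated_guesses(clients: int, seconds: int) -> int:
    """Count guesses the server actually checks when `clients` parallel
    guessers each send one wrong password per second for `seconds` seconds."""
    db = open_db()
    add_account(db, "owner", "abc123")  # constructed sample account
    evaluated = 0
    for t in range(seconds):
        for _ in range(clients):
            if login(db, "owner", "wrong!", float(t)) == "denied":
                evaluated += 1
    return evaluated


def exhaustive_search_years(alphabet: int, length: int, seconds_per_guess: float) -> float:
    """Time to try every password at a fixed server-enforced rate."""
    return alphabet ** length * seconds_per_guess / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("1 client, 5 min  :", evaluated_guesses(1, 300), "guesses evaluated")
    print("50 clients, 5 min:", evaluated_guesses(50, 300), "guesses evaluated")
    print("36^6 at 1 guess/s: %.1f years" % exhaustive_search_years(36, 6, 1.0))
```

Requests rejected while throttled do not extend the window, so the account is slowed down but never locked permanently, which is the delay-versus-lockout distinction raised further down the thread.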

Re:not limiting attempts (1)

Anaerin (905998) | about 5 months ago | (#46613577)

Doesn't much matter. 1,000 threads hammering an account that will only accept an attempt every second will take just as long as 10,000 threads, or even 1. It's tied to the account, not the IP.

Re:not limiting attempts (1)

Frosty Piss (770223) | about 5 months ago | (#46612507)

With a 6 digit password composed of numbers and letters, it would take 69 years to guarantee breaking a password...

guarantee. Statistically.

On the other hand, most users don't use random strings for passwords.

Re:not limiting attempts (0)

Anonymous Coward | about 5 months ago | (#46613513)

No, statistically, you get it in half the time. That means it's about 35 years. But yeah, a long time.

Re:not limiting attempts (0)

Anonymous Coward | about 5 months ago | (#46612731)

This sounds good, but it's a way to lock out users from logging into the account. Just have a script that keeps trying to login with the wrong password and the real user cannot login.

Re:not limiting attempts (0)

Anonymous Coward | about 5 months ago | (#46613687)

Locking people out of their account is even worse. Try three random passwords and your CEO neighbour cannot get to his important meeting in time. You could DOS attack people you don't like / people competing with you pretty trivially if they did that. That's why locking accounts is a *bad idea*. A delay is magnitudes better.

I'll pass... (0)

Anonymous Coward | about 5 months ago | (#46612231)

Don't have a need for a vehicle with a password, or connected in any way to the net... Keep it simple stupid. If I want connectivity, I'll add it myself.

Yet another reason not to buy an electric car. (-1)

Anonymous Coward | about 5 months ago | (#46612247)

Add this reason to the long long list of other reasons (there batteries are toxic, they are all powered by coal which is 1000000 times more dirty than gasoline, etc etc).

At this point you just have to be a liberal statist moron to fall for the tesla hype.

Re:Yet another reason not to buy an electric car. (0)

Anonymous Coward | about 5 months ago | (#46612377)

-1Troll - Bad speller

Re:Yet another reason not to buy an electric car. (0)

Anonymous Coward | about 5 months ago | (#46612769)

Wrong on both counts

Option? (3, Interesting)

ArcadeMan (2766669) | about 5 months ago | (#46612275)

Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?

Re:Option? (1)

pepty (1976012) | about 5 months ago | (#46612703)

You can do it by phone and fax.

Re:Option? (0)

Anonymous Coward | about 5 months ago | (#46612711)

Is it even possible to buy a Tesla without all that online, password-protected, cellphone-enabled stuff?

Yes, I'm sure there is, in much the same way you can buy a cell phone completely unlocked and untethered from a manufacturer.

At 4x the cost.

Re:Option? (0)

Anonymous Coward | about 5 months ago | (#46612787)

Next you'll be asking to buy a tesla without all the electronic crap but with a big american V8 with carbs etc. You know a big crap engine that performs worse than any Japanese engine of similar specifications.

Re:Option? (2)

zwede (1478355) | about 5 months ago | (#46614407)

Yes. The remote access to the car has to be turned on by the owner. When the car is delivered it is turned off. Tesla still has remote access even if the user-level access is off, but that would prevent access via the REST API and mobile app.

Fire Soulskill (0)

Anonymous Coward | about 5 months ago | (#46612279)

Oh look, another Tesla article. It must be a day ending in Y

Re:Fire Soulskill (0)

Anonymous Coward | about 5 months ago | (#46613007)

If you can't handle the technology then maybe you should go over to GM's forums, grandpa!

How does this differ from OnStar ? (0)

Anonymous Coward | about 5 months ago | (#46612287)

How exactly is the dishonest support staff bit different from the other automotive remote assist technologies?

With Remote Door Unlock, OnStar can have your door opened quickly.
  Call 1.888.4.ONSTAR (1.888.466.7827).
  Verify your account information.
  A remote signal is sent to your vehicle that usually unlocks the doors.
  It’s available anytime, day or night, with no limits on how often you can call for help.
  Put your OnStar sticker in your window — or program the number into your cell phone — so you’ll have easy access if you need it.

evaluation of insecurity in abused populations (0)

Anonymous Coward | about 5 months ago | (#46612561)

never a better time to consider ourselves in relation to one another & our spiritual connection with our universe, momkind http://www.youtube.com/results?search_query=moms+against+population+abuse&sm=12 too much religion can kill us?

I had issue with this day one when we took deliver (0)

Anonymous Coward | about 5 months ago | (#46613023)

This was a red flag immediately for me when we took delivery of our Model S recently, that all I needed was our Tesla account and password to have full access to location, climate controls, unlock doors. I immediately set a very strong password on the account. I really wish they would make this a two factor config: I log in to the Tesla mobile app, then must authorize the mobile device via the touchscreen in the car. Or perhaps it will allow access if the mobile device has been paired to Bluetooth. Either way, I agree that I'm a bit uneasy about just user/pass access to that kind of data on our car.

Re:I had issue with this day one when we took deli (0)

Anonymous Coward | about 5 months ago | (#46613563)

How exactly is a 6 character (number + letter) password secure in the absence of a delay?

Statistically, by brute forcing, you'll run into the answer at (1/2) * (36^6) / 31,536,000 seconds = about 34.5 years, assuming 1 try per second.

Now, let's say I can use a botnet with 100 bots with an average per connection time of 0.5 seconds. That's (1/2) * (36^6) / (100*2*31,536,000 seconds) = about .17 years (or about 63 days, a little over 2 months).

If I have a botnet with 1000 bots that take 1 second each, that's 6.3 days.

How much would it take to unlock a Tesla in 15 minutes (900 seconds)? If we assume our botnet averages a delay of 1 second, and there aren't any network admins doing their jobs or any automated traffic monitoring, that's 900 seconds = (1/2) * (36^6) / X. X = (1/2) * (36^6) / 900 seconds = about 1,209,324 bots.

If a bot costs $1 to rent for 1 second, it wouldn't be profitable to unlock Teslas in 15 minutes. A Tesla's base price is $59,900, so with 29,950 bots, one could unlock a car of double the value in 10 hours.
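The per-account delay argued for earlier in the thread ("A delay is magnitudes better") and the 36^6 arithmetic in the comment above, as an added example that is not part of the original comments and not Tesla's code. The class name, the 1-second base delay and the 60-second cap are assumptions chosen for illustration.

```python
import time

SECONDS_PER_YEAR = 31_536_000  # same figure the comment above uses


class LoginThrottle:
    """Per-account progressive delay (hypothetical helper). Failures never lock
    the account; they only push back when the next guess will be evaluated."""

    def __init__(self, base_delay=1.0, max_delay=60.0, clock=time.monotonic):
        self.base_delay, self.max_delay, self.clock = base_delay, max_delay, clock
        self._state = {}  # account -> (consecutive failures, next allowed time)

    def delay_after(self, failures):
        """Wait imposed after the n-th consecutive failure: 1, 2, 4 ... capped."""
        if failures <= 0:
            return 0.0
        # Clamp the exponent so a long run of failures cannot overflow a float.
        return min(self.base_delay * 2 ** min(failures - 1, 30), self.max_delay)

    def attempt(self, account, verify):
        """verify: zero-argument callable, True on a correct password.
        Returns 'ok', 'denied' or 'throttled'."""
        now = self.clock()
        failures, next_allowed = self._state.get(account, (0, 0.0))
        if now < next_allowed:
            return "throttled"  # rejected without checking the password at all
        if verify():
            self._state.pop(account, None)  # success resets the counter
            return "ok"
        failures += 1
        self._state[account] = (failures, now + self.delay_after(failures))
        return "denied"


def expected_search_years(alphabet, length, seconds_per_guess):
    """Average time to hit one password: half the keyspace, one guess at a time."""
    return 0.5 * alphabet ** length * seconds_per_guess / SECONDS_PER_YEAR


if __name__ == "__main__":
    # 36^6 keyspace from the comment: 1 guess/s versus one guess per capped delay.
    print(round(expected_search_years(36, 6, 1.0), 1))
    print(round(expected_search_years(36, 6, 60.0), 1))
```

Because the state is keyed by account rather than by source address, adding more clients does not raise the guess rate against one account, and the owner's worst-case wait after someone else's failed guesses is the cap rather than a lockout.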

Re:I had issue with this day one when we took deli (4, Informative)

zwede (1478355) | about 5 months ago | (#46614425)

The article is a bit misleading. The Tesla account requires a MINIMUM of 6 characters for the password. You can use a much longer one. The password also allows special characters. You're not brute-forcing mine this side of the end of the universe. It's a generated password, very long and all kinds of special characters.

Service can unlock (5, Informative)

nsxdavid (254126) | about 5 months ago | (#46613031)

I know service can unlock your car remotely, since I have one (model S) and they did it for me.

The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

Re:Service can unlock (1)

Jeremi (14640) | about 5 months ago | (#46613335)

Given that Tesla, Inc. knows the position of all its cars at all times, what is the benefit of stealing one? If you then drive it for any length of time, the police will track it to your location and arrest you. OTOH, you could try to sell it for parts, but I doubt the Tesla parts market is large enough to do that anonymously; most likely anyone interested in buying said parts would know they were stolen and would report you to the police.

Re:Service can unlock (0)

Anonymous Coward | about 5 months ago | (#46614077)

I do not know how it works over at the pond but over here all those East European car thieves with at least a clue have a GPS blocker (and they are well organised, they usually do have a clue).

They* get in the car, switch the blocker to "on" which simply overrides the GPS frequencies within a small radius and drive all the way to their backyard place in Poland (or wherever), where "someone knowledgeable" disables the GPS locator. The car then is sold on to Russia (or wherever) without a working location. I fail to see how that would not work with a Tesla.

* "They" share the work. One steals, gives the car to the guy who drives it over borders. They also often have a non-stolen car driving ahead of the stolen car(s), checking out police presence on the route, the cars are then passed to people in remote shops, who pass it to other people who organise the further distribution. I strongly doubt any anti-theft-measure is going to stop them, as the most stolen cars in Germany (by %) are BMW, Audi and Porsche. You'd assume those companies are able to put in all technical measures that do exist; in absolute terms it's VW, BMW and Audi, they are not known for creating cheapo cars without any thinking put in how to prevent theft. Tesla is just going to show up in those numbers as well once they start to sell significantly here.

Is it THAT bad? (1)

bussdriver (620565) | about 5 months ago | (#46613433)

How does one steal these cars? Is anybody even trying and succeeding at stealing them yet?

Ok, so you take the quite likely insured car... How do you get away? Drive like mad for... 300 miles then wait for many many hours to recharge? (NO, instant battery swap requires ID, quickcharger stations talk to the computer probably ID the car too, slow charging is probably the only secure way and that takes TIME.) Naturally all this is after you rip out wherever their cell modem's antenna is.

They don't need much service, Tesla does it cheap if you do. The parts are custom to the car and not really usable outside Tesla, so what market is there for parting it out from a chop shop?

The cars are loaded with tracking and IDs that all need to be removed. securely. How would you sell a hot Tesla? Do they even have used Tesla being sold at dealerships? oh, yeah, the dealerships HATE Tesla and are working to ban them state by state. How do you sell it? Some ignorant pawn shop owner?

How about running the battery DEAD remotely and damage the car? Oh, Tesla gets informed and a tech stops by and saves the car for you... which has been reported as happening already (not from a hacker but from it getting too close to dead.)

Re:Is it THAT bad? (0)

Anonymous Coward | about 5 months ago | (#46614419)

No idea about the US but at least here in Europe we'd probably see stolen Teslas getting put in trucks or on (also stolen?) car transports, battery is not going to be any issue at all. Some poor blokes are going to get a few hundred euro for a successful transport and it won't matter if half of them get caught in the process. It all depends on if the Russians create a market for electric cars over there.

How does something like that work over in the US?

Re:Is it THAT bad? (0)

Anonymous Coward | about 5 months ago | (#46625697)

In my state somebody without a title on a car made from junk (to get around the VIN) has to sit on the car unused for many years before being able to get a new title issued for it. So it's not profitable for somebody to steal and keep a whole car -- unless it's some antique car; in which case the VIN is a bigger issue - so then it probably would be parted out. In my state the plates are tied to the car itself and the VIN is needed for the title which in turn is needed for the plates. More and more cops have auto plate scanners that actively scan everything as they drive around.

You can't just put plates on a car and drive around thinking you won't get noticed. Plus every police stop no matter how stupid requires you to show ownership plus insurance.

So Tesla's batteries are likely the only big money maker; the rest of the car is likely pretty useless out there and will stick out bigtime. The batteries after they make their own factory for them will be Tesla brand and then it'll be probably more difficult.

Refined lithium itself will continue to rise in value; especially after they finish up with all the cheap surface mines of the stuff. There is plenty of the metal - it's better than OIL but it's cheap to mine it now; like OIL used to be... but unlike oil, Lithium is an atom and is not destroyed by use. Recycling will become cheaper than mining.

Re:Service can unlock (1)

timeOday (582209) | about 5 months ago | (#46614569)

The interesting thing is Elon made his fortune at PayPal. You think he'd know better.

If only he'd spent more time sitting around absorbing the endless stream of "what could possibly go wrong..." posts on slashdot, instead of building an empire.

Others can do the same (1)

YoungManKlaus (2773165) | about 5 months ago | (#46613565)

Other vendors (at least one German one, though I don't remember which) can remote-unlock your car as well and no one complains.

Watch out for NSA (0)

Anonymous Coward | about 5 months ago | (#46613735)

It is really worrying after the news of NSA hacking into technology systems and leaving back doors not only for access by NSA but hackers. It is bad enough that NSA will be able to track you, listen to conversation in cars but they can now kill you by causing malfunction to seem like an accident. This may not be due to some kind of National Security reason but to harm and destroy Tesla if they are seen as a threat to the big political donors such as car dealer lobby group or to Michigan auto makers as they have done to many auto start-ups. Tesla's rise is because the Detroit mob was weakened by the 2008 financial crisis. The worst is some will do it as a political point as we remember Mitt Romney is geared to destroy Tesla, which definitely will not be around if he became President. This is not some far out idea as there have been many cases in the past and it is still going on.

Questions: (1)

Alain Williams (2972) | about 5 months ago | (#46614037)

* Can the owner switch off the remote control/access to their car ?

* Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

* 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

* It mentions an iPhone app. What if I don't have (or want) an iPhone ?

* What cars made by companies other than Tesla have similar systems ?

Re:Questions: (0)

Anonymous Coward | about 5 months ago | (#46614095)

* Can the owner switch off the remote control/access to their car ?

* Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

Yes

Re:Questions: (3, Informative)

zwede (1478355) | about 5 months ago | (#46614449)

* Can the owner switch off the remote control/access to their car ?

Yes.

* Can the owner switch off the remote control/access to their car by Tesla as well as the owner ?

No.

* 6 character password. Is that the minimum length or the length it must be (Ie can't set a longer one) ?

Minimum. The password can also contain special characters.

* It mentions an iPhone app. What if I don't have (or want) an iPhone ?

There's an official Android app. I think there's an unofficial winphone app too. There's an unofficial Chrome plugin and stand-alone Java app.

* What cars made by companies other than Tesla have similar systems ?

No one has anything as comprehensive. Closest is probably on-star.

The guy describes gives some bad advice (1)

gurps_npc (621217) | about 5 months ago | (#46614733)

He makes some good points, but his suggestions are honestly not that relevant.

His major mistake is not comparing the electronic security to current security.

He complains about static, short complexity passwords, but does not recognize that most of the time longer, more complex passwords decrease security.

Many current car locks can be picked by a guy with a bump key. The electronic security he lists is in fact far more secure than the standard key lock/ignition. More importantly, cars have side windows that can all be easily broken.

Locating and breaking into cars is not and has never been that difficult, and Tesla's methods are not significantly less secure than methods used by other people.

Particularly because the real owner can always tell where the car is.

In fact, I would suggest you remove the lock entirely, and simply put a camera viewing the driver seat.

Someone takes your car, track down the GPS location, check the video on who stole it, and arrest them.

Won't stop joyriding fools, or vandalism, but unless you lock the car up in a manned garage everywhere you go, you can't do that anyway.

Re:The guy describes gives some bad advice (0)

Anonymous Coward | about 5 months ago | (#46616493)

Most current car locks cannot be bumped. Bumping is typically done to a pin-tumbler lock. The effect is the same as the Newton's Cradle toy: the brief shock to the key pins transfers to the driver pins which creates a gap between them, ideally at the shearline, allowing the lock to open. Most cars use sidebar wafer locks. These locks rely on a series of wafers (in planes) placed in parallel to each other. Each one is raised to the correct height by the key, and a notch in the side aligns with a rod running down the length of the plug. The rod then drops into the depression and the plug is freed to turn in the shell. Bumping will not help you with this.

- locksmith

NSA Cars Coming To You (0)

Anonymous Coward | about 5 months ago | (#46616637)

Now they know when you meet your friend to discuss clandestine ways to protest the crimes of the MIC.

Get yourself a cellphone jammer or build one.
