Slashdot: News for Nerds


Security Evaluation of the Tesla Model S

Anonymous Coward writes | about 4 months ago

An anonymous reader writes "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S as well as its shortcomings in his paper titled "Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations".

According to a report by Reuters [ http://www.reuters.com/article... ], Dhanjani said that users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account.

The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions. The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account.

An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts.

Attackers could try to gain access to the password from the user's computer via password-stealing viruses, or gain access to other accounts that might use the same password.

"It's a big issue where a $100,000 car should be relying on a six-character static password," he said.

Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission.

In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by 3rd parties without Tesla's permission causing Tesla owners' credentials to be sent to the 3rd parties who could misuse this to locate and unlock cars."
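The summary above says the login site does not restrict the number of incorrect attempts. The control that is missing can be sketched as follows; this is an added example, not code from Dhanjani's paper or from Tesla, and `LoginThrottle`, `make_record`, the thresholds and the PBKDF2 work factor are all assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def make_record(password, salt=None):
    """Return (salt, digest) for storage; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

DUMMY = make_record("constructed-dummy-value")  # verified against for unknown accounts

class LoginThrottle:
    """Hypothetical per-account limiter: a few free failures, then doubling lockouts."""

    def __init__(self, free_attempts=5, base_lock=30.0, max_lock=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.clock = clock
        self.state = {}  # account -> (consecutive failures, locked-until time)

    def login(self, store, account, password):
        """Return 'ok', 'denied' or 'locked'; store maps account -> (salt, digest)."""
        now = self.clock()
        fails, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            # Refuse before verifying, so a locked account gives no guess feedback.
            return "locked"
        # Unknown accounts do the same hashing work as known ones.
        salt, digest = store.get(account, DUMMY)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if hmac.compare_digest(candidate, digest) and account in store:
            self.state.pop(account, None)  # success clears the failure history
            return "ok"
        fails += 1
        over = fails - self.free_attempts
        # Lockout starts at base_lock on the last free failure and doubles after that.
        lock = min(self.base_lock * 2 ** over, self.max_lock) if over >= 0 else 0.0
        self.state[account] = (fails, now + lock)
        return "denied"
```

A per-account lockout on its own lets anyone keep the owner locked out, so in practice it is paired with per-source limits and a second factor rather than used alone.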


1 comment

Can we WHAT (0)

Anonymous Coward | about 4 months ago | (#46610693)

"We Can't Protect Our Cars Like We Protect Our Workstations...."

Sure we can or can't. We can do whatever we want!

Sadly the whole issue is that we need to protect all the above
better. The interesting thing is that phones are becoming
the de facto key for almost anything. If a person's phone is
hacked his pacemaker is under some anonymous remote
control and the keys to his car are the least of our worries.
