Cars and hacking, at least the digital kind, aren’t two things you usually associate with each other, but the rise of smart cars might make that a source of headaches and nightmares in the near future. And the Tesla Model S, being one of the first of that generation, might also become one of the first poster boys for that inevitable problem.
The issue was raised by security consultant Nitesh Dhanjani, himself a Model S owner, at the Black Hat Asia security conference in Singapore. He explained how simple brute force techniques, the very same ones used to hack into normal Internet accounts, can be used to gain access to an owner’s six-digit passcode to unlock the Model S’ doors.
Currently, Tesla requires buyers to set up an account and a six-digit passcode to secure that account. This combination is used to unlock a free mobile app which, in turn, can be used to remotely monitor and control the Model S, including the locking and unlocking of doors. Fortunately, the mobile app cannot be used to drive the car, so thieves will have to settle for pilfering what’s inside.
But Tesla might have a bigger problem. The same passcode is also used to access a user’s profile and other information. And Tesla’s own website does not restrict the number of failed login attempts. In short, Tesla doesn’t exercise sufficient security measures on either the car or its web interface to keep its users and their cars safe.
That said, this isn’t exactly big news. At least not yet. Theft of cars, and of anything inside them, has been going on for decades, no matter the security measures. Smart cars only present added complexity and opportunity. Fortunately, miscreants haven’t reached that level of sophistication and are more likely to break through the windows than try to hack their way into a car. The good news is that there is still time for Tesla to get its act together and ensure that its $100,000 car will not remain beholden to six numbers alone.
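The gap described above, a six-digit passcode with no limit on failed logins, is usually closed with per-account throttling and a growing lockout. The sketch below is an added example, not Tesla's code or part of the original article; the thresholds and the names `LoginThrottle`, `lock_seconds` and `min_seconds_to_exhaust` are assumptions chosen for illustration.

```python
import hmac
import time

FREE_ATTEMPTS = 5        # assumed policy: the lockout starts at this many failures
BASE_LOCK_SECONDS = 30   # assumed length of the first lockout
MAX_LOCK_SECONDS = 3600  # assumed cap on any single lockout


def lock_seconds(failures):
    """Lockout imposed after the given number of consecutive failures."""
    if failures < FREE_ATTEMPTS:
        return 0
    return min(BASE_LOCK_SECONDS * 2 ** (failures - FREE_ATTEMPTS), MAX_LOCK_SECONDS)


class LoginThrottle:
    """Tracks consecutive failed logins per account and enforces lockouts."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # account -> (consecutive failures, locked-until time)

    def attempt(self, account, supplied, expected):
        failures, locked_until = self.state.get(account, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return "locked"  # rejected without checking the passcode at all
        # Constant-time comparison so response timing leaks nothing
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self.state.pop(account, None)  # success resets the counter
            return "ok"
        failures += 1
        self.state[account] = (failures, now + lock_seconds(failures))
        return "denied"


def min_seconds_to_exhaust(keyspace):
    """Lower bound on the time needed to submit every guess for one account."""
    # A wait follows each failure except the last guess in the keyspace.
    return sum(lock_seconds(n) for n in range(1, keyspace))
```

Under these assumed thresholds, working through all 1,000,000 six-digit values against one account takes over a century of enforced waiting. A per-account lockout can also be triggered deliberately to shut out the legitimate owner, so deployments commonly pair it with per-source limits and owner notification.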