Whilst praising the Tesla Model S for its innovation, Nitesh Dhanjani said the car manufacturer’s website did not appear to have any particular account lockout policy when large numbers of login attempts were made.
A brute force attempt on the login pages could therefore open up user accounts, he said. Similar tactics could be used to gain access to the iPhone app, which allows the user to unlock the car, determine its location and view its charge status.
“Tesla should address the issue of using static passwords with low complexity requirements,” Dhanjani said in a blog post.
“Tesla owners should be aware of risks based on the current situation and take precautions.” Those precautions should include stronger passwords, added Dhanjani, who had presented his findings at BlackHat Asia.
He also warned of the potential for malicious third-party applications to connect to the Tesla application programming interface (API). It appeared, looking at the Google Glass app for Tesla, that those apps connecting to the API would handle logins for users, indicating usernames and passwords would be shared with the third-party software.
“Until Tesla announces an SDK and methods they are going to outline to sandbox applications, users should refrain from using third party applications,” he added.
“Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level.”
Tesla had not responded to a request for comment at the time of publication.
The car company has a responsible vulnerability disclosure programme and has hired various big name security professionals to ensure its cars are safe. That included the “hacker princess” of Apple, Kristin Paget.
Are you a security pro? Try our quiz!