Researcher lights fire under Tesla security
Researcher lights fire under Tesla security: A security researcher is calling on Tesla to introduce two-factor authentication for access to the combination of services that make its Tesla S model one of the most “Internet of Things” vehicles in the world today.
As noted by Threatpost, researcher Nitesh Dhanjani has found that the combination of a mere six-character password used by Tesla S owners to register with the site, plus poor access control and re-use of the password on the iPhone app represent a serious security issue.
As Dhanjani posts, Tesla doesn’t limit the number of login attempts a user can make. This makes the six-character password trivial to brute-force, he writes: “a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality”.
Should an attacker gain access to a user’s credentials, he writes, the Tesla REST API then lets the attacker locate the vehicle, since once logged in, the session token can be used to submit a GET request to obtain vehicle ID, followed by a second request to that ID to retrieve latitude and longitude from the car.
“Once the phisher has obtained the location of the vehicles mapped to the compromised accounts he or she can unlock a particular vehicle or a set of vehicles (buy invoking the following in a loop): GET request to /vehicles/{id}/command/door_unlock,” Dhanjani writes.
This could be deployed by Botnet herders to launch mass attacks, he continues, concluding that “we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks”.