Security slip lets crims locate, unlock Tesla model S roadster

Web app for $200,000 car lacks second factor authentication.

Criminals have a new vector of attack to steal the $200,000 Tesla model S car thanks to security risks that permit unlimited log in attempts of online control panels and effective phishing of passwords.

Among the security risks identified is the ability for hackers to continuously enter passwords without restriction into the car's web login panel which allows a model S to be remotely located and unlocked.

Security across network-capable cars such as the model S was consistently found to be slack, and if it did not improve, botnets may in the future target vehicles, possibly tracking and attacking fleets, the researcher who found the flaws hypothesised.

Hackers could brute-force the passwords for the model S login page -- in which scores of combinations were entered against a given username without interruption -- because Tesla did not employ any second-factor authentication such as tokens or apps such as the Google Authenticator. 

This was perhaps the most risky vector of attack because it meant drivers and Tesla staff, who could unlock customer cars, could be targeted in cunning spear phishing attacks aiming to steal passwords.

If usernames and passwords were lost, there would be no security mechanism preventing attackers from logging in and potentially stealing cars.

"Users have a tendency to re-use their credentials on other services as well," researcher Nitesh Dhanjani (@nitesh_dhanjani) said.

"This creates a situation where an attacker that has compromised a major website can attempt to try the same password credentials on Tesla website and iPhone app."

This process could be easily automated to target multiple cars.
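The missing control the article describes, a cap on failed logins, is sketched below as an added example (not code from Tesla, the researcher or this publication). It limits failures per username and the number of distinct accounts one source may fail against; the class name, thresholds, usernames and IP addresses are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limit on failed logins, per username and per source IP."""

    def __init__(self, max_fails_per_user=5, max_users_per_ip=3, window=900):
        self.max_fails_per_user = max_fails_per_user  # assumed threshold
        self.max_users_per_ip = max_users_per_ip      # assumed threshold
        self.window = window                          # seconds
        self.by_user = defaultdict(deque)             # user -> (ts, ip) failures
        self.by_ip = defaultdict(deque)               # ip -> (ts, user) failures

    def _recent(self, q, now):
        while q and now - q[0][0] >= self.window:     # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, user, ip, now):
        """Call before checking the password; False means reject or step up."""
        fails = len(self._recent(self.by_user[user], now))
        targets = {u for _, u in self._recent(self.by_ip[ip], now)} | {user}
        return fails < self.max_fails_per_user and len(targets) <= self.max_users_per_ip

    def record_failure(self, user, ip, now):
        self.by_user[user].append((now, ip))
        self.by_ip[ip].append((now, user))

def replay(events, throttle):
    """events: (ts, user, ip, password_ok) tuples in time order."""
    decisions = []
    for ts, user, ip, ok in events:
        if not throttle.allowed(user, ip, ts):
            decisions.append("blocked")               # password is never evaluated
        elif ok:
            decisions.append("ok")
        else:
            throttle.record_failure(user, ip, ts)
            decisions.append("fail")
    return decisions

# Constructed sample traffic (documentation IP ranges, made-up usernames).
GUESSING = [(t, "alice", "203.0.113.5", t == 7) for t in range(8)]
STUFFING = [(100 + i, u, "198.51.100.9", u == "erin")
            for i, u in enumerate(["bob", "carol", "dave", "erin"])]
OWNER = [(1000, "alice", "192.0.2.10", True)]

if __name__ == "__main__":
    print(replay(GUESSING + STUFFING + OWNER, LoginThrottle()))
```

A "blocked" decision is a natural place to demand a second factor instead of a hard lockout, since a per-username cap on its own lets an attacker keep the owner locked out.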

Tesla was discreetly contacted by the researcher but has not commented.

Dhanjani also found three IP-enabled devices in his Tesla model S, which may have been the car's dashboard and console, with risky exposed network services including SSH and HTTP.

Much work has been done in examining the security architectures of cars. The most famous was the many months research duo Charlie Miller and Chris Valasek spent tearing apart and hacking a Toyota Prius and Ford Escape to control their brakes and other functions.

The two were icons in a burgeoning scene of academics and security boffins who along with a thriving but fragmented assortment of rev-head hobbyist geeks are battering the digital fabric powering modern-day cars.

A lot of hacking was focused on Controller Area Networks (CANs) embedded into many cars in use today. This allowed alarms, speedos, brakes and door locks to be altered, but provided for legitimate uses including modifying fuel injection and monitoring precise performance.

Source: Copyright © PC & Tech Authority. All rights reserved.
