“Given the fantastic future of IoT devices ahead of us, it is the responsibility of the security community and device manufacturers to do our best to enable these devices securely,” said independent security researcher Nitesh Dhanjani, in a blog. “The IoT devices in scope include remotely controllable thermostats, baby monitors, light bulbs, door locks, cars and many more. The impact of security vulnerabilities targeting such devices can be physical in nature in addition to contributing to loss of privacy.”
The Tesla Model S comes with a central control display that not only lets passengers control media, access navigation and turn on the rear view camera, but also lets them adjust the suspension, open the panoramic roof, lock and unlock doors, and adjust the height and braking of the vehicle. This is all done via the touch screen.
Unfortunately, as whiz-bang as all of that is, Dhanjani pointed out some basic security flaws in how the car is accessed. For one, a six-character password is all that is required for the owner’s online Tesla account, and once the car is delivered those same credentials let the owner use the iOS app to control it, including unlocking the doors and checking the car’s location and charge status.
That leaves the car’s physical security resting on a single short password: anyone who obtains it, whether by brute force, malware, a phishing gambit or a password leak elsewhere, can locate the car and unlock it remotely. Worse, anyone with even temporary access to the owner’s email can reset the account password, with no secret questions or other additional verification required.
“The Tesla website doesn’t seem to have any particular account lockout policy per incorrect login attempts,” explained Dhanjani. “This puts owners at risk since a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality.”
In addition to these issues, it is widely known among Tesla owners that the company’s customer service has the ability to unlock cars remotely.
“It is unclear what consistent requirements owners have to go through to verify their identity. Without clear requirements, it is possible that a malicious entity may be successful in social engineering Tesla customer service to unlock someone else’s car,” warned Dhanjani. “It is also unclear what background checks Tesla employees are subject to prior to being given the power to unlock any Tesla car.”
Meanwhile, third-party developers have already started to leverage the Tesla REST API to build applications. The Tesla for Glass application, for instance, lets users monitor and control their Teslas using Google Glass. The app requires Google Glass owners to authorize and add it, after which the user is redirected to a login page where they hand their Tesla account credentials to the third party. That leaves owners trusting the developer with the password that controls the car, and a login page of this kind is also a natural target for spoofing and man-in-the-middle attacks.
“Elon Musk has confirmed that Tesla has plans to eventually release an SDK for 3rd party developers,” Dhanjani said. “It is likely that the Tesla sponsored solution includes an SDK, access to a remote API, local sandbox, OAuth-like authorization functionality, and a vetting process that draws inspiration from the Apple App Store. In the meanwhile, Tesla owners are strongly encouraged not to use third party applications.”
On a somewhat positive note, the researcher noted that the Tesla website incorporates an anti-CSRF token, which prevents a malicious website from silently submitting account-changing requests on a logged-in owner’s behalf.
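As an added illustration of the synchronizer-token check the page credits Tesla’s site with (example code written for this article, not Tesla’s implementation), the hypothetical handler below guards a password-change form. The browser will happily attach the owner’s session cookie to a form posted from an attacker’s page, but the attacker’s page cannot read the per-session token embedded in the legitimate form, so the forged request arrives without it and is rejected.

```python
import hmac
import secrets


class Session:
    """Hypothetical server-side session: one unguessable CSRF token per session."""

    def __init__(self, user: str):
        self.user = user
        self.password = None
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session: Session) -> dict:
    """What the legitimate page embeds as a hidden field; only same-origin code can read it."""
    return {"action": "/account/password", "csrf_token": session.csrf_token}


def handle_password_change(session: Session, submitted_token, new_password: str,
                           csrf_check: bool = True) -> str:
    """Server-side handler. `csrf_check=False` models a site without the token."""
    if csrf_check:
        if submitted_token is None or not hmac.compare_digest(
            submitted_token, session.csrf_token
        ):
            return "rejected: missing or invalid csrf token"
    session.password = new_password
    return "changed"


def legitimate_change(session: Session, new_password: str) -> str:
    """Owner loads the form, then submits it with the token the page contained."""
    form = render_form(session)
    return handle_password_change(session, form["csrf_token"], new_password)


def cross_site_attack(victim: Session, csrf_check: bool = True) -> str:
    """Forged POST from a malicious site: cookies ride along, the token does not.
    A random guess is modelled as well; it never matches a 32-byte token."""
    guess = secrets.token_urlsafe(32)
    first = handle_password_change(victim, None, "attacker-chosen", csrf_check)
    if first == "changed":
        return first
    return handle_password_change(victim, guess, "attacker-chosen", csrf_check)


if __name__ == "__main__":
    owner = Session("owner@example.com")
    print(legitimate_change(owner, "new-owner-password"))
    print(cross_site_attack(owner))
    print(cross_site_attack(Session("victim@example.com"), csrf_check=False))
```

The comparison uses `hmac.compare_digest` so a wrong token cannot be distinguished from a nearly-right one by timing. Note what the token does not protect against: it does nothing for the weak-password, missing-lockout and email-reset problems described earlier, because in those cases the attacker is logging in as the owner rather than riding on the owner’s browser.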
“The Tesla Model S is a great car and a fantastic product of innovation,” Dhanjani said. “Owners of Tesla as well as other cars are increasingly relying on information security to protect the physical safety of their loved ones and their belongings. Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level.”
Dhanjani explained that he has reached out to Tesla to open a dialogue on the potential issues. In the meantime, owners can use common sense: choose a strong password, avoid non-native apps that ask for Tesla credentials, and treat unexpected emails and other common social engineering lures with suspicion.