
When Cars Attack! Tesla password policy enables unauthorized user access

Apr 1, 2014 // Andrew Stroup

Doors locking and unlocking, sunroofs opening, and horns honking uncontrollably may sound like a bad dream, but for Tesla drivers this could be a new reality. When someone buys a Tesla, they are prompted to create a user account on the company’s website so they can lock and unlock their car, locate it, open the roof, and sound an alarm from their iPhones. While this feature is really cool, here’s the rub: the site doesn’t require passwords to be longer than six digits, and it allows unlimited login attempts. Essentially, this means that any hacker can crack your code by brute force, trying again and again until they get it right.
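As an added example (not from the original post and not Tesla's code), here is a per-account login throttle that addresses the unlimited-attempts flaw described above, with a small simulation counting how many wrong guesses actually reach password verification. The class name, thresholds and delays are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account failed-login throttle with exponential backoff.
    All policy values below are assumed, not taken from any vendor."""
    free_attempts: int = 5      # failures allowed before the first lockout
    base_delay: float = 30.0    # first lockout, in seconds
    max_delay: float = 3600.0   # lockout cap, in seconds
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def retry_after(self, account: str, now: float) -> float:
        """Seconds the caller must still wait; 0.0 means the attempt may be checked."""
        return max(0.0, self._locked_until.get(account, 0.0) - now)

    def record_failure(self, account: str, now: float) -> None:
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.free_attempts:
            # Lockout doubles with every further failure, up to the cap.
            delay = min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts))
            self._locked_until[account] = now + delay

    def record_success(self, account: str) -> None:
        # A correct login clears the failure history for that account.
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def password_checks_reached(throttle, account, duration, interval=1.0):
    """Count wrong-password submissions that reach verification when one
    arrives every `interval` seconds for `duration` seconds (constructed load)."""
    reached, t = 0, 0.0
    while t < duration:
        if throttle is None or throttle.retry_after(account, t) == 0.0:
            reached += 1
            if throttle is not None:
                throttle.record_failure(account, t)
        t += interval
    return reached


if __name__ == "__main__":
    day = 86400
    print("no throttle:", password_checks_reached(None, "owner@example.com", day))
    print("throttled:  ", password_checks_reached(LoginThrottle(), "owner@example.com", day))
```

Keying the counter on the account rather than the source address keeps the bound in place even when guesses arrive from many addresses; the trade-off is that a third party can lock the owner out, which is why the lockout here is time-limited rather than permanent.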

Security expert Nitesh Dhanjani, who first pointed out these flaws, goes on to say that these aren’t the only vulnerabilities Tesla drivers face. They’re also susceptible to email phishing messages, malware attacks, and a loss of access if their email account gets compromised.

The Tesla is a highly innovative product that has revolutionized the way we view cars and energy consumption, but Dhanjani points out that “Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks.” We agree. Although Tesla hasn’t yet released any plans to update their security policies, we hope they will soon.