Weaknesses in the way the Tesla's high-end Model S electric sedan communicates with drivers could leave it open to hacks that allow a remote hacker to unlock its doors and continuously track its location, a security researcher said.
The most serious vulnerability stems from Tesla's minimum password requirement, which is just six characters with at least one number and one letter, according to a recently published evaluation from independent security researcher Nitesh Dhanjani. Combined with no clear account lockout policy limiting incorrect login attempts, the requirement makes passwords susceptible to brute-force attacks, which cycle through all possible combinations until the proper one is guessed. Armed with a valid password, an attacker could use an iOS app to check the car's location and charge status and unlock its doors. Update: On Tuesday, four days after the evaluation was published, Tesla changed the password requirements to 8 characters with at least one number and one letter. The manufacturer also added a lockout following five unsuccessful login attempts, after which users must reset the password.
Dhanjani has previously uncovered weaknesses in Internet-connected LED lights, networked baby monitors, and other "Internet-of-things" devices, and he pointed out that a large percentage of people use identical or very similar passwords for multiple services. That means that even if Tesla improves its password policy, Model S passwords could still be vulnerable if they're included in a hacked database retrieved from an unrelated website. Password reuse is by no means a threat that's unique to Model S owners, but given the ability of a single password to track and unlock cars, the threat could be particularly more severe.