Hackers can unlock a high-tech Tesla car door by using the same run-of-the-mill techniques they use to crack open computers.
That’s according to security researcher Nitesh Dhanjani, who spoke about his findings at a recent hacker conference in Singapore. All it takes is cracking a six-character password, considered low-hanging fruit in the cyber security world.
And if it can happen to a Tesla, other cars may also be susceptible. After all, many modern cars made by others like Ford and Toyota can also be controlled via computer and mobile phone apps and come equipped with wireless connections that tap into Wi-Fi, Bluetooth or cell phone networks.
“We now have ways of accessing our cars we never did before, and consumers aren’t quite aware of that. Hackers will try to take advantage of that lack of awareness,” said Erik Cabetas, managing partner at the consulting firm Include Security.
Dhanjani said today’s cars should be held to a higher security standard than the average laptop. Not only are they more expensive, but losing control of a car can put lives in danger.
“We can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home,” Dhanjani, who advises companies on computer security, said in a blog post. “The implications to physical security and privacy in this context have raised stakes to the next level.”
Dhanjani was especially worried about Teslas.
Tesla owners must create a password-protected online account, which lets them use a smartphone app to access car locks, locate a car, and also see how much its batteries are charged. A single password gives complete access to an account, which is a problem, according to Dhanjani.
He also found that Tesla’s website didn’t lock users out even if someone typed several incorrect passwords. That opens up the site to what’s known as “brute-force attacks,” where a computer tries thousands of passwords per second until it breaks in. On Monday afternoon, Tesla updated its requirements, locking out users after five incorrect attempts, Dhanjani said. Tesla did not immediately respond to a request for comment.
Dhanjani learned about this firsthand when he bought his own Tesla Model S P85+ three weeks ago. He noticed the single password requirements, and decided to test the system by submitting a wrong password 150 times straight. It never locked him out, nor did it ask for the jumbled letters that keep automated hacker attacks at bay.
Despite the findings, Dhanjani said he isn’t uneasy about his own car and can’t wait to get back from vacation to drive the Model S parked at home in Bellevue, Wa.
However, he’s concerned about the security of a Tesla, especially if it were to be the security standard for electric cars.
“The time is right now for Tesla to fix this,” Dhanjani said. “As other car manufacturers draw inspiration from Tesla’s design and architecture, there will be more people to compromise and launch attacks against.”