Access any Tesla S with only a 6 character password over the net

I don’t find this worrisome, since if someone wants access to a Tesla S, they’d find a way to break in. But I do find it interesting.

Tesla Motors Inc’s electric vehicles can be located and unlocked by criminals remotely simply by cracking a six-character password using traditional hacking techniques, according to newly released research.

It’s not like someone could take the car without the fob or stop the car while you are driving it. Both of those things would obviously be real issues for the owner.

Users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user’s online Tesla account.

The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions. The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account, Dhanjani said.

An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts.

This wouldn’t stop me from buying a Tesla, but I do hope they give this problem some thought.



  • SockRolid

    Maybe the Apple / Tesla meeting started like this: “We’ll talk about the joint U.S.-based battery production deal later. But first, tell us about TouchID and how we can use it to make our cars more secure…”

  • gglockner

    This story is overblown. You need both the username (email address) and the password. The solution: don’t use a 6 character password. Generate a longer, random password and store it in a password database. That said, Tesla does need to add a second level of authentication on their (not officially documented) API.