Tesla’s Hackable Backdoor

Here’s a thought experiment for you: you have to face off against six opponents in rock-paper-scissors. You have to beat them all in a row and on the first try. Fail, and you start over again. Succeed, and you win a fabulous slice of pizza. You have an infinite number of tries. Would you be able to do it? Would you be able to enjoy a fresh slice of pizza?

The answer, of course, is “yes.” But there are two reasons why: the first is that it’s a mathematical certainty that you’ll eventually happen upon the right combination of rocks, papers and scissors to defeat all of your opponents in a row; the second, and more likely, answer is that you’ll study your opponents’ rock-paper-scissors habits and take advantage of that knowledge.

That exact thought experiment is essentially what failed to protect the Tesla Model S, a luxury all-electric car, from hackers, according to Nitesh Dhanjani, a corporate security consultant. Dhanjani presented his findings at Black Hat Asia, a security industry event, stating that hackers could easily bypass Tesla security and remotely locate and unlock—though not turn on—the Tesla Model S.

The hack is a result of the Tesla experience: Tesla requires new owners to set up an account on teslamotors.com after purchasing a car. This account is linked to an iOS app allowing you to unlock and locate your new car, among other things. The account, however, is only protected by a bare-bones password requirement: six characters with at least one number and one letter and, oh, you have unlimited attempts to enter the password correctly.

That lack of an account lockout policy, which deactivates (or locks) an account after enough failed log-in attempts, made the Model S susceptible to brute-force attacks by hackers. A brute-force attack is a simple concept: guess an account password until you get it right. Making those guesses manually takes a long time, but hackers have a workaround.

Hackers use what’s known as a “dictionary attack,” which is similar to a brute-force attack save for one detail: instead of starting with the letter “A” and working through every possible combination of characters until a correct guess is entered, a dictionary attack starts with the most common passwords, like “123456” and “password,” and then tries the most common variations of them until a correct guess is entered. Sadly, this is a shockingly effective way to bypass password challenges.

Thankfully, Tesla was quick on a fix: After Dhanjani came forward with his findings, the electric car company set a limit on the number of password guesses allowed before an account is deactivated, and they’ve changed the password requirement from six characters to eight. The underlying lesson here isn’t that Model S cars are inherently insecure (the car can only be located and unlocked using this method, not stolen), but that the underlying security standards protecting these Internet-connected devices need to be rethought.
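To make the two fixes concrete, here is an added example (not Tesla’s code or anything from Dhanjani’s talk) of a minimal account service that enforces a minimum password length and locks an account after repeated failures; the limit of five failures and the 15-minute lockout are assumed values, since the article gives no numbers.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # constructed value; the article does not give Tesla's limit
LOCKOUT_SECONDS = 15 * 60    # constructed value

def meets_policy(password, min_length=8):
    """Min length plus one letter and one digit; 6 was Tesla's old minimum, 8 the new one."""
    return (len(password) >= min_length
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

def hash_password(password, salt):
    # Salted, deliberately slow hash so a leaked database is costly to guess against.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0

class AuthService:
    def __init__(self, lockout_enabled=True, min_length=8):
        self.lockout_enabled = lockout_enabled  # False reproduces the pre-fix state
        self.min_length = min_length
        self.accounts = {}

    def register(self, username, password):
        if not meets_policy(password, self.min_length):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username, password, now):
        """Return 'ok', 'locked' or 'denied'; `now` is the caller's clock in seconds."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a wrong password, so usernames are not leaked
        if self.lockout_enabled and now < acct.locked_until:
            return "locked"  # even the right password is refused while locked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if self.lockout_enabled and acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts, acct.locked_until = 0, now + LOCKOUT_SECONDS
        return "denied"
```

With `lockout_enabled=False` and `min_length=6` the service behaves like the account Dhanjani described: wrong guesses are never penalised, so only the password itself stands between a guesser and the car.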

As more traditionally manufactured products—like cars, televisions and thermostats—become connected to the Internet, they become more likely to be hacked or otherwise taken advantage of. Car owners of the past had to worry about slim-jims (thin pieces of metal used to unlock a car from the outside) and crowbars being used to steal their cars. Future car owners will have to worry about data breaches, factory-set passwords and brute-force attacks. Simple passwords—such as those discussed above—will not cut it in today’s security environment.

So how can you successfully protect the Internet of Things (IoT) devices in today’s Internet-connected world? Here are a few tips you can use to keep yourself and your devices—no matter how big or small—safe:

  • Set unique passwords with at least eight characters. You should have a unique, eight-character password that uses a combination of upper and lower case letters, numbers, and symbols for every website and service you use that requires a login. The same goes for apps on your smartphones and other mobile devices. McAfee SafeKey, the password manager that comes with McAfee LiveSafe™ service, will help create strong passwords for you, as well as sync and secure these passwords across your devices—remembering all your login details so that you don’t have to.
  • If possible, use two-factor authentication. Like I said earlier: security standards for Internet-connected devices, like the Tesla Model S, need to be rethought. The security industry is working on answers to this problem—one of which is two-factor authentication, a security standard that requires a user to have something they know, like a password, and something they possess, like a phone. Techniques like two-factor authentication can verify that a user is in fact who they say they are by challenging them to enter a code sent to their phone. Yes, it’s an extra step, but you’ll be more secure because of it.
  • Keep your computers, smartphones and tablets locked down with comprehensive security software. Threats come from all directions. Security has to too. With McAfee LiveSafe, you’re provided with the most comprehensive security services, working 24/7 to protect your data and devices (including PCs, Macs, smartphones, and tablets) from dangerous websites and malware.

And, of course, you can stay on top of the latest consumer and mobile security threats by following @McAfeeConsumer on Twitter and Liking us on Facebook.

Gary Davis
