Some security problems are outlined here; http://www.dhanjani.com/blog/2014/03/curosry-evaluation-of-the-tesla-mod...
Not to hard for Tesla to fix. But it should be done soon.
Not too worried
The article was misleading and provocative. Nobody can steal your car. At worst they can access information in the car, big whoop. They can flash the lights and change charging setup (that could be trouble), but you'd easily see and correct that.
The likelihood there will be a problem is small, though a longer password or a call back algorithm (longer connect time here) would be better. IMO.
...how about changing your password to something longer and more complicated..6 characters, really???
@JPPTM, that was my takeaway as well. The article makes it out that everyone has a six character password.
Not me!! (think 19 chars or larger) and I change mine more than monthly.
The article was wasted bytes unless it helps to educate folks to use a password vault, random password generation and to understand that, yes, you need to change your passwords.
Brian H, are u suggesting that a really long password that start with something easy for human to remember and end with something hard for human to guess will help fend off both machines and other humans?
A pass phrase is the way to go as Brian H points out.
Harder for machines to crack simply because it is longer but easier for humans to remember.
But also Tesla does need to fix the web site. Allowing guesses from the same IP over and over is an easy way to crack easy passwords that people might use.
I don't want anyone opening my car and stealing stuff out of it.
Tesla is itself provocative and it is no surprise that innovation generates provocative discussions. Open lively debate is healthy.
The article is educational and does point out potential vulnerabilities as most Tesla owners take a big technical plunge with a touch screen controlled car.
Although personally not technically geeky, the password, direct and remote access, and third party app issues would appear to be something that Tesla and their owners can easily address with education and updates.
Looking forward to many more provocative questions.
While I have never used this procedure, the best idea I have seen is to take the first letter of each word of a lengthy enough easy to remember phrase or book title or movie (e.g. Harry Potter and the Prisoner of Azkaban would be hpatpoa).
Most of those are common to all websites and people who not able to recognize any type of phishing or malware, in short the same folks who believe that their PC has been locked by the FBI and requires a $200 payment via a green dot card to unlock.
You need an email address and a password to login to the car.
Using your email address as your displayed username on the forum gives a hacker half of the info they need. In addition, it gets you on spam lists.
Since email addresses can be found from so many other sources. I have considered changing my Tesla email to a unique address that I never use elsewhere.
I should clarify - the remote apps require the email address.
The website will take email address or username.
It is about time users (not just the company) start to first worry, and as result, begin to care about security. Better before than after it becomes
painfully obvious that it is and will be a serious issue at some point.
Thinking that hiring one person somehow magically means safety is naive. Much like posting private info online and not realizing that affluent consumers, posting lots of preferences online, is something that doesn't attract social engineering and exploit professionals.
Don't whine if someone posts about an issue. Pay attention and be proactive. Protect the car as best you can, while expecting same from Tesla.
Is Tesla's security any worse than OnStar's? I have never had OnStar so I am unfamiliar with their security and capabilities.
Its a reasonable article and the conclusions are fair--the attack vectors he pointed out are legit and there are things that Tesla owners should be aware off such as having strong passwords and being cautious about sharing credentials with 3rd parties.
I think the biggest issue right now is the unsecured ethernet port--that is kinda sloppy.
That being said, I have faith in Kristin setting them right.
I never turn on remote access. I assume I have nothing to worry about. I don't have the app because I have no real use for it.
I don't have a need to preheat, flash the lights or honk the horn. I really don't want my spouse watch me drive around aimlessly.
I turned on the remote access on one time when I dropped it off at a detail shop. That's it. Only my spouse has the app and he just uses it as a toy and watched it while it sat there at the detail shop.
I have no interest at all in any apps that may come along later that are not under Tesla's complete control either. That seems like a big risk for abuses.
We did try to use the app for keeping the AC on in the car for the dog but we learned that the AC times out when you use the app. Instead, we just turn on the AC manually when we leave the car and it will stay on until we get back.
How do you get the AC to stay on when you leave the car? This would be invaluable to me in my business, but only know how to do that using the app. It's kind of clunky this way.
I put the car in Neutral and set the emergency brake on the touch screen. You will want to turn off your automatic headlights and your automatic wipers or you might find them on when you come back to your car after dark or if it started to rain.
After the emergency brake is set, I get out and lock the car with the fob.
I haven't needed to do it for a couple months so you might want to test it and make sure that it will still operate in the same fashion after the most recent update.
From an IT standpoint, I think the article is quite reasonable. They neither exaggerated nor downplayed the obvious security issues with the car. Of course, someone could use the article as FUD, but the article itself wasn't inflammatory.
I'd like to see a third-party credential system so Visible Tesla never sees my login. That's the issue that bothers me the most, even though I have reasonable trust in that app and it's developer.
In any case, I have a suggestion for unique emails: Gmail (and probably others) ignore a '+' (plus sign) and any following characters in an email address. So, instead of using @gmail.com, you could use +@gmail.com. This allows you to generate multiple, different, email addresses
Sorry, HTML broke my suggestions...try this...
...instead of using firstname.lastname@example.org, use email@example.com...
BTW, the XKCD comic that Brian H posted is a good start, but computing power is so cheap, even that is not infallible. Because the words (horse, battery, etc) are in the dictionary, its still vulnerable to a brute force dictionary attack. To add another layer of protection, use words not in the dictionary (nonsense words or intentionally misspelled) and use unconventional capitalization, for example, capitalize a letter in the middle or at the end of the word.
For example: correkthorsbatterY
Random worD mIXEd or inTerLeaved wItH Hexadecimal:
attitude + ad6be7 = Aatdt6ibteu7dE
helion + 42 = HelioN + 101010 = H1e0li0o1N0
If an attacker can gain root access to the car they could certainly start/stop/accelerate. No idea if the current security holes allow "root" or not but they probably make it easier to do so. With a car that can do OTA updates like ours, it damn well better be very secure. These basic security issues suggest that the car may not yet be as well protected against hackers as it should. I agree that it's not a huge worry, but it is something I'm sure the engineers are addressing.
And why is on star security relevant in any way to this discussion? That's like excusing Obama as a bad president because Bush was a bad president. No relevance whatsoever.
The drivetrain systems are separate from the system that controls the secondary systems, display etc, which is why you can reboot the systems while driving without loss of control. So no, gaining "root" access to the latter will not give you access to the former, as the former use embedded SW not a full-fledged OS.
that article is bogus. it is MINIMUM 6 character but can be much longer.
try hacking a password like :
simply pick a sentence:
good luck with your attrack vector...
In the real world, what is the reward to a hacker if he got into my S? I don't keep my bank account or classified correspondence on my car and I doubt anyone has a motive to take control of my car remotely. Like many security issues, what is the threat?
Even you very long passphrase will fall to a brute force attack as long as you use words in the dictionary (see this enlightening/scary article for details: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-ou...). Now will someone actually expend the effort is a different story. Probably not, but using the car as an attack vector to get into the Tesla servers (say be compromising or spoofing the OpenVPN connection) would be more worthwhile.
There are a couple of simple things Tesla could do like enable two-factor authentication and certificates. They could also implement an temporary lockout after x number of failed attempts to protect against brute force attempts.
Being a networking geek, I would also like to see them lock-down the unprotected Ethernet port.
Do people really use words from the dictionary?
@Go Long TSLA
"If an attacker can gain root access to the car they could certainly start/stop/accelerate."
Do you know if the same system that allows remote access also has the capability to control acceleration? If you don't know this, than it is not a certainty.