At the starting of last month we reported that by using a $20 toolkit called CAN Hacking Tool (CHT), hackers can hack your Smart Cars, giving entire control of your car to an attacker from windows and headlights to its steering and brakes.
Now a new research carried out on the Tesla Smart car has proved that the hackers are able to remotely locate or unlock the Tesla Motors Inc. electric vehicles, just by cracking a six-character password using traditional hacking techniques.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
At the Black Hat Asia security conference in Singapore on Friday, Nitesh Dhanjani, a corporate security consultant and Tesla owner, said a recent study conducted by him on the Tesla Model S sedan pointed out several design flaws in its security system, and there wasn't any hidden software vulnerabilities in the car's major systems. The major vulnerability sites somewhere else.
According to Dhanjani, the Model S of Tesla Motors requires a key fob in order to drive it, but the car can be unlocked through a command transmitted wireless over the Internet to the Smart car. Now this command could be hijack by the cybercriminals, as it's quite easy to crack the password using traditional hacking techniques or steel it either way.
By using this password, attackers would not be able to drive your car, but could unlock, locate and gain access to your car and steal its contents, like laptops, tablets, GPS systems, money, or whatever's stored in the car.
"We cannot be protecting our cars in the way we protected our (computer) workstations, and failed," he said during a presentation.
HOW TO HACK 'Tesla Smart Car'
When the users order a car, they are required to sign up an account, secured by a six-character long password (key) that is also used to unlock the mobile phone app to gain access to their online Tesla account (https://www.teslamotors.com).
Tesla Smartphone app is freely available for your device, and using it you can easily locate and unlock your car remotely, furthermore, the app can control and monitor other functions of your car as well.
Now, this password (key) might easily guess by a hacker via a Tesla website, which has no restriction on the number of incorrect login attempts.
"The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account," Dhanjani said. "It's a big issue where a $100,000 car should be relying on a six-character static password," he added.
Dhanjani has reported his findings to Tesla, but Tesla spokesman Patrick Jones declined to comment on it, though he said the research they received by the security experts is carefully reviewed by the carmakers.
"We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process," Jones said via an email.
Dhanjani also claimed through evidence that Tesla support staff can unlock cars remotely, leaving the car owner vulnerable to hackers, an attacker could masquerade as Tesla staff and might succeed to hack into the users' car.
These small issues must be seriously considered by the car manufacturers as the coming years will totally based on the Android based Smart Cars, as Google has also tied-up with several Auto manufacturers with the goal to bring Android to Cars with built-in controls and hardware by the end of this year.