Feeds

Researcher lights fire under Tesla security

Needs two-factor authentication now

Internet Security Threat Report 2014

A security researcher is calling on Tesla to introduce two-factor authentication for access to the combination of services that make its Tesla S model one of the most “Internet of Things” vehicles in the world today.

As noted by Threatpost, researcher Nitesh Dhanjani has found that the combination of a mere six-character password used by Tesla S owners to register with the site, plus poor access control and re-use of the password on the iPhone app represent a serious security issue.

As Dhanjani posts, Tesla doesn't limit the number of login attempts a user can make. This makes the six-character password trivial to brute-force, he writes: “a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality”.

Should an attacker gain access to a user's credentials, he writes, the Tesla REST API then lets the attacker locate the vehicle, since once logged in, the session token can be used to submit a GET request to obtain vehicle ID, followed by a second request to that ID to retrieve latitude and longitude from the car.

“Once the phisher has obtained the location of the vehicles mapped to the compromised accounts he or she can unlock a particular vehicle or a set of vehicles (buy invoking the following in a loop): GET request to /vehicles/{id}/command/door_unlock,” Dhanjani writes.

This could be deployed by Botnet herders to launch mass attacks, he continues, concluding that “we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks”. ®

Secure remote control for conventional and virtual desktops

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.