Locate and Steal a Tesla the Old-Fashioned Way
It is common knowledge that weak passwords are a bad idea, and most popular online serv-
ices require that users pick a password with reasonable complexity. Otherwise, users tend to
select passwords that are easily guessable, and attackers can exploit this situation by guessing
possible combinations of passwords (also known as a brute-force attack) to gain access to a
victim’s account. As shown in Figure 6-6, Tesla’s older website enforced a password length of
six characters, including one letter and one number. This allowed for weak passwords such as
password1, Tesla123, and so on. According to a recent survey, 123456 remains one of the most
common passwords, while abc123 is the 14th most common (and this would pass Tesla’s
complexity requirement). Furthermore, Tesla’s website (and its iOS app, as shown in
Figure 6-7) did not originally enforce any password lockout policy, which allowed a potential
attacker to guess a target’s password unlimited times. An attacker who is able to guess the
password can then find the physical location of the target’s car using the app—and that’s not
all. The attacker can also unlock the car, start it, and drive it using the app!
Tesla updated its password complexity requirements in April 2014 to a minimum of eight
characters, including one letter and one number. The 25th most common password identified
by the previously mentioned survey, trustno1, would meet this requirement. Tesla also imple-
mented a password lockout policy that locks a given account when six incorrect login attempts
are made. When an account is locked out, the user can request a password reset link to be
emailed to the address on file.
CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY(^174) ELECTRIC