1. Log in to the stolen account by submitting a request to /login and populating the user_session email field with the victim’s email address and the user_session password field with the password.
2. Submit a request to /vehicles to obtain a list of all Tesla cars associated with the victim’s account.
3. Submit a request to /vehicles/{id}/command/drive_state, where {id} is the value associated with the car’s identity. This request will return the location of the car in the form of latitude and longitude.
4. Submit a request to /vehicles/{id}/command/door_unlock to unlock the car.
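Every step above runs on a session that was established from a password alone. The following added example (not code from the book, and not Tesla's own implementation) sketches the server-side control the text argues for: a step-up policy in which listing vehicles is a low-risk read, but any command that discloses the car's location or opens its doors requires a second factor completed within the last few minutes. The endpoint paths mirror the ones named in the steps; the risk tiers, the `Session` fields, the 10-minute freshness window and the `authorize` function are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical endpoint risk tiers. The paths follow the shape of the endpoints named in
# the text; the tiers and the policy below are this example's assumption, not Tesla's.
LOW_RISK = [re.compile(r"^/vehicles$")]
HIGH_RISK = [
    re.compile(r"^/vehicles/\d+/command/drive_state$"),  # discloses the car's location
    re.compile(r"^/vehicles/\d+/command/door_unlock$"),  # grants physical access
]

# Assumed freshness window: how recently the second factor must have been completed.
STEP_UP_MAX_AGE = timedelta(minutes=10)


@dataclass
class Session:
    user: str
    password_verified_at: datetime
    # When the user last completed a second factor; None for a password-only session.
    second_factor_verified_at: Optional[datetime] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


def classify(path: str) -> str:
    """Map a request path to a risk tier; anything unlisted is 'unknown' and denied."""
    if any(p.match(path) for p in HIGH_RISK):
        return "high"
    if any(p.match(path) for p in LOW_RISK):
        return "low"
    return "unknown"


def authorize(session: Session, path: str, now: datetime) -> Decision:
    """Allow low-risk reads on a password-only session; require a recent second factor
    for anything that locates or physically opens the vehicle; deny unknown paths."""
    tier = classify(path)
    if tier == "unknown":
        return Decision(False, "unrecognised endpoint")
    if tier == "low":
        return Decision(True, "low-risk read")
    if session.second_factor_verified_at is None:
        return Decision(False, "step-up required: password-only session")
    age = now - session.second_factor_verified_at
    if age > STEP_UP_MAX_AGE:
        return Decision(False, f"step-up required: second factor is {age} old")
    return Decision(True, "second factor is fresh")


def demo() -> dict:
    """Constructed scenario: one owner session in three states, checked against the
    endpoints named in the text. Returns the allow/deny outcome of each check."""
    now = datetime(2014, 1, 1, 12, 0)
    password_only = Session("owner@example.com", now - timedelta(minutes=1))
    fresh = Session("owner@example.com", now - timedelta(minutes=1),
                    second_factor_verified_at=now - timedelta(minutes=2))
    stale = Session("owner@example.com", now - timedelta(hours=2),
                    second_factor_verified_at=now - timedelta(hours=1))
    unlock = "/vehicles/123/command/door_unlock"
    return {
        "password_only_list": authorize(password_only, "/vehicles", now).allowed,
        "password_only_unlock": authorize(password_only, unlock, now).allowed,
        "fresh_unlock": authorize(fresh, unlock, now).allowed,
        "stale_unlock": authorize(stale, unlock, now).allowed,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point of tiering by endpoint rather than by session is that a phished or leaked password still buys the attacker nothing beyond the vehicle list: the location and unlock calls in steps 3 and 4 fail until a second factor the attacker does not hold has been presented, and they fail again once that proof ages out.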
It is evident that single-factor authentication consisting of just a username and password, even with password complexity requirements and account lockout policies, is not sufficient to protect the security of a vehicle, since simple and traditional phishing attacks can allow a malicious user to locate, unlock, and even start the car. Also consider the case in which an attacker has temporary access to the victim’s email. The attacker can simply request a password reset from the Tesla website and take over the user’s Tesla account. Take a moment to consider the impact of this situation: an attacker who has compromised the email account of a Tesla owner can locate and steal that individual’s car.
Users have a tendency to reuse their credentials across online services. This creates a situation in which an attacker who has compromised a major website can attempt to use the same password credentials for other services, such as the Tesla website and iOS app. Major password leaks also occur on a daily basis, and they are easy to find by way of projects like LeakedIn that collect and report on credentials that have been publicly exposed. An attacker can easily use usernames and passwords from such leaks to attempt to log into the Tesla iOS app, or automate the process described earlier, to locate and unlock cars.
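Credential reuse and leaked password lists show up at the login endpoint as credential stuffing: one source tries many different usernames in a short period, and most of the attempts fail. The following added example (not code from the book) runs a sliding-window detector over a constructed authentication log. The log format, the source addresses, the usernames and the thresholds are assumptions made for this example. It also shows why a legitimate owner retrying a single account does not trip the rule, and which accounts that produced a successful login from a flagged source deserve a forced password reset or a step-up challenge.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs). Assumed format:
# "<ISO timestamp> <source ip> <username> <OK|FAIL>"
# The first source walks through six different accounts in six seconds; the second is
# one owner mistyping their own password twice before getting in.
SAMPLE_LOG = """\
2014-01-01T12:00:00 203.0.113.5 alice@example.com FAIL
2014-01-01T12:00:01 203.0.113.5 bob@example.com FAIL
2014-01-01T12:00:02 203.0.113.5 carol@example.com FAIL
2014-01-01T12:00:03 203.0.113.5 dave@example.com OK
2014-01-01T12:00:04 203.0.113.5 erin@example.com FAIL
2014-01-01T12:00:05 203.0.113.5 frank@example.com FAIL
2014-01-01T12:03:00 198.51.100.9 alice@example.com FAIL
2014-01-01T12:03:20 198.51.100.9 alice@example.com FAIL
2014-01-01T12:03:40 198.51.100.9 alice@example.com OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log: str):
    """Parse log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Sliding window per source IP: flag an IP that tries at least `min_users` distinct
    usernames within `window` with a failure ratio of at least `min_fail_ratio`.
    Thresholds are assumed values for the example; tune them to the real login rate."""
    recent = defaultdict(deque)  # ip -> deque of (ts, user, result) inside the window
    flagged = {}
    for ts, ip, user, result in sorted(events):
        q = recent[ip]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, r in q if r == "FAIL")
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            # Keep the first time the IP crossed the threshold and every account it
            # touched, including ones that succeeded: those are the likely takeovers.
            flagged.setdefault(ip, {"first_seen": ts, "accounts": set()})
            flagged[ip]["accounts"] |= users
    return flagged


def successful_logins_from_flagged(events, flagged):
    """Accounts that produced an OK from a flagged source: candidates for a forced
    password reset and a step-up challenge before any vehicle command is honoured."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "OK"})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    hits = detect_stuffing(ev)
    for ip, info in hits.items():
        print(f"{ip}: first flagged {info['first_seen'].isoformat()}, "
              f"{len(info['accounts'])} accounts touched")
    print("compromised logins:", successful_logins_from_flagged(ev, hits))
```

Per-account lockout, which the text already dismisses, is blind to this pattern because each account sees only one attempt; the signal lives in the per-source fan-out across accounts. The one successful login from the flagged source is the account that matters: it is the reused password that worked, and it should be treated as compromised rather than as a normal session.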
This sets a new perspective on how traditional attack vectors can be abused not only to gain access to a victim’s online information, such as email and instant messages, but to locate and steal a luxury car. Yet again, the point here is that an IoT device capable of going from 0 to 60 miles per hour in 3.2 seconds should not be vulnerable to traditional attacks that are a result of single-factor authentication. We also know that malware botnets are always incorporating new methods to locate and pillage user information. If companies like Tesla continue to implement weak controls such as traditional username-and-password-based authentication, it is quite likely that malware authors will attempt to look for and capture these credentials. Since particular strains of malware can compromise millions of laptops and desktops, this will create a situation in which a significant number of connected vehicles may be compromised and remotely accessible by botnet herders who can be located anywhere in the world.
THE TESLA MODEL S 177