As more and more technology gets crammed into our automobiles, replacing once simple mechanical systems with electronics and other such wizardry, hackers and people much smarter than ourselves are finding more and more ways to exploit them. The latest such case comes from a man named Nitesh Dhanjani, who has reportedly managed to send wireless codes over the internet to the Tesla Model S that can unlock the car's doors.

According to an article from Reuters, the six-digit passcode required to gain entry into Tesla's electric sedan isn't the only flaw in the car's security Dhanjani – himself a Tesla Model S owner – has found. That said, the car's electronic key fob is still required to start and drive the vehicle, meaning thieves would only have the ability to steal things left inside the car and wouldn't actually be able to operate it or drive it away.

"It's a big issue where a $100,000 car should be relying on a six-character static password," said Dhanjani, who has shared his findings with Tesla.

We agree, sort of. While we certainly don't like the idea of unlocking anyone's automobile for nefarious means, nobody can deny that thieves and other not-so-pleasant people have been breaking into and stealing cars ever since their invention. Ford has used keypad entry systems for decades, remote access keys have been hacked in the past, and, of course, the old-fashioned brick-through-the-window approach happens more times every day than we'd like to think about...

Still, this potential security flaw is worth investigating, especially, we'd imagine, to current and future Tesla owners. We've reached out to Tesla for comment and will update this story if and when we hear back.


  • 61 Comments
      DarylMc
      • 8 Months Ago
      Is Nitesh Dhanjani any good with websites? Maybe he can come and fix the problems with the comments here :)
      Joeviocoe
      • 8 Months Ago
      The problem would be with Tesla's servers... not with the cars. When you log into the Tesla Owners site... and enter that 6 digit number (either from a home computer or mobile phone), and use that web frontend to send an unlock or locate command to the car... the communications from there is encrypted with long keys. So this would not require any OTA update or recall for the cars themselves... but rather a simple patch on their server to disallow multiple failed entries. The 6-digit password is pathetic. But they chose a short password because most people will want to log in via smartphone, and within seconds of reaching their car. A long password makes that cumbersome. A mistake to be sure, but the easiest to correct.
        Bernard
        • 8 Months Ago
        @Joeviocoe
        That server needs 2 factor authentication then. Just like what Google has.
          Joeviocoe
          • 8 Months Ago
          @Bernard
          No 2 factor. The user is expected to be able to login very quickly to unlock doors or locate the car.... from their mobile phone. 2 factor would require too much time. A simple pw fail timeout is more than enough to thwart brute force attacks like this.
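Added example, not part of the original comment thread and not Tesla's code: a minimal per-account failed-login throttle of the kind the comments above describe, where the server refuses further attempts after repeated failures. The class and function names, the thresholds and the sample password are assumptions made up for illustration.

```python
import time


class LoginThrottle:
    """Per-account failed-attempt limiter with a doubling lockout (illustrative)."""

    def __init__(self, max_failures=5, base_lockout=60.0,
                 max_lockout=3600.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock            # injectable so the logic can be tested
        self._state = {}              # account -> (consecutive_failures, locked_until)

    def allowed(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return self.clock() >= locked_until

    def record(self, account, success):
        if success:
            self._state.pop(account, None)   # a good login resets the counter
            return
        failures, locked_until = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            # Lockout doubles for each failure past the threshold, up to a cap.
            extra = failures - self.max_failures
            lockout = min(self.base_lockout * (2 ** extra), self.max_lockout)
            locked_until = self.clock() + lockout
        self._state[account] = (failures, locked_until)


def attempt_login(throttle, account, password, check_password):
    """Return 'locked', 'ok' or 'denied'.

    The throttle is consulted BEFORE the password is checked, so a locked
    account gives no answer about whether a guess was right.
    """
    if not throttle.allowed(account):
        return "locked"
    ok = check_password(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"


def worst_case_days(keyspace, guesses_per_hour):
    """Days needed to try every value in `keyspace` at a sustained guess rate."""
    return keyspace / guesses_per_hour / 24
```

Once the lockout reaches its one-hour cap, sustained guessing drops to about one attempt per hour per account, so exhausting even a six-digit space (`worst_case_days(10**6, 1)`) takes roughly 41,667 days. The trade-off is that repeated bad guesses also lock out the legitimate owner for the same period.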
        Marco Polo
        • 8 Months Ago
        @Joeviocoe
        @ Joeviocoe Isn't it inherent that any computerized system that can receive instructions over the internet, or by wireless communication, can be hacked? Tesla is more vulnerable than most vehicles, because it's also more capable of receiving upgrades etc by remote processes. There is always the danger of a security problem, but I guess that's just the price to pay for progress. The ability to open the car's doors is relatively minor in comparison to being able to hack, or corrupt, the operating functions of the vehicle.
        Marco Polo
        • 8 Months Ago
        @Joeviocoe
        @ Joeviocoe Cyber attack is not just a problem for Tesla. All vehicles which are 'internet' or telephone connected will become subject to an endless battle against malicious or criminal cyber interference. Opening the car's doors for criminal purpose is a fairly mild annoyance, but an attack on the vehicle's safety or operating systems could prove more serious and even fatal. Since Tesla is just a pioneer with this technology, which will eventually become standard, cyber security will become a new area of concern for all auto-makers.
      Marco Kuendig
      • 8 Months Ago
      that article is certainly wrong. the model s has username and password as protection. you can choose any character and make the password as long as you want. that is same or better security as most e-banking has.
        jeff
        • 8 Months Ago
        @Marco Kuendig
        Exactly, The 6 digit is just to set up the account.... Mine is significantly longer....
      Chris
      • 8 Months Ago
      It is not a 6 digit code... It's a minimum 6 character password. BIG DIFFERENCE. My Tesla password is longer and contains upper and lower case, numbers and special characters. So the problem with the Model S security is.....????
        Julius
        • 8 Months Ago
        @Chris
        Somehow, I'm thinking it's the codes for the keyless remote system that's at question, not the user password for the vehicle.
      bonehead
      • 8 Months Ago
      why use the concept photos in this article???
        Tesla Fan
        • 8 Months Ago
        @bonehead
        because the concept car was prone to password hacking
      Ralphie
      • 8 Months Ago
      Is that a model S in the photo? The front fascia looks different.
      Joeviocoe
      • 8 Months Ago
      The early wireless key fobs were also easily hackable with little knowledge and some cheap equipment too. A Ham radio operator could figure it out. Many cars were stolen this way, but nobody bats an eye... not unless you are talking about a controversial new automaker. Either way... it is good a security researcher poses the question first rather than an incident be uncovered. The fix is cheap and easy. A lot cheaper and easier than titanium.
      throwback
      • 8 Months Ago
      Isn't everything computer controlled hackable? The question is how easy is it to do?
      KC
      • 8 Months Ago
      Why is the goto image a prototype from so long ago?
      Chunky
      • 8 Months Ago
      Clickbait alert!
      jeff
      • 8 Months Ago
      This is being blown way out of proportion: 1) This is about the password for the mobile app. While it allows simply 6 digit passwords, you can enter a longer and more complex password if you like. Since you only have to enter it once in the mobile app why not make it better. 2) If you are really paranoid, you can turn the remote feature off in the car. It is a setting on the touch screen.
        Marco Polo
        • 8 Months Ago
        @jeff
        @ jeff Jeff, yes this particular story may be not that much of a problem, and Tesla is just a pioneer of this technology. But stepping around all the gratuitous attacks and defensiveness about Tesla, the problem remains. As more and more auto-makers follow Tesla's example and automobiles become increasingly "connected" and dependent on computerised systems, so will the potential for malicious cyber attacks. Cyber security is an area new to the auto-industry, and merits discussion.
      Larene Depopiet
      • 8 Months Ago
      In related news, a reliable source reports that they were able to gain access to a $20M mansion with a simple crowbar. Our source comments "This is a big issue for owners of luxury $20M mansions, who should not expect that a simple $5 crowbar could break the locks of the back room entrance."