A researcher has identified a number of issues with the security of the Tesla S, including its dependence upon a weak one-factor authentication system linked to a mobile app that can unlock the car remotely.

The current move by auto makers to stuff their vehicles full of networked devices, Bluetooth radios and WiFi connectivity has not gone unnoticed by security researchers. Charlie Miller and Chris Valasek spent months taking apart–literally and figuratively–a Toyota Prius to see what vulnerabilities might lie inside; and they found plenty. Now, another researcher has identified a number of issues with the security of the Tesla S, including its dependence upon a weak one-factor authentication system linked to a mobile app that can unlock the car remotely.

The Tesla S is a high-end, all-electric vehicle that includes a number of interesting features, including a center console touchscreen that controls many of the car’s systems. There also is an iPhone app that allows users to control a number of the car’s functions, including the door locks, the suspension and braking system and the sunroof. Nitesh Dhanjani found that when new owners sign up for an account on the Tesla site, they must create a six-character password. That password is then used to log in to the iPhone app.

Dhanjani discovered that the Tesla site doesn’t seem to have a function to limit the number of login attempts on a user account, so an attacker potentially could try to brute-force a user’s password. An attacker also could phish a user to get her password and then, if he had access to the user’s iPhone, log in to the Tesla app and control the vehicle’s systems. The attacker also could use the Tesla API to check the location of the user’s vehicle, even without the iPhone app.
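The control the paragraph above says is missing, as an added illustration that is not from the article or from Tesla’s code: a login handler that counts failed attempts per account inside a sliding window and refuses further attempts once the limit is hit, even when the guess is correct. The class name, thresholds and the minimum-length policy are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5       # failed attempts tolerated per account inside the window (assumed)
WINDOW_SECONDS = 900   # sliding 15-minute window after which old failures expire (assumed)
PBKDF2_ROUNDS = 100_000


class LoginService:
    """Password login with a per-account failed-attempt limit (constructed example)."""

    def __init__(self):
        self._users = {}                    # username -> (salt, pbkdf2 hash)
        self._failures = defaultdict(list)  # username -> timestamps of recent failures
        # Dummy record so an unknown username costs the same as a real one (no timing oracle).
        self._dummy = (os.urandom(16), self._hash("placeholder", os.urandom(16)))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        if len(password) < 12:  # assumed policy: longer than the six characters the article describes
            raise ValueError("password too short")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _recent_failures(self, username, now):
        cutoff = now - WINDOW_SECONDS
        self._failures[username] = [t for t in self._failures[username] if t > cutoff]
        return len(self._failures[username])

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'; `now` is injectable for tests."""
        now = time.time() if now is None else now
        # Check the counter before touching the password, so a correct guess made
        # during the lockout is not accepted either.
        if self._recent_failures(username, now) >= MAX_FAILURES:
            return "locked"
        salt, stored = self._users.get(username, self._dummy)
        if username not in self._users or not hmac.compare_digest(self._hash(password, salt), stored):
            self._failures[username].append(now)
            return "denied"
        self._failures[username].clear()  # a successful login resets the counter
        return "ok"
```

A per-account counter only slows online guessing against one account; it does nothing against a valid password re-used from another breached site, which is the case for the second factor Dhanjani asks for.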

Dhanjani said that the attacks he’s most concerned about don’t involve brute-forcing, though. He’s more worried about attackers running a phishing campaign against Tesla owners.

“The point here (and subsequent attack vectors) is that Tesla needs to implement an authentication mechanism that is beyond 1-factor. Attackers shouldn’t be able to use traditional and well known attack vectors like phishing to remotely locate and unlock a 100k+ car built in 2014,” he said via email.

“In cases where the attacker is able to hack another website, he or she can use the usernames and credentials from the compromised accounts to attempt them on Tesla’s website and APIs given that users have the tendency to re-use passwords.”

Other possible attack vectors Dhanjani envisioned include an attacker installing malware on a target user’s machine to log his password for the Tesla site or using social-engineering attacks against Tesla employees to have them turn over passwords or remotely unlock a vehicle. The phishing and malware attack vectors are threats that any site that relies on a password faces. But they take on extra importance when the password is associated with something as valuable as a car.

“The Tesla Model S is a great car and a fantastic product of innovation. Owners of Tesla as well as other cars are increasingly relying on information security to protect the physical safety of their loved ones and their belongings. Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level,” Dhanjani said.

Along with the authentication issues, Dhanjani also found that by connecting a laptop to the vehicle through a port in the dashboard, he could identify three separate IP-enabled devices in the vehicle, potentially the dashboard screen, the center console and an unidentified third device. Both the console and the dashboard have a number of services exposed, including SSH and HTTP, and the third device has telnet exposed as well.

He said that he has sent the information he gathered to a Tesla employee through a friend and the company is aware of what he’s published, but he hasn’t heard an official response.
