Weaknesses in the way Tesla's high-end Model S electric sedan communicates with drivers could leave it open to attacks that allow a remote attacker to unlock its doors and continuously track its location, a security researcher said.

The most serious vulnerability stems from Tesla's minimum password requirement, which is just six characters with at least one number and one letter, according to a recently published evaluation by independent security researcher Nitesh Dhanjani. Combined with no clear account lockout policy limiting incorrect login attempts, the requirement leaves passwords susceptible to brute-force attacks, which cycle through possible combinations until the right one is guessed. Armed with a valid password, an attacker could use the Tesla iOS app to check the car's location and charge status and unlock its doors. Update: On Tuesday, four days after the evaluation was published, Tesla changed the password requirement to eight characters with at least one number and one letter. The manufacturer also added a lockout after five unsuccessful login attempts, after which users must reset the password.
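To make the two policies and the effect of a lockout counter concrete, here is an added example. It is not Tesla's code and does not touch Tesla's service; the account store, class and function names are hypothetical, and only the policy lengths (six and eight characters) and the five-attempt lockout threshold are taken from the article.

```python
"""Added example (not Tesla's code): a minimal login handler that encodes the
two password policies described above and shows what an account-lockout
counter does to an online brute-force attempt. The user store, class and
function names are hypothetical; the policy lengths (6 and 8 characters) and
the lockout threshold (5 attempts) are the figures reported in the article."""
import hashlib
import hmac
import itertools
import re
import string
from typing import Dict, Optional, Set, Tuple


def password_meets_policy(password: str, min_length: int) -> bool:
    """Minimum length plus at least one letter and one digit."""
    return (len(password) >= min_length
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def keyspace(min_length: int, alphabet_size: int = 36) -> int:
    """Candidates of exactly min_length characters over a case-insensitive
    letters+digits alphabet. Policy-conforming passwords are a subset, so this
    is a ceiling, but it shows how the minimum length scales the search."""
    return alphabet_size ** min_length


class LoginService:
    """Hypothetical account store; lockout_threshold=None means no lockout."""

    def __init__(self, lockout_threshold: Optional[int]) -> None:
        self.lockout_threshold = lockout_threshold
        self._hashes: Dict[str, bytes] = {}
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()

    @staticmethod
    def _hash(password: str) -> bytes:
        # Fixed salt keeps the example short; real stores use a per-user random salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 10_000)

    def register(self, user: str, password: str, min_length: int) -> None:
        if not password_meets_policy(password, min_length):
            raise ValueError("password does not meet policy")
        self._hashes[user] = self._hash(password)
        self._failures[user] = 0

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        if user in self._locked:
            return "locked"            # even the correct password is refused now
        if hmac.compare_digest(self._hashes[user], self._hash(password)):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self.lockout_threshold and self._failures[user] >= self.lockout_threshold:
            self._locked.add(user)
            return "locked"
        return "denied"

    def reset_password(self, user: str, new_password: str, min_length: int) -> None:
        """The recovery path the article describes: a reset clears the lock."""
        self.register(user, new_password, min_length)
        self._locked.discard(user)


def brute_force(service: LoginService, user: str, max_attempts: int) -> Tuple[Optional[str], int]:
    """Online guessing over 6-character lowercase+digit strings in enumeration
    order. Returns (recovered password or None, attempts made); stops as soon
    as the service reports a lockout."""
    alphabet = string.ascii_lowercase + string.digits
    attempts = 0
    for cand in itertools.product(alphabet, repeat=6):
        if attempts >= max_attempts:
            break
        attempts += 1
        guess = "".join(cand)
        result = service.attempt(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            break
    return None, attempts


if __name__ == "__main__":
    # Constructed password chosen to sit early in enumeration order so the
    # demonstration finishes instantly; a real search would run far longer.
    for threshold in (None, 5):
        svc = LoginService(lockout_threshold=threshold)
        svc.register("owner", "aaaaa0", min_length=6)
        print(threshold, brute_force(svc, "owner", max_attempts=100_000))
```

Two things worth noticing when running it. Raising the minimum length from six to eight multiplies the letters-plus-digits search space by 36², roughly 1,300×, but the lockout does more for an online attack: the guesser is stopped after five tries regardless of password length. A hard lockout has its own failure mode, though. Anyone who knows an owner's e-mail address can deliberately lock that owner out of the car's app, which is why many services prefer rate limiting or progressive delays to a permanent lock.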

Avoid third-party apps, for now

Dhanjani has previously uncovered weaknesses in Internet-connected LED lights, networked baby monitors, and other "Internet-of-things" devices, and he pointed out that a large percentage of people use identical or very similar passwords for multiple services. That means that even if Tesla improves its password policy, Model S passwords could still be vulnerable if they're included in a hacked database retrieved from an unrelated website. Password reuse is by no means a threat that's unique to Model S owners, but given the ability of a single password to track and unlock cars, the threat could be particularly severe.

Model S passwords are also susceptible to theft or leakage through third-party apps such as Tesla for Glass, which runs on Google Glass, and the upcoming Automate Your Tesla. Dhanjani said these apps work by reverse engineering the REST-style programming interface (API) that Tesla built for its own iOS app and has yet to advertise for outside use. The interface doesn't use OAuth or a similar delegated-authorization scheme that would let an app act on an owner's behalf without ever handling the owner's password. By exposing driver credentials to unvetted third-party developers, the interface increases the chances they could be leaked in a breach or even by rogue employees, Dhanjani warned.

"Tesla designed the API for their own iOS apps to function and they have not advertised it as a good way for third parties to avail the functionality," the researcher told Ars. "Unless Tesla announces a way for third parties to authorize access to car data (which they have not because the API has been reverse engineered), the Tesla owners are submitting their credentials to third parties who are unvetted and can abuse the credentials to check on the location of the cars and unlock them."

For the time being, Dhanjani advised Model S users to steer clear of third-party apps.
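The difference between handing an app your password and handing it a delegated token is easier to see in code, so here is an added example. It is not Tesla's API, not any of the third-party apps' code, and makes no network calls: it is an in-process mock of a vehicle back end with hypothetical action names, scope names and token format.

```python
"""Added example, not Tesla's API nor any third-party app's code: an
in-process mock of a vehicle back end contrasting two ways an app can act
for an owner. Path 1 hands the app the owner's password, as the article says
today's reverse-engineered integrations do. Path 2 issues the app a scoped,
revocable token of the kind OAuth-style delegated authorization provides.
Action names, scope names and the token format are hypothetical."""
import hashlib
import hmac
import secrets
from typing import Dict, FrozenSet, List, Tuple

# Scope each hypothetical action requires.
REQUIRED_SCOPE = {
    "location": "vehicle:read",
    "charge_state": "vehicle:read",
    "unlock": "vehicle:control",
}


def _hash(password: str) -> bytes:
    # Fixed salt keeps the example short; use a per-user random salt for real.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 10_000)


class VehicleService:
    def __init__(self) -> None:
        self._owners: Dict[str, bytes] = {}                       # owner -> password hash
        self._tokens: Dict[str, Tuple[str, FrozenSet[str]]] = {}  # token -> (owner, scopes)
        self.audit: List[Tuple[str, str, str]] = []               # (owner, action, how)

    def register_owner(self, owner: str, password: str) -> None:
        self._owners[owner] = _hash(password)

    def _check_password(self, owner: str, password: str) -> bool:
        stored = self._owners.get(owner)
        return stored is not None and hmac.compare_digest(stored, _hash(password))

    # Path 1: credentials ride along with every request, so the app (or whoever
    # steals its copy) can do everything the owner can.
    def call_with_password(self, owner: str, password: str, action: str) -> str:
        if not self._check_password(owner, password):
            return "unauthorized"
        return self._perform(owner, action, "password")

    # Path 2: the owner authenticates once to mint a token bound to scopes.
    def issue_token(self, owner: str, password: str, scopes: List[str]) -> str:
        if not self._check_password(owner, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (owner, frozenset(scopes))
        return token

    def revoke_token(self, token: str) -> None:
        self._tokens.pop(token, None)   # password and other tokens are unaffected

    def call_with_token(self, token: str, action: str) -> str:
        entry = self._tokens.get(token)
        if entry is None:
            return "unauthorized"
        owner, scopes = entry
        if REQUIRED_SCOPE[action] not in scopes:
            return "forbidden"          # valid token, but not for this action
        return self._perform(owner, action, "token")

    def _perform(self, owner: str, action: str, how: str) -> str:
        self.audit.append((owner, action, how))
        return "ok"


def compare_paths() -> Dict[str, str]:
    """Runs both flows for a constructed owner and a read-only dashboard app."""
    svc = VehicleService()
    svc.register_owner("alice", "correct-horse-9")          # constructed owner
    out: Dict[str, str] = {}

    # Path 1: the dashboard only needs to read, but it holds the full password.
    app_copy = "correct-horse-9"
    out["pw_location"] = svc.call_with_password("alice", app_copy, "location")
    out["pw_unlock"] = svc.call_with_password("alice", app_copy, "unlock")
    # Only remedy after the app leaks it: rotate the password, which also
    # breaks every other client the owner legitimately uses.
    svc.register_owner("alice", "new-password-2")
    out["pw_after_rotation"] = svc.call_with_password("alice", app_copy, "unlock")

    # Path 2: same app, read-only token instead.
    token = svc.issue_token("alice", "new-password-2", ["vehicle:read"])
    out["tok_location"] = svc.call_with_token(token, "location")
    out["tok_unlock"] = svc.call_with_token(token, "unlock")
    svc.revoke_token(token)                                 # cuts off this app only
    out["tok_after_revoke"] = svc.call_with_token(token, "location")
    out["owner_still_works"] = svc.call_with_password("alice", "new-password-2", "unlock")
    out["unlocks_via_token"] = str(sum(1 for _, a, how in svc.audit if a == "unlock" and how == "token"))
    return out
```

The point of the comparison is the blast radius. A leaked password lets the holder unlock the car, and the only remedy is a password change that disrupts every client the owner uses. A leaked read-only token lets the holder see location and charge state but not unlock anything, and revoking it affects that one app alone. That is the property a published, OAuth-style authorization flow would give third-party developers, and the property the reverse-engineered password-based interface cannot.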

Dhanjani has identified at least one other potential weakness: a four-pin adapter that connects laptop computers to a car's internal network. Although traffic over the link is tunneled through OpenVPN, the client side can be configured to authenticate with pre-shared credentials rather than a per-device certificate. It's still not exactly clear what connected laptops can do and access once they're authenticated. Still, the connection could represent a potential privacy or security threat if the credentials were known by someone with physical access to the car.
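For readers unfamiliar with what "pre-shared credentials" means in OpenVPN terms, here are two generic client configurations placed side by side as an added illustration. They are not Tesla's configuration and say nothing about what the car actually ships with; host names, file names and addresses are placeholders, and the two files are shown in one block only for comparison (they cannot be combined, since `secret` and `client` are mutually exclusive).

```conf
# ---- client-static.conf: pre-shared static key mode -------------------
# One secret shared by both ends, no per-device identity. Anyone who copies
# static.key from the device can connect as that device, and the only remedy
# is to rotate the key on every peer that uses it.
dev tun
proto udp
remote vpn.example.invalid 1194
secret static.key
ifconfig 10.8.0.2 10.8.0.1
cipher AES-256-CBC

# ---- client-tls.conf: TLS mode with a per-device client certificate ----
# The client proves possession of its own private key, the server checks the
# certificate against the CA, and one compromised device can be revoked
# through a CRL without touching the others. remote-cert-tls stops a peer
# holding only a client certificate from impersonating the server.
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert device-0001.crt
key device-0001.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
```

The certificate variant fixes the sharing and revocation problems, not the physical-access one: a private key sitting in a file on the car is still readable by whoever can open the case. Keeping that key in hardware that will sign but not export it is what closes the gap the article raises.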

Dhanjani said the point of his evaluation was to demonstrate that static passwords and other traditional methods for locking down computers and networks may not be sufficient for cars and other Internet-of-things devices, where a compromise can have physical consequences. Ars forwarded Dhanjani's report to Tesla officials, but the company has yet to issue a statement in response.

"Tesla has demonstrated innovation leaps beyond other car manufacturers," he wrote. "It is hoped that this document will encourage owners to think deeply about doing their part as well as for Tesla to have an open dialogue with its owners on what they are doing to take security seriously."