Most strikingly, Dhanjani notes, Tesla users are required to register an account password containing six characters with at least one number and one letter.
Whether by brute force attacks, phishing, malware, social engineering attacks or e-mail account compromise, those passwords are relatively vulnerable -- and anyone with the user's password can leverage Tesla's iOS app to unlock the car and view its location and charge status.
Dhanjani also notes that the Tesla iOS app uses a REST API, which can be leveraged by third parties, to send commands directly to the car. "Should the third party infrastructure be compromised, the malicious intruder can collect Tesla users' credentials and abuse the remote functionality," he writes.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The car can also connect to local Wi-Fi, Dhanjani adds, and a 4-pin connector to the left of the dashboard can provide a malicious user with information about the vehicle.
"Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks," Dhanjani writes. "The implications to physical security and privacy in this context have raised stakes to the next level."