Connect with us

Hi, what are you looking for?



Tesla Model S Cars Can be Located, Unlocked With Stolen Passwords: Researcher

A recent presentation at the Black Hat Asia conference last week placed the spotlight on securing the Internet of Things, this time in the form of an electric car.

A recent presentation at the Black Hat Asia conference last week placed the spotlight on securing the Internet of Things, this time in the form of an electric car.

According to researcher Nitesh Dhanjani, Tesla Motors gives car owners the ability to unlock their car doors using their mobile phones, creating a potential opening for criminals able to get their hands on the user’s password.

In a paper, Dhanjani explained that to order a Tesla Model S, users have to establish a password-protected account on Once the car is delivered, the owner can use a mobile app to take a number of actions, including both locking and unlocking the car as well as flashing the lights. They cannot use the app to actually start the car, which requires the actual key fob.

Still, this new reality opens up a number of potential attack vectors, Dhanjani argued, including the use of brute-force attacks. According to Dhanjani, the Tesla website does not have an account lockout policy that goes into effect after multiple failed login attempts. The situation is also attractive for phishers who may look to steal the credentials as well. From there, the attackers could find the cars associated with the accounts and unlock the doors.

“Once credentials are gathered,” the researcher wrote, “phishers can easily check the location of the cars for the accounts they have compromised by using the Tesla REST API  (destination by following these steps:

                 A. Login by submitting to /login and setting the user_session[email] and user_session [password] parameters.  

                 B. Use the session token from A to obtain the vehicle list by submitting a GET request to /vehicles.  

                 C. User the vehicle id obtained in B to query the location of the vehicle by submitting a GET request to /vehicle/{id}/command/drive_state. This will return the location in the form of latitude and longitude.

Advertisement. Scroll to continue reading.

“Once the phisher has obtained the location of the vehicles mapped to the compromised accounts he or she can unlock a particular vehicle or a set of vehicles (buy invoking the following in a loop): GET request to /vehicles/{id}/command/door_unlock,” he wrote. 

The researcher also noted that third-party applications have already begun to leverage the Tesla REST API to build applications. This could be problematic in the case of malicious apps or in the event the third-party infrastructure is compromised. Until Tesla announces an SDK and the methods they are going to outline to sandbox applications, users should refrain from using third-party applications, he wrote.

Dhanjani stated that he has shared his findings with Tesla Motors. In a statement, a spokesperson for the car company told Reuters that the company “will continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”

“Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks,” according to Dhanjani’s paper. “The implications to physical security and privacy in this context have raised stakes to the next level.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...