Security is particularly important in a highly networked vehicle like a Tesla. Due to my experience as a network security specialist and my work in my software company, I am confronted with this topic often.
Therefore, I would like to give some important tips in this blog on how to make it as difficult as possible for criminals.
What can even happen?
Once an attacker has access to my Tesla Account, there are a number of ways in which he can harm me.
- Store purchases: With the payment data stored for supercharging, the attacker can go on a shopping spree, have the goods sent to an external address and then sell these goods.
- Theft of the vehicle: The attacker could store a Tesla account created with fake data as an additional driver for the vehicle(s) and would have full access within a few minutes. He can use the smartphone app to open the vehicle and drive away. As soon as he has switched the vehicle to D, he disables mobile access and/or disrupts the LTE signal or removes the antenna or SIM. This means that the rightful owner is also locked out.
- Removing the vehicle from the account: Removal from the account is used regularly to change ownership. The attacker cannot make any real profit from this, but it can cost the rightful owner a lot of nerves.
How can I protect myself?
Of course, there is never 100% protection in life. However, a high level of security can be achieved with a few simple measures. If the attacker has no personal motives, he can usually be deterred by this alone - he simply looks for an easier victim.
Tesla Specific Recommendations
Pin 2 Drive: A 4-digit PIN can be assigned via the vehicle menu, which must be entered before each journey. This works well against simple criminals who steal the vehicle key or, on older Model S and X, amplify the signal of the nearby key. It also helps against opportunistic thieves if you forgot your key in the vehicle, or burglars who physically take the key.
However, it does not help much against a hijacked account, because for security reasons the PIN can be reset using the account login in the vehicle.
Check emails and add Tesla to your favorites: Once a new driver is added to a vehicle, Tesla will send an email to the owner and the new authorized driver for information.
Anyone who has deactivated notifications for new e-mails should add the sender address firstname.lastname@example.org to their favorites so that e-mails from Tesla always trigger a notification. With luck you are fast enough to log in in time, remove the access to the vehicle again and reset the password.
No password change possible: Tesla does not allow you to change your own password via the account page. It is only possible to reset it. You will receive an email with a link to a website where you can set your new password. This prevents someone with account access from being able to lock out the actual owner. However, if an attacker has additional access to the e-mails, he can intercept them, complete the password change himself and thus lock out the owner.
To counteract this, special attention should be paid to securing your personal e-mail inbox - more on this below in the general recommendations.
Use a password manager: The following recommendations would be very difficult to implement without a password manager; with one, however, they cause practically no additional work in daily use. A password manager should be part of the absolute basic equipment of every Internet user anyway. We have had very good experiences with 1Password, for example; it also offers the possibility to manage multi-factor authentication across devices and has many useful functions. As a large and well-known provider that is also used in corporate environments, it has to prove its security every day.
No password to remember: Passwords should be generated completely at random, be as long as the provider allows (e.g. 64 characters) and use all characters the provider allows (upper and lower case, digits, special characters). 1Password offers exactly this kind of password generation, and with its browser plugins and apps for all desktop and mobile platforms, manual login is also a thing of the past.
Do not use a password twice: Passwords that are used more than once are one of the biggest points of attack in IT security. If a poorly secured service is compromised, the attacker can use the password obtained there to log in to the Tesla account. If you use a password manager, there is no longer any reason to use the same password for multiple services, not even for convenience.
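To make the three password rules above concrete (fully random, as long as the provider allows, every allowed character class), here is an added example generator written for this post; it is not code from 1Password or from the original article. It uses Python's `secrets` module (the OS random number generator) and shows the entropy you get from length and alphabet size. The `allowed_special` parameter and the `CLASSES` table are my own names and assumptions, not any provider's API.

```python
import math
import secrets
import string

# Character classes as named in the post: upper and lower case, digits, special characters.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}


def generate_password(length: int = 64, allowed_special: str = string.punctuation) -> str:
    """Return a password drawn with the OS CSPRNG (secrets), containing every
    character class the provider allows.  allowed_special narrows the special
    characters to the set a particular provider accepts ("" disables the class).
    (Hypothetical helper written for this example.)"""
    classes = [CLASSES["lower"], CLASSES["upper"], CLASSES["digits"]]
    if allowed_special:
        classes.append(allowed_special)
    alphabet = "".join(classes)
    if length < len(classes):
        raise ValueError("length too short to contain every character class")
    # Rejection sampling: draw uniformly from the full alphabet and retry until
    # every class is present.  Unlike "pick one from each class, then shuffle",
    # this keeps the distribution uniform over all passwords that satisfy the rule.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def uses_only(password: str, alphabet: str) -> bool:
    """True if the password contains no character outside the given alphabet."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = generate_password()
    # 64 characters over the 94 printable ASCII characters: roughly 419 bits.
    print(pw, f"{entropy_bits(len(pw), 94):.0f} bits")
    # For comparison, 8 lower-case letters give fewer than 40 bits.
    print(f"{entropy_bits(8, 26):.0f} bits")
```

The retry loop almost never runs more than once at 64 characters; it only matters for short lengths, where forcing one character per class would otherwise skew the distribution.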
Use multi-factor authentication (2FA or MFA): With two-factor or multi-factor authentication, the point is to prove authorization not just through the one factor "knowledge" (the password), but through at least a second one, such as "possession" (the code generator) or "being" (a biometric method).
Tesla supports the standard procedure of a code generator (also supported by 1Password and other password managers). In addition, up to 2 generators can be registered. You should do this to have an independent backup. The added benefit of using 1Password in the cloud is that the code generator is replicated across all devices. That means I can also log in easily with my tablet or PC if necessary and am not solely dependent on my smartphone.
The only thing that changes for the user through the use of MFA is that after entering the password when logging in, an additional code must be entered, which is regularly regenerated by the generator (e.g. the 1Password app).
Don't share accounts: Accounts like the Tesla account are usually personal accounts, i.e. tied to one specific person. No matter how much you love your partner or trust your friends, accounts should never be shared. Tesla allows additional drivers to be added; this should be used as intended.
The problem with account sharing is not only that a partner or friendship can break up, but also an additional attack vector. Maybe I'm so experienced myself that I won't be fooled by a phishing email - but maybe my partner is.
Don't trust emails: As soon as access security (or credit card data, etc.) is at stake, distrust should set in. If an email ostensibly from Tesla or some other vendor asks me to enter my password, I become suspicious.
Of course there are occasional legitimate requests, for example to renew the password if it has not been changed for a long time. In that case, however, you should not click on the practical "Login" button in the email - this link, like the sender, can very well be forged - but open the browser by hand and type in the address of the provider.
Check password recovery methods: Despite the password manager, it can happen that you lose a password and have to reset it. For every service on the Internet you should check how the provider handles this case. If a provider allows a reset by answering questions such as "What is your favorite color", or even sends the password in plain text (with a correct implementation the provider never knows it!), that provider should be avoided if possible. Obviously it has no security concept, or simply ignores it.
Secure emails: Looked at soberly, your own e-mail inbox is by far one of the most important access points you can have. Not least because warnings about unauthorized logins or requests to reset the password run through it. Many attacks are aimed at gaining access to the victim's e-mail inbox via detours in order to then attack the actual target - for example the Tesla access.
All of the above recommendations should therefore also and especially apply to your own e-mail inbox!
This also means that a provider who, for example, restricts the choice of password or does not offer MFA should be excluded or changed from the outset.
Supplement: password manager
We received a letter from Rolf describing his alternative setup to 1Password. Since this could be interesting for everyone who prefers open source solutions and synchronizations without cloud services, we don't want to withhold them from you:
"Keepass is an OpenSource solution that is available for free for all common platforms such as MacOS, Windows, Linux, Android and iOS. In combination with ResilioSync (also free for personal, private use) or SyncThing (also open source) the same database with passwords can be kept up to date on all personal devices without cloud support.
Keepass can also do OTP with a plugin, but this should then also be installed on all devices used, unfortunately manually."
Supplement: External services such as ABRP or Teslalogger
Antonino had asked me to add a few thoughts on the use of third-party services such as ABRP or Teslalogger with regard to passing on the access token or even the access data.
Basically, everything that works with the login via the web interface now runs with the token (add/remove drivers, ...). The advantage of the token remains that I don't have to share any access data and it can be blocked more easily in an emergency. Under no circumstances would I give the complete access data to a third-party service - simply because it would then have to save it.
The risk of disclosure of access consists of two possible scenarios:
- The provider has bad intentions, i.e. the provider himself does things with the access that he should not do.
- An attacker penetrates the provider and steals the tokens with which he can then cause damage.
I don't see the first variant as "that" dramatic for established providers because they have a trust-inspiring past ("track record"). But here too, for example, an angry dismissed employee could misuse the data if the provider is sloppy with its own IT security.
I am not aware of any provider who has transparently (publicly) documented their processing and infrastructure or had them audited. Strictly speaking, I would therefore not give access to such providers. For the average user who derives an important benefit from the relevant service, the security level of established providers such as ABRP can definitely be classified as acceptable. Nevertheless, one should at least be aware of the risk.
Applications such as the well-known Teslalogger, which are open source and can be audited by anyone with the appropriate programming knowledge, are much less critical in my view. In addition, Teslalogger, for example, can also be installed locally, so that no third-party provider has to be trusted. However, one must not forget that I am then responsible for the security myself. Without any specialist knowledge or the support of competent people, I would not necessarily put such a system into operation without first informing myself about the possible risks.