Tesla should really enforce two-factor authentication to protect its customers


Tesla offers two-factor authentication for its app, which gives access to certain features of its cars. The problem? It is optional.

Do you own a Tesla? If so, we can only encourage you to enable two-factor authentication on the account that gives access to the app. In a series of tweets published on January 10, David Colombo, hacker and cybersecurity specialist, claims to have taken remote control of several Tesla vehicles located in various countries.

"This is not a vulnerability within Tesla infrastructure. It's the owners' fault. That's why I would like to be able to report it to those concerned," he indicates. In his eyes, the flaw lies with users whose IT hygiene is not good enough to protect them from external attacks (choosing a strong password, for example, or not reusing the same one for all of their accounts). The American manufacturer could, however, make its customers more responsible, for example by imposing two-factor authentication (it is only optional for the moment).

Tesla Model Y // Source: Louise Audry for Numerama

Two-factor authentication should be mandatory for Tesla cars

Note that David Colombo is not able to fully control Tesla cars from home: he cannot act on driving commands such as acceleration or steering when the driver is at the wheel. However, he explains that he can deactivate Sentry Mode (surveillance of the surroundings when the car is parked), unlock the doors, see the exact location or even start a video on YouTube. He nonetheless concedes: "I think it's pretty dangerous if someone is able to play music at full volume or open the window while you are driving on the freeway." Note that it is not possible to create a phone key, given that you have to be near the car to carry out the configuration (which goes through the Bluetooth link).

This account is a reminder of the importance of good IT hygiene. Two-factor authentication is certainly the best way to avoid problems, and it should be imposed on products such as those from Tesla (we are still talking about cars that cost several thousand euros, not to mention the road-safety aspect and access to billing data). In the past, we have seen companies operating in markets less sensitive than Tesla's strongly encourage two-factor authentication (example: the Epic Games Store).

This hacking of Tesla cars is also reminiscent of a news item involving a Ring camera, marketed by Amazon. In 2019, the device was hijacked to talk to a child. Here again, the multinational did not impose two-factor authentication and blamed the parents. "Unfortunately, when the same username and password are reused across multiple services, malicious individuals may have access to multiple accounts," it explained.

How to activate two-factor authentication on the Tesla app?

To configure two-factor authentication, you must:

  • Download a third-party authentication application (example: Google Authenticator);
  • Log in to your Tesla account and press ‘Profile settings’;
  • Press ‘Manage’ in ‘Multifactor authentication’;
  • Follow the instructions (several options possible: verification code displayed on the application, QR Code, security key);
  • Enter the verification code on the website;
  • Check that you have received a confirmation email.




