According to a report by Reuters [ http://www.reuters.com/article... ], Dhanjani said that Users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account.
The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions. The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account.
An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts.
Attackers could try to gain access to the password from the user's computer via password-stealing viruses, or gain access to other accounts that might use the same password.
"It's a big issue where a $100,000 car should be relying on a six-character static password," he said.
Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission.
In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by 3rd parties without Tesla's permission causing Tesla owners' credentials to be sent to the 3rd parties who could misuse this to locate and unlock cars.