With Elon Musk firmly behind the wheel, there’s no question that Tesla has accelerated the transition towards battery electric vehicles. On the security front, Tesla has a strong track record, with the various models being hard to steal, and harder to hack.
Not impossible, as McAfee hackers showed when they tricked two Tesla vehicles into believing a speed limit of 35 miles per hour was one of 85 miles per hour.
A few years ago, hackers were able to steal a Model S by copying the key fob. While at the time the route to Tesla theft was ostensibly shut down, it turned out vulnerabilities existed with the encryption used in the “fixed” key fobs.
These were resolved in 2019 because Tesla assured that “nothing can prevent against all vehicle thefts,” but “Tesla has deployed several security enhancements such as PIN to drive that makes them less likely to occur.”
Nonetheless, one security upgrade was notably lacking, and now, as a TechCrunch article points out, Elon Musk has apologized for it being “embarrassingly late.”
Bringing enhanced Tesla app security to the vehicle protection party
So, what is the security update that might make it harder for a Tesla to hack, and which is too late for the theft-protection party? Perhaps surprisingly, in short, the solution is two-factor authentication, or 2FA.
When prodded on Twitter by someone asking when 2FA will be coming to the Tesla app, Musk replied by tweeting: “Sorry, this is embarrassingly late. Two-factor authentication via SMS or authenticator app is going through final validation right now.” And late is right, seeing as Musk has been promising 2FA for the app for over a year now.
Why does it matter? Good protection comes in layers, and one of the best layers you can apply to any program, site, or service is 2FA because it protects users from hackers who have stolen login credentials and passwords. Many people use weak passwords or share site-wide logins and leave themselves vulnerable to credential stuffing attacks if only one site is compromised.
Even if a cybercriminal has your username and password, if 2FA is added to the mix they will still need to enter an authentication code. Without that code, the authentication will always fail, either given by an authenticator app, hardware key or text message.
The type of 2FA is key to Tesla anti-hacking
Because the Tesla app can be used as a key for certain models, among other items, the lack of 2FA is a relatively serious failure. And, unfortunately, given Elon Musk’s tweet, it’s not all good news.
Where Musk says 2FA is coming “via SMS or authenticator app.” Sadly, SMS 2FA is a notoriously poor way to send authentication codes and should be avoided. Equally significant is that Musk made no mention of authentication using a hardware key.
Reported by Forbes.
Want to buy a Tesla Model 3, Model Y, Model S, or Model X? Feel free to use my referral code to get some free Supercharging miles with your purchase: http://ts.la/guanyu3423
You can also get a $100 discount on Tesla Solar with that code. No pressure.