Require two-factor authentication when accessing the Tesla app.
The login to Tesla’s website and their app gives a lot of control of the car, things like disabling the alarm system, activate the car, unlock doors, open the trunk, and frunk and bypass security PIN to drive the car, and track the car at any moment.
Unfortunately, the login security is minimal. Making it very easy to be hacked/hijacked, giving full control to every Tesla vehicle of a certain owner.
Few methods to steal this name and password are:
* Social Engineering
* Emails that lead people to enter their username and password to compromised websites
* Apps that promise features about the car, but steal the credentials
* Fake Tesla WIFI close to Superchargers as demonstrated in this video: youtu.be/bA7KM51ie28
To reduce the risk of the users, Tesla should add 2FA (Two Factors Authentication), U2F (Universal Two Factors), and/or MFA (Multiple Factors Authentication). Those methods have already many open-source that can be used for simpler implementation.
The 2FA can be using a token compatible with many apps, like Google Authentication, 1Password, and many others, by SMS, and/or email.
The U2F is to uses biometric or token hardware integration, like TouchID, FaceID, and others, not only to open the app but also to sign the login communication.
MFA is the possibility of using multiple factors at the same time, like requiring the token and clicking an email link before allowing the App login.
Once the user is logged in, there is no need to request this every time the app is open or the website is open on a trusted computer. However if a hacker attempt to steal the credentials, it will be fairly hard or maybe impossible for him to get a successful connection to accounts that have one or more safety features enabled.
Moderator: Seems to be a solution looking for a problem. Unaware of this ever being a real issue, although theoretically possible. Could be of value to those who don’t have good control of their phone and are unwilling to lock it. The app does have an option for fingerprint authentication.