Require two factor authentication when accessing the Tesla app.
The login to Tesla’s website and their app gives a lot of control of the car, things like disabling the alarm system, activating the car, unlocking the doors, opening the trunk and frunk, bypassing the security PIN to drive the car, and tracking the car at any moment.
Unfortunately, the login security is minimal, making it very easy to be hacked/hijacked, giving full control of every Tesla vehicle of a certain owner.
A few methods to steal this name and password are:
* Social Engineering
* Emails that lead people to enter their username and password on compromised websites
* Apps that promise features about the car, but steal the credentials
* Fake Tesla WiFi close to Superchargers, as demonstrated in this video: youtu.be/bA7KM51ie28
To reduce the risk to users, Tesla should add 2FA (Two-Factor Authentication), U2F (Universal Two Factor) and/or MFA (Multi-Factor Authentication). Those methods already have many open-source libraries that can be used for a simpler implementation.
The 2FA can use a token compatible with many apps, like Google Authenticator, 1Password and many others, by SMS, and/or email.
The U2F is to use biometric or hardware token integration, like TouchID, FaceID and others, not only to open the app but also to sign the login communication.
MFA is the possibility of using multiple factors at the same time, like requiring the token and clicking an email link before allowing the app login.
Once the user is logged in, there is no need to request this every time the app or the website is opened on a trusted computer. However, if a hacker attempts to steal the credentials, it will be fairly hard or maybe impossible for them to get a successful connection to accounts that have one or more safety features enabled.
Moderator: Seems to be a solution looking for a problem. Unaware of this ever being a real issue, although theoretically possible. Could be of value to those who don’t have good control of their phone and are unwilling to lock it. App does have an option for fingerprint authentication.
(lightly edited by moderator)