There is no doubt that Tesla has driven the move towards electric vehicles, with Elon Musk firmly behind the wheel. I'm not your resident motoring expert, so it should come as no surprise that my interest rests more with the security side of EV ownership. Tesla has had a good track record on this front, with the various models being pretty hard to steal, and harder to hack.
Not impossible, mind, as McAfee hackers showed when they fooled two Tesla vehicles into thinking a 35 miles per hour speed restriction was an 85 miles per hour one. That, however, isn't the kind of "hacking" I'm talking about: I'm more interested in the stuff a typically clued-up 21st-century car thief would be looking at.
Again, Tesla has not been immune here, as was the case a couple of years ago when it was found that hackers could steal a Model S by cloning the key fob. Although that route to Tesla theft was supposedly shut off at the time, it turned out that vulnerabilities remained with the encryption used in the "fixed" key fobs.
These were fixed in 2019 when, as I wrote at the time, Tesla told me that "nothing can prevent against all vehicle thefts," but "Tesla has deployed several security enhancements such as PIN to drive that makes them less likely to occur."
One security enhancement, however, has been noticeably absent, and now Elon Musk has put his hands up and apologized for it being "embarrassingly late," as a TechCrunch report points out.
Bringing enhanced Tesla app security to the vehicle protection party
So, what is the security upgrade that could make a Tesla harder to hack, and which is so late to the vehicle theft-protection party? Perhaps surprisingly, the answer is two-factor authentication, or 2FA for short.
When prodded on Twitter by someone asking when 2FA would be coming to the Tesla app, Musk responded by tweeting: "Sorry, this is embarrassingly late. Two-factor authentication via SMS or authenticator app is going through final validation right now." And late is right, seeing as Musk has been promising 2FA for the app for more than a year now.
Why is this important? Well, good security comes in layers, and one of the best layers you can add to any application, site, or service is 2FA because it protects users against hackers who have compromised username and password credentials. Many people use weak passwords, or share logins across services and leave themselves open to credential stuffing attacks if just one service is breached.
Even if a cybercriminal had your username and password, they would still need to enter an authentication code if 2FA is added to the mix. Without that code, either provided by an authenticator app, hardware key, or text message, the login will still fail.
The type of 2FA is key to Tesla anti-hacking
Given that the Tesla app can be used as a key for some models, amongst other things, the lack of 2FA is a fairly severe failing in my never humble opinion. And, sadly, it's not all good news despite that Elon Musk tweet.
The key, if you'll excuse the pun, is where Musk says that 2FA is coming "via SMS or authenticator app." Unfortunately, 2FA by SMS is a notoriously weak method of delivering authentication codes and really should be avoided. Equally interesting is that Musk made no mention of the use of a hardware key for authentication.
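As an added illustration (not code from Tesla or from the original article), the sketch below shows the login check described earlier, where a stolen username and password fail without the second factor. It assumes the RFC 6238 TOTP scheme that authenticator apps commonly implement, in which the code is computed on the device from a shared secret instead of being delivered by text message. The account, password, salt and secret are constructed sample values, and `login` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, at, digits=6):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", max(int(at), 0) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account. The secret is the RFC 6238 test key.
SALT = b"constructed-salt"
USERS = {
    "driver@example.com": {
        "pw_hash": hash_pw("correct horse", SALT),
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}

def login(email, password, code, now, window=1):
    """Both factors must pass; `window` tolerates clock drift in steps."""
    user = USERS.get(email)
    if user is None:
        return False
    if not hmac.compare_digest(hash_pw(password, SALT), user["pw_hash"]):
        return False  # first factor failed
    supplied = (code or "").encode()
    return any(
        hmac.compare_digest(totp(user["totp_secret"], now + d * STEP).encode(), supplied)
        for d in range(-window, window + 1)
    )

if __name__ == "__main__":
    creds = ("driver@example.com", "correct horse")
    print(login(*creds, code="", now=59))        # stolen password only
    print(login(*creds, code="287082", now=59))  # password plus current code
```
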
I have reached out to Tesla and will update this article as soon as I have any clarification regarding this.