Researchers warn of internet security risks connected to Tesla Backup Gateway

Hundreds of Tesla gateway systems have been found, exposed and open, online.
Written by Charlie Osborne, Contributing Writer

Researchers have outlined weak security points in Tesla Backup Gateway and the ways in which they can be exploited. 

On Tuesday, Rapid7 described the security risks associated with connecting Tesla Backup Gateway to the internet; in particular, ways that open connections can be used to violate user privacy and security. 

Tesla Backup Gateway (.PDF) is a platform designed by the automaker for managing solar and battery/Powerwall installations. The system is able to connect directly to the grid, monitor outages, and gives users the option to watch and control energy reserves via a connected mobile application. Connections can be established via wifi, Ethernet cable, or mobile. 

In order to access the gateway, users connect to the software's wifi network, enter its serial number -- which acts as a password -- and access Tesla Backup Gateway from an internet browser. Each gateway uses a self-signed SSL certificate.

The first time a user logs in, their email and a password -- the last five digits of the gateway password -- are used. 

See also: Tesla's April Fool joke turns into $250 tequila reality, sells out in hours

According to Rapid7 and past research conducted by Vince Loschiavo, the risk with this practice is that weak credentials can be exploited. 

At worst, five digits for first-time logins result in 60.4 million password combinations and the team says there does not appear to be restrictions in place to stop brute-force attempts. However, there are ways to circumvent the challenge of trying out millions of combinations, as a simple drive-by to record the wifi access point can reduce this volume. 

The access point SSID uses the last three characters of the serial number, leaving only two to guess. 

Rapid7 also notes that many counties publish household Tesla Solar and Powerwall install permits online, giving attackers direction toward potential targets. 

When the gateway is connected to a local area network, its hostname is broadcast using the full serial number. 

CNET: Rules for strong passwords don't work, researchers find. Here's what does

A number of Tesla Backup Gateway installations have also been found, open and available on the internet. The researchers have documented 379 exposed installations since January in the US and Europe, some of which are commercial-grade Tesla Powerpacks

The platform includes APIs documenting power usage, draw, and some ownership information -- but there are also hidden APIs that can be leveraged for additional statistics.

"In theory, the voltage, cycle, and other settings of the energy managed by the Backup Gateway, and the batteries connected to it are configurable," Rapid7 says. "It may be possible to do damage to a battery, or even the electrical grid, if these settings could be tampered with. Though placing a Tesla Backup Gateway or Tesla Powerpack on the internet may be tempting, we should remember that the internet is noisy by nature, with lots of unsolicited traffic being passed through various ports on a regular basis."

TechRepublic: Hackers for hire target victims with cyber espionage campaign

Rapid7 reached out to Tesla prior to publication and the company said that upcoming security updates will feature hardening and mitigation of the issues mentioned. 

Furthermore, Tesla said, "predictable installer passwords have been fixed for some time on newly-commissioned Backup Gateway V1 devices, but some previously commissioned devices still had them, and all online Backup Gateway V1 devices have had their installer passwords randomized." Backup Gateway V2 devices also now come with randomized passwords. 

ZDNet has reached out to Tesla and will update when we hear back. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards