Forums

HeartBleed: When should we change our passwords?

HeartBleed: When should we change our passwords?

Yesterday, a really nasty security vulnerability that affects pretty much the whole Internet was published called HeartBleed: http://heartbleed.com

Interestingly, the Tesla login page went down yesterday. Hopefully to patch the problem. I sent a message to Ownership and I'm awaiting a response.

Has anybody heard anything from Tesla about this?

In the end, everybody needs to change their passwords, but only after the problem is fixed.

BTW... I'm not the alarmist type, but this affects most websites using HTTPS. Including banks, webmail, etc.... Please be vigilant and change your passwords as websites are fixed.

Tesla Ownership | 15 avril 2014

Over the past week, there has been lots of online news regarding a security vulnerability within versions of OpenSSL, known as the Heartbleed Bug. After a comprehensive review of our services by our dedicated team of information security professionals, we would like to report that we have not found any evidence of compromised exposure to the OpenSSL vulnerability and that our systems, including our website and vehicle related resources, are not using a version vulnerable to the Heartbleed Bug. Your account details remain secure. Regardless, we recommend that our customers change their passwords as an added precaution.

Whether it’s developing the car that has the highest safety rating or doing everything in our power to protect our customers against online incursions, security is Tesla’s top priority. Our dedicated team of best-in-class information security professionals protect our products and systems from vulnerabilities on an ongoing basis, and we continue to work with security researchers around the world who are incentivized to report any potential issues. To offer customers an extra level of confidence, two weeks ago, we updated our minimum password requirements from six to eight characters, and we encourage the use of passwords that are considerably stronger. We have also implemented a password lockout feature that requires MyTesla account holders to reset their passwords via our website after five failed login attempts.

We have taken these steps because we consider the security of the website and mobile application of paramount importance. Just as we encourage customers to protect their MyTesla credentials with the same care they would dedicate to any of their other accounts (online or otherwise) with sensitive information, we are committed to doing what we can to ensure the maximum level of protection. It’s also important to note that, in case customers remain concerned about general online or mobile app security, we have given Model S owners the option of disabling mobile access through the Controls menu on the car’s touchscreen.

We strongly encourage anyone to report security issues on any of Tesla’s products via the Responsible Reporting process on our website: https://www.teslamotors.com/about/legal#security-vulnerability-reporting....
Through that process, we offer a range of rewards to security researchers who report valid issues to help us bolster online security and further protect our products.

PorfirioR | 15 avril 2014

Thanks Tesla.

As a general tip, if anyone would like to check if any site is vulnerable, there are a number of Internet sites that can help. Here is one: http://www.digicert.com/help/
Don't forget to check the "Check for Heartbleed Vulnerability" box before running the test.

After a site (i.e. your bank) passes that check, you should change your password.

Also, some sites are automatically resetting all their users' passwords as soon as they discover they were vulnerable. That's probably not a bad approach since there are likely many users who will never change their potentially-compromised passwords after the site is patched.

GeekEV | 15 avril 2014

CNET has a great, simple write up of what you need to know about this general vulnerability and what you should do about it:

http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/

For the technically minded, XKCD has a great comic explaining how this vulnerability is exploited:

http://xkcd.com/1354/

;-)