Tesla Motors Inc (NASDAQ:TSLA) its Model S sedan has been named the best car of 2013, and Consumer Reports says it’s the safest car on the road. But security experts have identified a serious security flaw in the vehicle that makes it vulnerable to hacking. A new research found that hackers can locate and unlock a Model S remotely by cracking a six-character password. And the password can be cracked even with simple traditional techniques.

Tesla Motors

Tesla needs to fix it

Corporate security consultant, author and Tesla Model S owner Nitesh Dhanjani revealed the findings during a presentation at the Black Hat Asia security conference in Singapore. He studied Tesla Motors Inc (NASDAQ:TSLA)’s Model S and found multiple design flaws in its security system. Dhanjani said that he has communicated his findings with Tesla. Last year, Dell Inc executive George Reese also said that the Model S is vulnerable to hacking.

Tesla Motors Inc (NASDAQ:TSLA)’s Model S can only be driven when a key fob is present. But hackers can unlock the vehicle and steal the contents via an online command to the car if they can crack the password. When a customer places an order for a new Model S, he is required to set up an account with a six-character password. Users can access their account through an Android or iOS app to perform minor tasks and check the vehicle’s status. The freely available app requires the six-character password, and can remotely locate and unlock the electric vehicle. It can also monitor other functions.

Tesla support staff can also gain access to cars remotely

Dhanjani said the password can be hacked through the same methods used to gain access to any other online account. Attackers can eventually guess the password through Tesla Motors Inc (NASDAQ:TSLA) website, which doesn’t restrict the number of incorrect login attempts. Hackers can also gain access to the password from the Model S owner’s computer using password-stealing viruses. He said it’s a serious issue when a $100,000 car relies on a six-character password.

Dhanjani also found evidence that Tesla Motors Inc (NASDAQ:TSLA) support staff can unlock the vehicles remotely. That leaves Model S owners vulnerable to attackers (even support staff) impersonating them. It also raises a serious question about staff having the power to locate and unlock any Tesla vehicle even without the owner’s permission or knowledge.

Tesla Motors Inc (NASDAQ:TSLA) shares inched up 1.23% to $214.98 in pre-market trading Monday.