2012 Tesla Model S

Next time you walk by a parked Tesla and its sunroof is opening and closing with nobody sitting inside or around it, you could be witnessing a hacker moment. For all of its strengths as a car, the Model S reportedly has a weak spot: the security of its API (application programming interface) authentication, according to an article in the O'Reilly Community by George Reese, executive director of cloud management at Dell. Tesla develops and uses its own API authentication protocols, which have made access to certain Model S functions too easy for hackers, says Reese, himself a Model S owner.

At issue is the Tesla REST API, which is accessed via a web-based portal, usually by Model S owners with their iPhone or Android-based smartphone, to perform a variety of menial tasks and check the status of the car. The car owner's Tesla-registered e-mail and password are used to access the API through a web portal, which creates a "token" that lasts for three months. During that period, owners access the Tesla REST API via the token without the use of their log-in information. Unfortunately, the tokens and their respective cars are stored on website databases that are all too easy to hack, Reese explains, and if a hacker gains access, "it has free access to all of that site's cars for up to three months with no ability for the owners to do anything about it." On top of that, there is no way to revoke the access of a compromised application.
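The controls the paragraph above describes as missing, as an added sketch that is not from the article, Reese's post, or Tesla's code: owner-initiated revocation per application, with shorter token lifetimes and per-operation scopes as assumed hardening. `TokenRegistry`, the application names, the scope names and the one-hour lifetime are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass

NINETY_DAYS = 90 * 24 * 3600   # the three-month token lifetime the article describes
ONE_HOUR = 3600                # assumed shorter default for the hardened variant

@dataclass
class Grant:
    owner: str
    app: str            # which application was handed the token
    scopes: frozenset   # operations this token may perform
    expires_at: float
    revoked: bool = False

class TokenRegistry:
    """Hypothetical API-side token store (illustration only)."""
    def __init__(self):
        self._grants = {}  # sha256(token) -> Grant; raw tokens are never stored here

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner, app, scopes, now, ttl=ONE_HOUR):
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(owner, app, frozenset(scopes), now + ttl)
        return token

    def revoke_app(self, owner, app):
        """Owner cuts off every token held by one application; returns the count."""
        hits = [g for g in self._grants.values() if g.owner == owner and g.app == app]
        for g in hits:
            g.revoked = True
        return len(hits)

    def allowed(self, token, scope, now):
        g = self._grants.get(self._digest(token))
        return bool(g and not g.revoked and now < g.expires_at and scope in g.scopes)

def demo():
    reg, t0 = TokenRegistry(), 1_000_000.0   # constructed timestamps and accounts
    legacy = reg.issue("owner@example.com", "third-party-site", {"location", "sunroof"}, t0, ttl=NINETY_DAYS)
    scoped = reg.issue("owner@example.com", "charge-widget", {"charge_state"}, t0)
    day60 = t0 + 60 * 24 * 3600
    before = reg.allowed(legacy, "location", day60)   # long-lived token still tracks the car
    reg.revoke_app("owner@example.com", "third-party-site")
    return before, reg.allowed(legacy, "location", day60), reg.allowed(scoped, "location", t0 + 60), reg.allowed(scoped, "charge_state", day60)
```

`demo()` contrasts a 90-day, broadly scoped token before and after the owner revokes the application that holds it, next to a one-hour token limited to a single operation.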

Reese says that "there's nothing in the API that (can? should?) result in an accident if someone malicious were to gain access." The API can check the car's battery charge, operate climate control, operate the sunroof, identify car location, honk the horn, open the charge port, and perform other similar operations. But, he cautions, "Perhaps the scariest bit is that the API could be used to track your every move."

At least it's not a major hack-attack like that experienced by a Forbes reporter in a Prius. Now that's scary!


  • 51 Comments
      bluepongo1
      • 1 Year Ago
      AB *facepalm*
      rstonnerdd
      • 1 Year Ago
      The microchip giveth and the hacker taketh away. If you ask your car to do something through your smartphone, I would wager a lifetime of oil changes that there is some 12 year old kid trying to hack into it, just to see if he can do it. Nobody ever hacked into my 2004 Camry from my key fob. And even if they did, they would have a 9 year old car with 225,000 miles on it.
      EZEE
      • 1 Year Ago
      Any idea if a single tesla has been hacked? If there has not been a single tesla hacked, then this looks like the creation of a 'crisis' by people wanting publicity and Internet clicks. I am reminded of a Simpsons episode where a hurricane was approaching. The news casts 'goes to' the 'Deathclock' to see how many people have died. The numbers are spinning, but end up at zero. When they read 'zero' the announcer says, 'it's zero, but we expect it to start heading up really soon!' In an excited voice....
      John
      • 1 Year Ago
      Well, I don't drive a Tesla so I don't have to worry about a hacker disabling the brakes and speeding the car, but electric cars like the Teslas still are better than gas powered autos. We are almost slaves to the Middle East. They can raise the price of oil and gas at the pump and make life worse for everyone. The more hybrids and electric vehicles, the better for energy independence.
      Koenigsegg
      • 1 Year Ago
      Any car with electronics can be hacked; how is this news?
      2 wheeled menace
      • 1 Year Ago
      By this definition, even this site is vulnerable to those hack attacks, and so is pretty much every major site on the net that stores passwords and remembers logins. Good job trying to smear and single out green cars though.
        Letstakeawalk
        • 1 Year Ago
        @2 wheeled menace
        A Tesla owner identifying and addressing a potential problem can hardly be described as a "smear".
          brotherkenny4
          • 1 Year Ago
          @Letstakeawalk
          Headline is "Tesla Model S vulnerable to hackers". Not APIs vulnerable to hackers, not many cars and sites vulnerable to hackers. So, while the content may explain more, the headline is intended to sensationalize and take advantage of the interest both negative and positive in the Tesla S. Ask yourself this, what other cars are vulnerable to hackers, and why weren't these used as examples? The answer simply is because they are not Teslas. So, it is clearly a weak attempt to connect Tesla with some problem.
        2 wheeled menace
        • 1 Year Ago
        @2 wheeled menace
        Hundreds of thousands of production cars would be "vulnerable" too, by this definition. So would facebook, twitter, aol, flickr, etc etc etc. So more accurately, they could say 'most of the internet and most cars vulnerable to hackers?' as the headline and still be accurate.
        2 wheeled menace
        • 1 Year Ago
        @2 wheeled menace
        The article even ends with: "This is NOT about Tesla in the end. It's about how we should be approaching API design in a world in which everything has an API."
          Letstakeawalk
          • 1 Year Ago
          @2 wheeled menace
          So, it's obviously not a smear, nor does it single out green cars - as you suggested. It's about APIs in general.
          Letstakeawalk
          • 1 Year Ago
          @2 wheeled menace
          Read my reply above. The man identified a problem with his Tesla, a problem that isn't uncommon in the larger world. He merely suggests that Tesla should make an improvement. He's not bashing Tesla, in the least.
          2 wheeled menace
          • 1 Year Ago
          @2 wheeled menace
          Read the original blog post, to the end. Then read the summary here on ABG.
      CoolWaters
      • 1 Year Ago
      "At least it's not a major hack-attack like that experienced by a Forbes reporter in a Prius" Forbes, the Fox "News" of business investment.
      CoolWaters
      • 1 Year Ago
      It'd be scary if it came from a source other than Forbes. This is another Wall Street Attack on TESLA Stock. Tesla stock short interest: http://shortsqueeze.com/?symbol=tsla&submit=Short+Quote%99 Propaganda is as American as Apple Pie.
      Weapon
      • 1 Year Ago
      The API is not vulnerable to hackers. The API is not an official API. It has been reverse engineered from the android/ios apps. That means that there is no reason why 3rd parties should be using the API unless you trust the 3rd party with your password. In the future, there will be an official API. But there is no vulnerability, this API was not intended for use by 3rd parties to begin with.
        Rotation
        • 1 Year Ago
        @Weapon
        That doesn't make sense. Just hiding the API means someone can take apart the app and discover the API and then abuse it. If you design the API and security properly, then hackers can't abuse the API even if they know of it.
      Puck
      • 1 Year Ago
      It won't make much sense nicking this car anyway
        kontroll
        • 1 Year Ago
        @Puck
        you know why, right?! it will be located and identified almost immediately and your a$$ will be caught within 5 minutes. Besides, nobody will be able to start the car without the "minitesla"
          Puck
          • 1 Year Ago
          @kontroll
          Yes, very much so, besides, starting to deal with Tesla S spare parts won't make you look very innocent.
      Kareem Sultan
      • 1 Year Ago
      This article makes one big assumption and just glosses over it like it's a fact. The website "can be all too easily hacked"? How so? The big assumption here is that somebody can gain access to Tesla's database and there's no explanation of how this is easy. This article is true of any website with a login. If you can access the database, you can get enough info to fake being a user. I hope the author explains this "all too easily" remark.
      breitling65
      • 1 Year Ago
      How this car battery will behave if you will get into 2-3 of traffic while very hot and you need AC? Or very cold and you need heat?