Next time you walk by a parked Tesla and its sunroof is opening and closing with nobody sitting inside or around it, you could be witnessing a hacker moment. For all of its strengths as a car, the Model S reportedly has a weak spot: the security of its API (application programming interface) authentication, according to an article in the O'Reilly Community by George Reese, executive director of cloud management at Dell. Tesla develops and uses its own API authentication protocols, which have made access to certain Model S functions too easy for hackers, Reese says - himself a Model S owner.
At question is the Tesla REST API, which is accessed via a web-based portal, usually by Model S owners with their iPhone or Android-based smartphone, to perform a variety of menial tasks and check the status of the car. The Tesla-registered e-mail and password of the car owner is used to access the API through a web portal, which creates a "token" that lasts for three months. During that period, owners access the Tesla REST API via the token without the use of their log-in information. Unfortunately, the tokens and their respective cars are stored on website databases that are all too easy to hack, Reese explains, and if a hacker gains access, "it has free access to all of that site's cars for up to three months with no ability for the owners to do anything about it." On top of that, there is no way to revoke access of a compromised application.
Reese says that "there's nothing in the API that (can? should?) result in an accident if someone malicious were to gain access." The API can check the car's battery charge, operate climate control, operate the sunroof, identify car location, honk the horn, open the charge port, and perform other similar operations. But, he cautions, "Perhaps the scariest bit is that the API could be used to track your every move."
At least it's not a major hack-attack like that experienced by a Forbes reporter in a Prius. Now that's scary!