At question is the Tesla REST API, which is accessed via a web-based portal, usually by Model S owners with their iPhone or Android-based smartphone, to perform a variety of menial tasks and check the status of the car. The Tesla-registered e-mail and password of the car owner is used to access the API through a web portal, which creates a "token" that lasts for three months. During that period, owners access the Tesla REST API via the token without the use of their log-in information. Unfortunately, the tokens and their respective cars are stored on website databases that are all too easy to hack, Reese explains, and if a hacker gains access, "it has free access to all of that site's cars for up to three months with no ability for the owners to do anything about it." On top of that, there is no way to revoke access of a compromised application.
Reese says that "there's nothing in the API that (can? should?) result in an accident if someone malicious were to gain access." The API can check the car's battery charge, operate climate control, operate the sunroof, identify car location, honk the horn, open the charge port, and perform other similar operations. But, he cautions, "Perhaps the scariest bit is that the API could be used to track your every move."
At least it's not a major hack-attack like that experienced by a Forbes reporter in a Prius. Now that's scary!