Is the Tesla Model S vulnerable to hackers? Say it isn’t so.
The bond I make with my Tesla Model S each and everyday is one that only another Model S owner can relate to …. well, let me rephrase that – not so much a metaphysical bond, but rather a bits and bytes type of bond derived from having API (wiki) access directly with the Model S.
The freedom of having direct access to the life functions of your Model S through an API, whether it’s checking on battery state, changing your climate control settings, unlocking/locking your doors, and even tracking real-time GPS coordinates of the vehicle has given life to a flourishing community of programmers looking to build the next coolest app (GlassTesla, Tesla Model S REST API, the official Tesla Motors App) for your Model S. However, this convenience doesn’t come at a cost – at least that’s what George Reese thinks.
George, a Model S owner and Director of Cloud Management at Dell, outlines some potential security flaws in the Tesla REST API that could potentially be a playground for a any skilled hacker. George states in his article within the O’Reilly Community,
“The authentication protocol in the Tesla REST API is flawed. Worse, it’s flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.”
George continues to point out various vectors of attack, while noting that the true effect on any potential attack will be felt on an economical level – such as maliciously forcing a battery to be used more often than it should hence shortening the life of the battery.
Being Model S owners ourselves, we’re not sure what to make of this other than the fact that we’ll be making an outlandish cry slash ridiculous yodel for help if Tesla Motors decides to one day shut its doors on this flourishing community of app developers! Instead, please button up the security on your API.