The remote access REST API for the Tesla Model S has security vulnerabilities, according to George Reese, a top Dell Engineer and a Tesla Model S owner. The vulnerabilities would allow an attacker to cause mischief and some forms of damage, but nothing outright dangerous such as forcing a car accident.
Because the Tesla Model S, like many modern cars, is connected to the Internet and Tesla uses that connection to implement remote access and monitoring of the Model S, a door is opened to a whole new realm of considerations. Are cars like the Model S vulnerable to hackers? And what are the automakers going to do about any such vulnerability?
A "REST API" is a common technique for implementing Internet services, routinely used on websites and technological widgets around the world. Essentially such an API allows one computer to make requests of another computer, to retrieve data or perform an action.
Tesla's purpose in exposing this API is worthy, because it allows third-party application developers to access data about a Model S. The API lets an application read data from the car, such as the state of charge in the battery pack, GPS coordinates, and so forth. The API also lets an application change some things, like honk the horn, change the climate control settings, or change other settings in the car.
Any car that supports remote access, such as from a smart phone application, implements an over-the-Internet API of some kind. The bigger question is whether other car makers are being careful in designing their remote access API, and how much damage a hacker could cause when exploiting such an API.
Reese made his claims in a posting on a blog hosted by O'Reilly and Associates, a book publisher for whom he has written several books, including ones on REST API design. The problem he raises is the method Tesla uses to authenticate an application. The industry-standard authentication system is OAuth, which is implemented by websites all over the planet. Tesla did not use that system and instead implemented a home-grown authentication system that, according to Reese, is flawed.
Tesla's system has several bad practices that create vulnerabilities which can be exploited by attackers. No known attack has been launched against the Model S; Reese is simply noting the potential for an attack.
A troubling point Reese raises is that if an attacker gained access to Tesla's computers, they could possibly steal authentication data for all Tesla customers and then launch a mass attack against all Model S's.
Fortunately, most of the API functions are fairly benign, making the potential damage limited. The API does support unlocking the doors, and the car's GPS coordinates and speed can be read.
Source: George Reese