With so much software now going into cars, it is hardly surprising that they have become targets for hacking attempts, in the same way that remote attackers exploit a flaw in software to get in. This time it is the Tesla Model S that is potentially under threat. George Reese, Executive Director of Cloud Management at Dell, has outlined the problem with the Tesla REST API. In an article on the O’Reilly Community site, Reese explains that the API is reached through a portal from Android and iOS devices and can perform certain tasks on the vehicle as well as check its status.
However, this is where the flaw sits. “Authentication happens when you call the /login action with the email address and password of the Tesla customer. This is the same email address and password used to log in to www.teslamotors.com. Every customer has one because this web site is where the customer builds their car. The authentication action creates a "token" that is valid for 3 months. Any further requests use that token for validation. You don't use the email address/password again until the token expires in 3 months (assuming you store the token somewhere),” he says.
Most of the controls seen here can also be operated via the browser-based portal from Android and iOS smartphones.
Essentially, the tokens are stored in the databases of websites that offer services to Tesla owners, and if one of those databases is breached, whoever holds the tokens gains a limited degree of control over the vehicles. “As noted above, the impact of any of these very real attack vectors is pretty much economic. I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving. Perhaps the scariest bit is that the API could be used to track your every move,” he says, illustrating a possible compromise scenario.
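The token flow quoted above and the stolen-token scenario, modelled together as an added example (not Tesla's code and not from Reese's article): a /login-style issuer with the quoted 3-month lifetime, plus the server-side revocation that a defender would want and that the quoted design does not mention. The credential check, the user list, the dates and the breach timeline are all constructed.

```python
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(days=90)  # the 3-month token lifetime quoted in the article


class TokenService:
    """Toy model of a /login-style token issuer (an assumption, not Tesla's code)."""
    def __init__(self, now):
        self.now = now
        self.tokens = {}      # token -> (owner email, expiry time)
        self.revoked = set()  # server-side revocation list: the mitigation shown here

    def login(self, email, password, users):
        # Constructed credential check; a real service would compare password hashes.
        if users.get(email) != password:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (email, self.now + TOKEN_TTL)
        return token

    def validate(self, token, at):
        """Return the owner if the token is known, unexpired and not revoked."""
        if token in self.revoked:
            return None
        rec = self.tokens.get(token)
        if rec is None or at >= rec[1]:
            return None
        return rec[0]

    def revoke_all_for(self, email):
        """Invalidate every outstanding token for a user, e.g. on password change."""
        for tok, (owner, _) in self.tokens.items():
            if owner == email:
                self.revoked.add(tok)


def leaked_token_exposure(stolen_day, revoke_day=None):
    """Days a token copied from a third-party site's store stays usable.
    Constructed scenario: login on day 0, the site is breached on stolen_day;
    without revocation the token works until the 90-day expiry."""
    t0 = datetime(2013, 8, 1)
    svc = TokenService(t0)
    token = svc.login("owner@example.com", "hunter2", {"owner@example.com": "hunter2"})
    usable = 0
    for day in range(stolen_day, 120):
        if revoke_day is not None and day == revoke_day:
            svc.revoke_all_for("owner@example.com")
        if svc.validate(token, t0 + timedelta(days=day)) is not None:
            usable += 1
    return usable
```

Without revocation a token taken from a breached site on day 10 still works for 80 more days; with revocation on day 12 the window shrinks to 2 days.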
Source: O’Reilly Community