App Authentication Flaw Creates Tesla Motors Hack Concern. Your Tesla can spy on you and drive you off the road on command.
While Elon Musk has admitted to the New York Times that he can spy on any Tesla at any time, personally, the story gets worse:
The Tesla Model S is such an advanced automobile it even comes with its own mobile authentication vulnerability.
According to George Reese, Senior Distinguished Engineer and Executive Director of Cloud Computing at Dell, there’s a flaw in the REST API used in Android and iPhone apps that connect to the car. While he stresses one cannot crash the car with this, one could cause excess electrical usage and force excess wear on batteries.
(ED. At the DEFCON hacker conference, though, other hackers demonstrated a system to take over the GPS which could be used to crash the car by suddenly turn inputs or cruise control bursts. To be safe, have your GPS and all transceiver chips removed from the car.)
He notes that “[a]uthentication happens when you call the /login action with the email address and password of the Tesla customer. This is the same email address and password used to log in to www.teslamotors.com. Every customer has one because this web site is where the customer builds their car.” He then cites five vulnerabilities: “It requires the sharing of the user’s password with third-parties (major); no mechanism exists for cataloging applications with active tokens (significant); Only an inconsistent blunt-force mechanism exists for revoking access to a compromised application (moderate); No mechanism exists for revoking the access of a compromised application (major); The automated expiration of tokens in 3 months encourages applications to improperly store your email and password (significant).
By Robert Vamosi
In another Tesla failure, the doors of the car can be electronically hacked to not only lock you out of your car but LOCK YOU IN YOUR CAR. There are a number of published complaints online about the ongoing lock-in of Tesla owners.
K.G. – Dallas