Hackers can honk the horn, track the car's location, and control various other functions

Aug 28, 2013 08:02 GMT

George Reese, a senior distinguished engineer and executive director of Cloud Computing at Dell, reports that several functions of Tesla Model S electric cars can be hijacked by cybercriminals via an authentication flaw in the REST API.

The API allows car owners to perform various tasks via their mobile devices. These tasks include honking the horn, opening the charge port, checking battery state, locating the vehicle, and controlling the climate control and panoramic sunroof.

The problem, according to Reese, is that the Tesla REST API relies on a flawed authentication protocol.

Users create an account on teslamotors.com to build their car. When they log in to their accounts, an authentication token that’s valid for three months is created.

Anyone who gains access to the login credentials or the authentication tokens can control the aforementioned functions of the car remotely.
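The three-month token lifetime is the core of the flaw described above. As an added illustration, not Tesla's code and not from Reese's write-up, the following Python models a signed bearer token and measures how long a stolen three-month token keeps working compared with a short-lived one that is also invalidated when the owner changes credentials (the 15-minute lifetime, the per-user generation counter and the signing key are assumptions):

```python
import hmac, hashlib

# Constructed illustration: a minimal signed bearer token, used to contrast a
# three-month static token with a short-lived one that can also be revoked.
SECRET = b"demo-signing-key"        # placeholder; a real service uses a managed key
LONG_TTL = 90 * 24 * 3600           # the three-month lifetime the article describes
SHORT_TTL = 15 * 60                 # assumed hardened lifetime: 15 minutes

def issue_token(user, ttl, now, gen):
    """Return 'user|generation|expiry|mac' signed with SECRET."""
    body = f"{user}|{gen}|{now + ttl}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

class TokenValidator:
    def __init__(self):
        # Per-user credential generation: bumped on password change or sign-out,
        # which invalidates every token issued under the older generation.
        self.generation = {}
    def current_gen(self, user):
        return self.generation.get(user, 0)
    def revoke_all(self, user):
        self.generation[user] = self.current_gen(user) + 1
    def is_valid(self, token, now):
        try:
            user, gen, exp, mac = token.split("|")
        except ValueError:
            return False            # malformed token
        body = f"{user}|{gen}|{exp}"
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False            # forged or tampered token
        if now >= int(exp):
            return False            # expired
        return int(gen) == self.current_gen(user)   # revoked by credential change

def stolen_token_hits(validator, user, ttl, leaked_at, check_times):
    """How many of check_times a token issued (and stolen) at leaked_at still passes."""
    tok = issue_token(user, ttl, leaked_at, validator.current_gen(user))
    return sum(validator.is_valid(tok, t) for t in check_times)

def demo():
    v, user, t0 = TokenValidator(), "owner@example.com", 1_700_000_000
    daily = [t0 + d * 86400 for d in range(1, 90)]      # one check per day for ~3 months
    long_hits = stolen_token_hits(v, user, LONG_TTL, t0, daily)    # 89: usable all quarter
    short_hits = stolen_token_hits(v, user, SHORT_TTL, t0, daily)  # 0: dead within an hour
    tok = issue_token(user, LONG_TTL, t0, v.current_gen(user))
    before = v.is_valid(tok, t0 + 86400)                # True
    v.revoke_all(user)                                  # owner changes password
    after = v.is_valid(tok, t0 + 86400)                 # False
    return long_hits, short_hits, before, after
```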

The expert highlights that the attack can’t be used to take control of the vehicle and cause an accident. Instead, the damage is more of an economic nature.

“I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving,” Reese noted.

In addition, the vulnerability can be leveraged to track the car owner’s every move.

The expert explained, “The core issue, however, isn’t how bad an attack could be as a result of these specific flaws. Instead, I’m commenting on the larger picture of the Internet of Things in which everything has an API and everything needs to be secured reasonably.”