Tesla Motors Inc (NASDAQ:TSLA)’s Model S sedan has been praised as one of the best (by Consumer Reports) and safest vehicles on the road, but one executive at Dell Inc (NASDAQ:DELL) believes hackers could pose a threat to the vehicle. George Reese posted an article on the topic at the O’Reilly Community.
Tesla’s Model S uses an API
According to Reese, the threat lies in the application programming interface (or API) used by Tesla. The Tesla REST API is quite handy, enabling drivers to check the battery charge of their Model S, adjust the climate control and panoramic roof, honk the horn and more. “Identify where the hell you [sic] car is and what it’s doing” is also on his list, in those words exactly.
He said the threat posed by the API isn’t a matter of the vehicle being taken over by hackers and forced to crash. Instead, he said it’s more “economic damage” that drivers should be concerned about.
Reese said the authentication protocol used by Tesla Motors Inc (NASDAQ:TSLA)’s API is “flawed in a way that makes no sense.” He said the automaker wrote its own API authentication rather than following most of the conventions that exist around APIs. He said when Tesla customers create an account with their email address and password, a token is created, and that token is good for three months. Users don’t have to log in again until the token expires.
Without going into the details here, he highlights five areas of concern with the API, four of which he lists as either significant or major.
What hackers could do in Tesla’s API
Reese said if a hacker gains access to Tesla Motors Inc (NASDAQ:TSLA)’s API, he or she could theoretically cause the vehicle to use more electricity and force the batteries to wear more quickly than they should. He said hackers could even get access to all the authenticated tokens on a website, giving them free access to all of the vehicles on that site for up to three months “with no ability for the owners to do anything about it.”
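The exposure window described above can be modeled in a few lines. This is an added illustration, not code from Reese's article or from Tesla: the hypothetical `TokenService` compares a three-month token the owner cannot revoke with the same token under per-application revocation. All names, the 90-day reading of "three months" and the timeline are assumptions.

```python
import secrets
from datetime import datetime, timedelta

OWNER = "owner@example.com"  # constructed sample account

class TokenService:
    """Hypothetical token store for illustration; not Tesla's implementation."""

    def __init__(self, ttl, revocable):
        self.ttl = ttl                # how long an issued token stays valid
        self.revocable = revocable    # can the owner cut off one application?
        self._tokens = {}             # token -> (owner, client, expires_at)

    def issue(self, owner, client, now):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (owner, client, now + self.ttl)
        return token

    def is_valid(self, token, now):
        entry = self._tokens.get(token)
        return entry is not None and now < entry[2]

    def revoke_client(self, owner, client):
        """Drop every token one application holds for this owner."""
        if not self.revocable:
            return 0  # the situation Reese describes: the owner has no lever
        doomed = [t for t, (o, c, _) in self._tokens.items()
                  if (o, c) == (owner, client)]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

def leaked_token_window(service, leak_day, react_day, horizon=120):
    """Count the days a token stolen from a third-party site stays usable."""
    start = datetime(2024, 1, 1)  # constructed timeline
    token = service.issue(OWNER, "third-party-site", start)
    usable = 0
    for day in range(horizon):
        now = start + timedelta(days=day)
        if day == react_day:
            service.revoke_client(OWNER, "third-party-site")
        if day >= leak_day and service.is_valid(token, now):
            usable += 1
    return usable

if __name__ == "__main__":
    three_months = timedelta(days=90)  # assumption: "three months" as 90 days
    for label, revocable in (("no revocation", False), ("per-app revocation", True)):
        svc = TokenService(three_months, revocable)
        print(label, leaked_token_window(svc, leak_day=1, react_day=2), "days")
```

With the token leaked on day 1 and the owner reacting on day 2, the non-revocable token stays usable for the rest of its lifetime, while per-application revocation ends the exposure without affecting tokens held by other applications.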
In addition to the economic issues Reese names, like wearing down the battery of the Model S, he said the hacker could possibly even do things like open and close the sunroof or honk the vehicle’s horn while the driver is on the road. He said although none of this would directly cause an accident, it would be pretty distracting to a driver who doesn’t know what’s happening.
He says that the scariest thing is that hackers could track drivers using the API.
It’s not about Tesla
Reese owns a Model S sedan, and he said his concerns are not meant to be aimed at Tesla Motors Inc (NASDAQ:TSLA). He said it’s mostly about API design and how we should be approaching it “in a world in which everything has an API.”