Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tesla Model S REST API Authentication Flaws

Posted by Soulskill on from the honk-if-i-control-your-car-remotely dept.

An anonymous reader writes "New Tesla owner and Executive DIrector of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"

1 of 161 comments (clear)

  1. Re:First World Priorites by AaronW · · Score: 3, Informative

    There is a setting in the car where you can disable remote access. It's trivial to set.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.