back to article Tesla cars 'hackable' says Dell engineer

Slack authentication in Tesla's Model S REST API exposes the electric car to a variety of non-safety but non-trivial attacks, according to a Dell engineer and Tesla owner. In this post over at O'Reilly, Dell senior distinguished engineer and executive director of cloud computing George Reese says the “flawed” authentication …


This topic is closed for new posts.
  1. Anonymous Coward

    Enough is enough

    I'm cancelling my order.

    1. This post has been deleted by its author

    2. Richard Chirgwin (Written by Reg staff)

      Re: Enough is enough

      [Posted by the author on behalf of someone who's run into a Bad Internets Day]

      Why would you cancel an order for the most technically advanced and awesome device on the planet at the moment? Because one headline-grabbing techie identified a flaw that could be fixed in minutes by any-old-coder?

      I suspect it will be fixed quickly.

      Oh, and apparently I'm a "coward" for not wrangling with the authentication things here. Meh.

      1. Anonymous Coward
        Anonymous Coward

        Re: Enough is enough

        Why would you cancel an order for the most technically advanced and awesome device on the planet at the moment?

        What makes your friend think I was seriously ordering one? I'm not a multi squillionaire, I'm a Reg reader.

      2. Shannon Jacobs

        Already a bit late

        How do you think Michael Hastings was murdered? Hint: Start with the source code for all of the car's electronic systems, including the brakes, accelerators, GPS controls, wireless network, and of course the airbags, windows, and door locks. Make the evidence go away? Just run the hack from volatile memory so it disappears as soon as the power is lost. Chain of command to trace? Sorry, it was just an independent contractor operating on his own initiative. No orders given, none received, no reports filed. Just a wink and a nudge, and probably a bonus for unspecified special services on behalf of "national security". Nothing to see here.

        Remember, he was not drunk or chemically impaired. He was a cautious driver. And his leg was fractured from stomping on the brake pedal very hard. Obviously to no effect. Can't you just wait for the self-driving cars?

        Me? No thanks.

        1. Anonymous Coward
          Anonymous Coward

          @ Shannon

          That conspiracy story is getting a bit tired now, I thought you would realise how stupid it makes you look when I pointed out the obvious flaw last time.

          Do you really believe that car manufacturers specify to their software engineers that the API has a 'disable brakes' instruction built in?

          Even if that were possible (which it is not due to safety regulations mandating a mechanical connection in steering and braking systems), why would they?

          1. Surreal

            Re: @ Shannon

            you wrote: "Do you really believe that car manufacturers specify to their software engineers that the API has a 'disable brakes' instruction built in?"

            You obviously weren't at Defcon this year. Disable brake. Violently turn steering wheel with a servo (so it can parallel park, since you don't know how). Yank the seatbelt tight and startle the heck out of the driver... They didn't mention finding the accelerate API, but they were such nice boys they probably wouldn't. OnStar can tell my wife's car to slow to a crawl if it's reported stolen, so the "turn it down" call is there in her relatively non-techy 2011 Chevy Cruze.

            That said, I hadn't heard of this conspiracy since I don't get out of my cave often. Get the Reader's Digest version from google by searching: car-hacking-code-released-at-defcon

            It's adorable when people believe machines are trustworthy, safe, and unhackable.

      3. Pascal Monett Silver badge

        Re: I suspect it will be fixed quickly.

        I seriously doubt that.

        Attention has been brought to it, so something will have to be done. But this system, with the flaw of the 3-month token, was brainstormed, approved, designed and implemented as is.

        I'm not sure it will be easy to change, nor am I convinced that it is a priority job for Tesla.

        Of course, it is not good for the company image to have a "security breach", but Tesla can very well downplay the issues, obfuscate the consequences and play for time. It's not like they're selling the thing by the millions anyway.

  2. Azzy

    Uh, it's a little worse than the sunroof, since it unlocks doors.

    Since you know where the car is, and can unlock the doors (and even honk the horn if you need help finding it in the parking lot you know it's in)... if you get this security token for any tesla, you can use it to find the car and pilfer it's contents - and since the owner can afford a Tesla, they're rich, so there's gotta be something worth stealing in it too.

    1. Anonymous Coward
      Anonymous Coward

      Re: Uh, it's a little worse than the sunroof, since it unlocks doors.

      A lot of criminals just use the old fashioned method; break the glass or go through the door to unlock it. A thief that wants in, will get in.

      1. Pascal Monett Silver badge

        Yeah, but by unlocking the door he leaves no trace and makes insurance claims impossible.

        So double bummer.

  3. Hoe

    Re: Uh, it's a little worse than the sunroof, since it unlocks doors.

    Ha funny you should say that, first thing I thought when I read the article title and hated it straight away...

    "Everything is crackable, if you can write software to be secure, you can write more software to defeat it!"

    Extra layers of IT security just make it harder, bit like, oh what's a good analogy here... lol Car Alarms, Immobolizer's the lot.

    They are only ever deterrants, if someone wants to rob the White House given the right resources it could be done, just as the Titanic wasn't un-sickable, nothing is unbreachable.

  4. Anonymous Coward
    Anonymous Coward

    You can bet...

    ...that Elon will claim this is all untrue but is it really?

  5. NullReference Exception

    Kids these days

    When I was your age, the only API that my car had was a steering wheel and a gas pedal. And we liked it!

    1. Woza

      Re: Kids these days

      No hand crank?

      1. MrT

        When I were a kid...

        ... use of four-be-two, pram wheels, string for the steering and a big hill as engine were all it took for automotive entertainment.

        Crank handle was available, on my dad's Austin A35...

    2. spudmasterflex

      Re: Kids these days

      You were lucky.........

  6. T. F. M. Reader

    Enlighten me, please

    This may be the most technologically advanced vehicle on the face of the planet, but allowing any access through the Web looks completely silly to me. What functionality would be compelling enough to a car owner to trump the concern that there will inevitably be security problems once the air gap is eliminated? Why would anyone ever want to start a browser to unlock his/her car or open the sun roof?

    1. Robert Grant

      Re: Enlighten me, please

      I'd be willing to risk it if it turned on the climate control (and seat warmers if necessary) five minutes before I had to get in it :)

  7. Anonymous Coward
    Anonymous Coward

    IT Entrepreneurs

    This is what happens when IT types develop a car. They're used to tracking you on the Web, so they put the same functionality into the car. Presumably Tesla could sell pattern of life information on to advertisers?

    This all sounds like it's more useful to Tesla than it is to a user. Afterall the owner already knows where their car is and what can be seen out the windscreen; they're either driving it or have parked it somewhere.

    And if it's stolen what exactly are they going to do? Chase after it on foot? It won't get far anyway before running out of juice. And any serious car crim these days has probably heard of GPS tracking and has also heard of GPS jamming and black PVC tape (to obscure the camera).

    So it's a gimmick at best, a money maker for Tesla, and a liability at worst.

  8. Aoyagi Aichou


    That's why I'm never getting a car that connects to the internet, has some wireless functions (other than locking)...

    If I can avoid it anyway.

    1. Pascal Monett Silver badge

      And there's the issue : how long can we avoid it ?

      1. Jess--

        "And there's the issue : how long can we avoid it ?"

        for about as long as you can keep your current vehicle operational, in my case it's almost 23 years and coming up to 999999 miles (not too bad for a bit of rubbish from longbridge)

  9. Stretch


    sigh. SOAP.

  10. Tom 13
    Black Helicopters

    an attacker would be able to see everywhere the car goes.

    Well then. That explains some of the profitability. Black Ops funding from the NSA so they can track your car with their data slurping.

  11. Kevin McMurtrie Silver badge

    No REST for the stupid

    It's worse than having a durable login cookie. If the documentation is correct, HTTP GET is used to initiate significant changes to the car rather than the proper POST method. GET must be idempotent - safe to make or not make at any time. Resources with GET allow clients to pre-fetch it, cache it, asynchronously revalidate the cache, or attempt to fetch the resource in segments. This API is begging for massive malfunctions and the designer never should have passed a hiring interview.

  12. Allan George Dyer
    Black Helicopters

    Tesla did it on purpose...

    so they can blame the battery usage on "hackers".

    (can I have the black helicopters AND the joke alert?)

This topic is closed for new posts.

Other stories you might like