Latest EV Scare: Hackers Could Take Over Your Electric Car

August 28, 2013

Tesla Model S dashboard controls.

A lot of today’s new cars have Internet connectivity with remote capabilities. For example, these functions let an electric car with an associated smartphone application remotely start a charging event or turn on the AC. These capabilities have been sold as a benefit of electric cars. But a blog post last week by George Reese, a top Dell engineer and a Model S owner, raised concerns about potentially dangerous security flaws in the Tesla Model S—and, by extension, in other electric cars. That thoughtful post, unfortunately, can be interpreted as a new sky-is-falling worry about battery-powered vehicles.

Yes, any security flaw in a car-based API can leave the car open to attacks by hackers. Essentially, an API (Application Programming Interface) allows one application to make requests of another application, which can be running on the same computer or on a computer on the other side of the planet.

Reese writes that a hacker could hack into a Model S to honk a horn, flash lights, or open a sunroof. “While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving (though not all functions are supported remotely while the car is in motion),” he writes. “Perhaps the scariest bit is that the API could be used to track your every move.” An attacker could also open a door lock—or potentially steal authentication data from Tesla for all Model S owners and then launch an attack against all existing Model S cars.

That sounds frightening, but let’s remain calm: No known exploit of the vulnerability exists in the wild. Reese is simply noting the potential risk.

Too Much Re-Invention?

Tesla likes to re-invent and build everything in-house. But perhaps this time, that wasn’t such a good idea. According to Reese, the Tesla Model S REST API does not use industry best practices for user authentication. Instead, it uses a homegrown, weak authentication system that leads to several bad practices. That means the system has several vulnerabilities, which a nefarious application could exploit to remotely do unwanted things to a Model S. Or, if all the nefarious application wished to do was spy on Model S owners, it could read the GPS coordinates and speed.

Tesla, like other carmakers, has a worthy reason to implement APIs in its cars. It wants to supply its own smartphone application so car owners can control their cars, and it wants third-party applications with integrated support for its cars. This is the cutting edge of car technology, and all carmakers are working on features that rely on remote API access to cars—regardless of how those cars are powered.

Reese noted that the big issue isn't the specific flaw in the Tesla Model S, but the bigger picture of the Internet of Things. That concept sees network-connected computers in every gadget, each with some kind of remote API. Over time, every car will have a range of useful remote APIs to participate in this Internet of Things. The question raised now is whether all those “things” will be implemented with proper security and authentication systems—with Tesla and other EVs serving as the most robust examples of the question applied to cutting-edge vehicles.
