There’s a bunch of articles coming out claiming the Tesla car is at risk of being hacked. They all trace back to a single blog post by George Reese, a Tesla owner and exec of Dell.
But if you read and understand the blog post, there’s a key point all the news coverage missed. You are only at risk if you give other people or 3rd party apps your password! Yes, what he’s saying is that if you give your Tesla username and password to others, someone might get them and use them to unlock your car or change the air conditioning temperature! I put that in the “Duh!” category.
If you don’t give out your password, you can’t get hacked!
At the end of the day, what I think Mr. Reese is really saying is he thinks Tesla should have provided an API that supports 3rd party developers in a way that doesn’t require giving out your username and password. Fair enough, but as far as I know Tesla has never said it supports giving 3rd parties access to its API.
But I take issue with the tone of Mr. Reese’s article because it casts the lack of this 3rd party support as a security risk with the Tesla API rather than simply recognizing that Tesla never intended for 3rd parties to talk to its API. You could say that Tesla might as well have implemented an OAuth API rather than the one it did so that 3rd party support is built in, and that’s a fair point.
But this is a far different point from claiming the current API is a security risk. It’s only a risk if you use 3rd party apps, and as far as I know the API is undocumented and any non-Tesla use of it is unauthorized. It’s only possible if the car owner gives others their username and password, which I’d say is clearly not a smart thing for anyone to do.