Tesla motors, the Silicon Valley darling co-founded and run by PayPal zillionaire Elon Musk is absolutely revolutionizing the way people buy, sell and think about automobiles. The company’s Model S electric vehicle was Motor Trend’s Car of the Year in 2013 – the first electric car to ever win that award and “proof positive that America can still make (great) things,” the magazine said. The car’s base model (sticker price: $62,000) has a 362 hp electric motor and gets the equivalent of between 74 mpg to 118 mpg and comes with a 17” flat screen display in the driver’s compartment. Like many next generation devices, the Model S isn’t just beautiful – its intelligent, with the ability to send and receive software updates and interact with its owner and with Tesla programmatically, using its own application program interface (API).
And that’s where Tesla’s otherwise flawless image gets some blemishes. According to a post by George Reese (@GeorgeReese) over at O’Reilly, the Model S’s API gave short shrift to some basic security principles, like authentication.
Tesla’s API allows the car’s owners to manage functions like locking and unlocking the doors, initiating and stopping vehicle charging, flashing the lights, opening the charge port, honking the horn and determining the driving position and state of the vehicle.
According to Reese, Tesla’s engineers gave short shrift to some basic security features, like a strong authentication mechanism. Specifically, Reese notes that Tesla’s software engineers spurned the widely used OAuth open protocol and wrote their own. As so often happens, “rolling your own” is a path that is fraught with challenges– especially in well trod terrain like web based user authentication. No surprise, then, that Tesla got it wrong. The company created an API that relies on a simple e-mail and password to authenticate to the API – the same authentication information that’s used to log in to Tesla’s web site, where owners design and order their vehicle. Furthermore, the username and password are cached for three months
The security implications of this are clear. First: a compromise of Tesla’s web site could potentially expose information that would allow remote attackers to interact with web-based portals that can send commands to Model S cars on the road. Such an attack would be valid for up to three months – the length of time Tesla allows a token to work before it expires.
Reese is careful to note that this isn’t a safety issue, per se. None of the features that are accessible via the API could conceivable be used to cause an accident, and Reese gives Tesla credit for implementing strong separation between the various operational components of the Model S.
The bigger problem is with the rush towards adding programmatic interfaces and interactive features to devices on the Internet of Things.
“I don’t think the Tesla software engineers have given the security of the (API) its proper due and I see a common theme among Internet-connected ‘things’ …of not thinking through the security impacts of what they are doing.”
In short: if even a top-flight, engineering driven, cutting edge firm like Tesla can stumble when it comes to application security, what about all the down market automakers rushing to add interactive features to their vehicles?
Expect more stories like this, as more and more “connected” vehicles hit the road. Already, the National Highway Traffic Safety Commission is calling for more attention to cyber security standards in vehicles but regulators are likely to be well behind the market in this area, as in so many others. And this blog has noted how concerns about security may blunt advances in other areas (like smart manufacturing) as well. We’ve also released an infographic to help inform car buyers about the security and privacy implications of smart vehicle ownership.
In the meantime, Reese said manufacturers of automobiles and other intelligent device makers need to start with security and work toward their desired functionality, not the other way around. That’s good advice.