Lessons Learned From Hacking The Tesla API

Last week, Tesla announced it would not pursue lawsuits against people using its patents in “good faith.” But the company has not always been so open with its technology. Its Tesla Model S API was never meant to be public, but almost from the start Tesla owners began documenting its API calls on GitHub, eventually building their own on the Apiary platform.
At API Days in San Francisco, Apiary CEO Jakub Nesetrill discussed how the Tesla story shows there really is no such thing as a private API in the context of something like cars. The Tesla example shows the problems that can arise from the start with private APIs, Nesetrill said in an interview at the conference. In Tesla’s case, people looking at the API found that it did not fit HTTP conventions well, and that it used GET methods for API actions with real-life consequences, such as unlocking the car and turning the heat on.
More troubling, security analysis showed that Tesla had built its own user authentication, which did not hold up to strong security practices. The protocol was not well developed.
George Reese detailed what the API can do and how it could be exploited in a post last August. He wrote:
- It cannot safely operate over any channel but a trusted SSL connection (minor)
- It requires the sharing of the user’s password with third-parties (major)
- No mechanism exists for cataloging applications with active tokens (significant)
- Only an inconsistent blunt-force mechanism exists for revoking access to a compromised application (moderate)
- The automated expiration of tokens in 3 months encourages applications to improperly store your email and password (significant)
Apiary has documented 70,000 APIs. Most are built by companies new to building APIs. On their first try, companies have trouble getting the API design right, and that is a concern. Tesla is a leader in the car space for providing programmable services and did many things right, such as remote updates. But new API developers often try to make it simple and cut corners that can make it difficult for end users to operate their own machinery.
Bottom line — with cars, don’t try to reinvent the wheel, Nesetrill said. It makes no sense to develop a private API, especially when there is a large, motivated group of users who will document it for their own purposes and create one that better suits their needs.