3rd party app leaked data to allow remote access to Teslas


Dan

Jan 19, 2022, 11:55:38 AM
to I am The Cavalry
Vice.com posted an article about security failures in an open source app for Tesla users. In "How a Hacker Controlled Dozens of Teslas Using a Flaw in Third-Party App," a researcher, David Colombo, was able to access the functions of Teslas owned by others in disparate locations.

Tesla has been pretty hot on fixing security issues, and running bug bounties, but cannot control what third parties do with their API. If a third party app has poor code it can effectively be a Trojan horse for threat actors. No response from Tesla on the issue, probably a "not our app, not our problem" attitude. Though some older Tesla V2 API tokens have been revoked.

Weak APIs are a perennial issue, but methods exist to combat some aspects of lazy programming. Ultimately, if you are going to allow programmable access to a two-ton software-controlled vehicle, you need to make sure that third parties are doing a good job with the security.

DAN