Abusing the Internet of Things


make sure only authorized employees have access to the data and how stored location data is secured against external entities who may seek to gain unauthorized access to Tesla’s technology infrastructure.


Handing Out Keys to Strangers


The Tesla iOS app uses a web-based API to communicate with and send commands to the car. Tesla did not intend for this API to be invoked directly by third parties. However, third-party apps have already started to leverage the Tesla API to build applications. For example, the Tesla for Glass application lets users monitor and control their Teslas using Google Glass. In order to use this functionality, Google Glass owners have to authorize and add the app. Once this step is complete, the user is redirected to a login page, as shown in Figure 6-9. On this page, the user enters the same credentials she uses to log into her Tesla account and the iOS app.

But when the user enters her login information and clicks on CONNECT, that username and password are sent to a third-party server (teslaglass.appspot.com), as shown in Figure 6-10! This is basically the electronic equivalent of handing one’s car key to a complete stranger!


TIP

The screenshot in Figure 6-10 depicts Burp Suite, a free tool that can be used as a proxy server to capture and modify HTTP content. In this case, we have used it to capture the HTTP request to teslaglass.appspot.com to see the actual content being transmitted.

In other words, although the Tesla for Glass application is not written or officially sanctioned by Tesla, it receives the actual credentials of users who choose to use it. Because the API is authenticated with the account password itself rather than with a per-application token, the third party gets the same unrestricted access as the owner, and the only way for the user to revoke that access is to change her password. This presents the risk of malicious third-party application owners abusing this situation to collect the credentials of Tesla account holders. As we’ve seen before, these credentials can allow anyone to locate the cars associated with an account, unlock them, and even drive them.
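The check a practitioner performs on a capture like Figure 6-10 can be automated: parse the intercepted request, find form or JSON fields that look like credentials, and flag the request when the Host header is not a first-party domain. The script below is an added example and is not code from the book or from Tesla. The request it parses is constructed for the example (the path, field names, and values are assumptions; the page only shows that the credentials went to teslaglass.appspot.com), and the allowlist of first-party suffixes is an assumption, not Tesla’s real login endpoints.

```python
import json
from urllib.parse import parse_qs

# ASSUMPTION: domains a Tesla login form may legitimately submit to.
# The page does not name Tesla's login endpoints, so this list is
# illustrative; replace it with the hosts observed for the official app.
FIRST_PARTY_SUFFIXES = ("tesla.com", "teslamotors.com")

# Form/JSON field names that usually carry a primary credential.
CREDENTIAL_FIELDS = {"username", "user", "email", "login",
                     "password", "passwd", "pass"}


def parse_http_request(raw: str) -> dict:
    """Split a captured HTTP/1.1 request (as Burp displays it) into
    method, target, lower-cased headers, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def host_is_first_party(host: str) -> bool:
    """True if host equals an allowlisted suffix or is a subdomain of one.
    Matching on '.' + suffix prevents 'tesla.com.evil.example' passing."""
    host = host.split(":")[0].strip().lower()
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def credential_fields_in(body: str, content_type: str) -> list:
    """Names of credential-looking fields in a form-encoded or JSON body."""
    if "application/x-www-form-urlencoded" in content_type:
        fields = parse_qs(body, keep_blank_values=True)
    elif "application/json" in content_type:
        try:
            fields = json.loads(body)
        except ValueError:
            return []
        if not isinstance(fields, dict):
            return []
    else:
        return []
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


def audit_request(raw: str) -> dict:
    """Flag a request that submits credentials to a non-first-party host."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "")
    creds = credential_fields_in(req["body"], req["headers"].get("content-type", ""))
    return {
        "host": host,
        "credential_fields": creds,
        "third_party_credential_submission": bool(creds) and not host_is_first_party(host),
    }


def build_request(host: str, path: str, body: str) -> str:
    """Assemble a form POST the way a proxy would capture it."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# Constructed sample: the Tesla for Glass CONNECT submission as the page
# describes it, with assumed path and field names and made-up values.
GLASS_REQUEST = build_request(
    "teslaglass.appspot.com", "/login",
    "username=driver%40example.com&password=hunter2",
)

# Constructed control: the same form posted to an (assumed) first-party host.
FIRST_PARTY_REQUEST = build_request(
    "www.tesla.com", "/login",
    "username=driver%40example.com&password=hunter2",
)

if __name__ == "__main__":
    for raw in (GLASS_REQUEST, FIRST_PARTY_REQUEST):
        print(audit_request(raw))
```

Run it against a request exported from Burp (Copy to file) and the result for the Glass capture reports the credential fields and `third_party_credential_submission: True`; the same form sent to an allowlisted host is not flagged. The suffix match deliberately requires a leading dot so that look-alike hosts with the first-party name embedded in them do not pass.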

