Dell engineer George Reese, says Slack authentication in Tesla's Model S REST API exposes the electric car to a variety of non-safety but non-trivial attacks.

In this post over at O'Reilly, Reese says the “flawed” authentication protocol in the Tesla REST API “makes no sense”. Tesla has decided to craft its own authentication, which Reese unpicked.

While the flaw doesn't offer access to any “operational” aspects of the car – like steering or brakes – the risks are still significant. An attacker could fool around with configuration settings, the climate control, the sunroof, open the charge port, and anything else supported by the API.

Reese links to an unofficial documentation of the API, which outlines its capabilities, here.