Tesla API - Drive & vehicle data in the wild?

Hello everyone, I recently purchased a Model 3 and am going through a learning curve. As a developer one of my eye catching feature is the Tesla API. Although Tesla does not support this, it is amazing to download a ton of data and then later look at them.

Several services such as teslafi.com or teslalog.com are doing a great job at this. Also I saw several "free" apps and Alexa skills to control vehicle functions.

All these services need the Tesla App login to fetch the data. There are no controls on the Tesla side to limit the type of data. The data received through the APIs is very exhaustive and makes it a nightmare on privacy.

With API data anyone can tell where I live, work, go shopping, eat out, and go on vacation. Anyone who has access to this data can learn a great deal about me.

All these services secure and protect customers' data. But what if there is a data breach or some big company buys them out? What happens to the data then?

I'm torn between one side wanting the data and the other side fearing for privacy. Will Tesla make this official at some point in the future?

Want to know how others feel about this?

xeanxensen | November 11, 2018

The sheer volume of Tesla's data would make it unlikely that a security breach would meaningfully violate the privacy of someone not specifically singled out at the time of the hack. Far worse would be Tesla selling that information to other parties as a service, but that would become a PR nightmare the instant it was even suggested.

Those third party apps that use your login info to mine your data, though? That's where your greatest vulnerability would be. If you're concerned at all about privacy, I'd MAYBE use some temporary credentials to do an API data pull to satisfy your curiosity, then immediately change your password to something rock solid.

The potential is intriguing, but ATM it is directly proportional to the risk to your privacy, IMO.

maztec | November 11, 2018

Just as E-ZPass has been used to reveal adulterers, your Tesla can as well! http://www.nydailynews.com/news/attention-cheaters-e-z-pass-watching-art...

ulrichard | November 12, 2018

Privacy is not the only concern, but the weak security of the account also makes it easy to open the car, or things stored inside. That is why I deactivated app access, and hope the security will improve.
https://ulrichard.ch/blog/index.php/2018/01/21/why-i-deactivated-tesla-a...

mattykolej | December 2, 2018

The security problem is definitely important. And frankly speaking, before this post I didn't think that a data leak is possible. However, I believe that it's even more complicated than native app development https://clockwise.software/blog/hybrid-vs-native-vs-web/ to provide us with a totally secure API. Hope Tesla software engineers will solve this problem soon.

Yodrak. | December 2, 2018

"As a developer one of my eye catching feature is the Tesla API."

Developer of what? What is "API"?

reed_lewis | December 3, 2018

@Yodrak - the Tesla API is what the app uses to control the car, and what is used by other programs to effect changes to the car, and also get info about the car.

When he says he is a developer, he means that like me, he is a software developer. This does not mean that it is for Tesla software, just that he develops software of some type.

As has been pointed out, all that is needed to access the API is a username and password. From that you get a token which is used to access all of the API calls.

What could perhaps be done is to segment the calls into distinct functionality. You would then log in to the API with the username and password (and perhaps use some sort of 2 factor auth), and then authorize specific functionality with an OAuth-like mechanism. Then that token could only be used to perform the operations that you expect instead of an 'all or nothing' level of access.

As an example, the operations could be segmented into location, control, and data. Location would be the GPS data. Control would be unlock, lock, etc. Data would be only to get status of the vehicle.

This would make things a little more secure (as long as the API itself is correctly secured), because a token in the wild would only allow the functionality that it was supposed to.
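
The scope segmentation proposed in the post above, as an added sketch that is not part of the thread and not Tesla's API: the operation names, the HMAC-signed token format and the demo key are all assumptions made for illustration. A token issued for one segment is rejected for operations in the others, and anything not mapped to a scope is denied.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Hypothetical operations mapped to the three segments named in the post.
REQUIRED_SCOPE = {
    "get_gps_position": "location",
    "unlock_doors": "control",
    "lock_doors": "control",
    "open_trunk": "control",
    "get_charge_state": "data",
    "get_cabin_temperature": "data",
}
SERVER_KEY = b"constructed-demo-key"  # demo value; a real service loads this from a secret store


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user, scopes, ttl=3600, now=None):
    """Sign a token carrying only the scopes the owner approved."""
    unknown = set(scopes) - set(REQUIRED_SCOPE.values())
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    now = time.time() if now is None else now
    claims = {"sub": user, "scopes": sorted(scopes), "exp": now + ttl}
    payload = urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload)


def authorize(token, operation, now=None):
    """True only if the token is authentic, unexpired and scoped for the operation."""
    try:
        payload, sig = token.split(".")
        # Verify the signature before trusting anything inside the payload.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return False
        claims = json.loads(urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return False
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return False
    needed = REQUIRED_SCOPE.get(operation)  # unmapped operations are denied by default
    return needed is not None and needed in claims["scopes"]
```
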

reed_lewis | December 3, 2018

The one comment I would make though is that the Tesla data does not seem to be historical in terms of location, vehicle data or the like. The only thing you can get is current data about location, status, etc.

So unless someone is constantly monitoring your data, it would be difficult to get a good idea about all the locations that you exist in.

Vegan | December 3, 2018

Well, I want to use fun tools to play with my car but I've stayed away from all those for the reasons mentioned:
-privacy about my lifestyle habits
-weakens car's security (risk of theft)

reed_lewis | December 4, 2018

@vegan - The token that is used to access the API is controllable by you. If you change your Tesla password, then all tokens are invalidated.

So there is very little risk of theft.

sahaskatta | July 15, 2019

@akmedia I'm the co-founder of Smartcar.com and we're solving this problem. We saw so much interest from Tesla owners to link their vehicle with all sorts of apps, but it is risky to hand over your username/password to a random app developer. We build OAuth2 and permission controls so that consumers can opt-in to only the specific permissions of their choice when using a 3rd party app. Are you planning on building something? Would love to chat and see if I can help!

PhilMB | September 1, 2019

I feel the same as OP. Such potential and after a year after the post was created, no official position from Tesla. I'd love to get all insights about my car on my online account page - or in a more secured third party page, but in the current format the risk is bigger than what I'm willing to take... Frankly today it is difficult (impossible?) to even measure how much you're spending on your car without purchasing a 3rd party meter or giving away access to all your data to someone else.

Frank99 | September 1, 2019

So much angst about the data.

I understand the issue of car control - I want Tesla to make the API for CONTROLLING the car (door unlock, etc) absolutely bulletproof and separate from the data function (location, SOC, temperature, etc). I really don't care if a hacker can access my car and know that the internal temperature is 105F, or that it's on firmware 28.7. However, I really don't want them to be able to pop the trunk or unlock the car.

As far as things like location data, unless you've committed to not carrying a cellphone, it has far more location data about you than your car. The car might know that you drove to the grocery store - your phone knows that, plus it knows what shop you went into, which aisle you went down, and what products you're standing in front of (using Bluetooth location). It can know that you likely bought ice cream, broccoli and a box of condoms based on your location in the store. When you park at the parking garage for your apartment, your car knows what apartments you live at - but your phone knows exactly which one is yours, and whether you're in the bedroom or the kitchen.

And this doesn't address issues like your phone turning on the microphone and listening to your conversations (currently only if it's hacked, but in the near future likely 100% of the time, like Alexa), or knowing your bank account, username and password as well as more embarrassing information like your porn viewing habits. And if all this information isn't currently reported to Google or Samsung or Apple, in the next few years it will be.

And you're worried about Tesla knowing where you've driven?