Tesla API - Drive & vehicle data in the wild?

Hello everyone, I recently purchased a Model 3 and am going through a learning curve. As a developer, one of my eye-catching features is the Tesla API. Although Tesla does not support this, it is amazing to download a ton of data and then later look at it.

Several services such as teslafi.com or teslalog.com are doing a great job at this. Also I saw several "free" apps and Alexa skills to control vehicle functions.

All these services need the Tesla app login to fetch the data. There are no controls on the Tesla side to limit the type of data. The data received through the APIs is very exhaustive and makes it a nightmare for privacy.

With API data anyone can tell where I live, work, go shopping, eat out, and go on vacation. Anyone who has access to this data can learn a great deal about me.

All these services secure and protect customers' data. But what if there is a data breach or some big company buys them out? What happens to the data then?

I'm torn between one side wanting the data and the other side fearing for privacy. Will Tesla make this official at some point in the future?

Want to know how others feel about this?

xeanxensen | November 11, 2018

The sheer volume of Tesla's data would make it unlikely that a security breach would meaningfully violate the privacy of someone not specifically singled out at the time of the hack. Far worse would be Tesla selling that information to other parties as a service, but that would become a PR nightmare the instant it was even suggested.

Those third party apps that use your login info to mine your data, though? That's where your greatest vulnerability would be. If you're concerned at all about privacy, I'd MAYBE use some temporary credentials to do an API data pull to satisfy your curiosity, then immediately change your password to something rock solid.

The potential is intriguing, but ATM it is directly proportional to the risk to your privacy, IMO.

maztec | November 11, 2018

Just as E-ZPass has been used to reveal adulterers, your Tesla can as well! http://www.nydailynews.com/news/attention-cheaters-e-z-pass-watching-art...

ulrichard | November 12, 2018

Privacy is not the only concern, but the weak security of the account also makes it easy to open the car, or things stored inside. That is why I deactivated app access, and hope the security will improve.
https://ulrichard.ch/blog/index.php/2018/01/21/why-i-deactivated-tesla-a...

mattykolej | December 2, 2018

The security problem is definitely important. And frankly speaking, before this post I didn't think that a data leak was possible. However, I believe that it's even more complicated than native app development https://clockwise.software/blog/hybrid-vs-native-vs-web/ to provide us with a totally secure API. Hope Tesla software engineers will solve this problem soon.

Yodrak. | December 2, 2018

"As a developer one of my eye catching feature is the Tesla API."

Developer of what? What is "API"?

reed_lewis | December 3, 2018

@Yodrak - the Tesla API is what the app uses to control the car, and what is used by other programs to effect changes to the car, and also get info about the car.

When he says he is a developer, he means that like me, he is a software developer. This does not mean that it is for Tesla software, just that he develops software of some type.

As has been pointed out, all that is needed to access the API is a username and password. From that you get a token which is used to access the entire set of API calls.

What could perhaps be done is to segment the calls into distinct functionality. You would then log in to the API with the username and password (and perhaps use some sort of 2 factor auth), and then authorize specific functionality with an OAuth-like mechanism. Then that token could only be used to perform the operations that you expect instead of an 'all or nothing' level of access.

As an example, the operations could be segmented into location, control, and data. Location would be the GPS data. Control would be unlock, lock, etc. Data would be only to get status of the vehicle.

This would make things a little more secure (as long as the API itself is correctly secured), because a token in the wild would only allow the functionality that it was supposed to.
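
The scoped-token idea from the post above, sketched as an added example that is not part of the original thread and not Tesla's API. The operation names, the token format and the signing key are assumptions made for illustration; only the three segments (location, control, data) come from the post.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed key, for this example only

# Hypothetical operation names mapped to the three segments proposed above.
REQUIRED_SCOPE = {
    "get_location": "location",
    "lock": "control",
    "unlock": "control",
    "get_status": "data",
}

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_token(owner, scopes, ttl=3600, now=None):
    """Issue a signed token limited to the scopes the owner approved."""
    unknown = set(scopes) - set(REQUIRED_SCOPE.values())
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    now = time.time() if now is None else now
    claims = {"sub": owner, "scopes": sorted(scopes), "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()

def authorize(token, operation, now=None):
    """Allow a call only if the token is authentic, unexpired and in scope."""
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return False  # not exactly one separator: malformed token
    # Constant-time comparison; a modified payload no longer matches its MAC.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False
    needed = REQUIRED_SCOPE.get(operation)  # unmapped operations are denied
    return needed is not None and needed in claims["scopes"]
```

A token issued with only the `data` scope can read status but cannot unlock the car or read its location, which is the containment the post describes for a token that leaks.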

reed_lewis | December 3, 2018

The one comment I would make though is that the Tesla data does not seem to be historical in terms of location, vehicle data or the like. The only thing you can get is current data about location, status, etc.

So unless someone is constantly monitoring your data, it would be difficult to get a good idea about all the locations that you exist in.

Vegan | December 3, 2018

Well, I want to use fun tools to play with my car but I've stayed away from all those for the reasons mentioned:
- privacy about my lifestyle habits
- weakens car's security (risk of theft)

reed_lewis | December 4, 2018

@vegan - The token that is used to access the API is controllable by you. If you change your Tesla password, then all tokens are invalidated.

So there is very little risk of theft.

sahaskatta | July 15, 2019

@akmedia I'm the co-founder of Smartcar.com and we're solving this problem. We saw so much interest from Tesla owners to link their vehicle with all sorts of apps, but it is risky to hand over your username/password to a random app developer. We build OAuth2 and permission controls so that consumers can opt-in to only the specific permissions of their choice when using a 3rd party app. Are you planning on building something? Would love to chat and see if I can help!