Blog: Automotive Security
Who has access to your leased Tesla?
One of the cool features of a Tesla is controlling it through the mobile application. This gives a whole host of options such as controlling the air conditioning, opening the “frunk”, and setting charge limits. The most useful feature however is using you mobile as a car key. Walk up to the car and it unlocks, hop in and you’re ready to go. The alternative is tapping a key car to the door pillar and then tapping again in the centre console to enable driving.
To set up the application, you register with Tesla, download the application, log in, and you’re set.
Add another driver
There is also an option to allow others to drive it. To enable this, the owner uses the mobile app to generate an invitation link (typically sent in an email). Once the other driver has registered with Tesla and accepted your invitation, they have the same amount of control as you do.
Revocation of this access is done through the app and must be done by the owner account.
Leasing complicates things
This is where I ran in to a bit of trouble with a leased Tesla, specifically when it came time to give the car back.
When I first got the car, I had no access to the car through the mobile application, so I contacted the leasing company who took my email address and a few days later the car popped up in the mobile app and I was good to go. I gave no thought to the process behind the scenes as everything was working.
The car never showed up in the web app as an owned device. I’ve subsequently proved that this is the case when you give permission for another driver on your car. They don’t see it in the web portal, and only have access through the mobile app.
Two years later, a guy calls me to arrange pickup of the car at which point I did the right thing by disassociating my phone from the car and removing it as a key. I signed out of all the apps (Spotify and Netflix) and the next day I’m waving my car off down the road never to be seen again.
But wait… What’s this?
I still have access to my old car through the app.
As I unregistered my phone as a key, I wouldn’t be able to start the car, but I could still track it and control it. (Side note: When picking up the car, there were no checks performed to ensure I had unregistered my phone as a key, so I could have easily left it activated and started the car at any point).
Driver does not always equal Owner
Looking at the process my lease company used leads me to believe that they added me as a driver so I could use the app, but because I’m not the owner I have no way to remove the car from my app myself.
There is no way to remove yourself as a driver either from the car itself or through the mobile or web applications, which means I’m stuck with it in my Tesla account.
As the lease is over and the car has gone to auction, I’m assuming that the new owner will have to register ownership with Tesla at which point my access will be revoked, however this feels like a security issue to me.
If I was a less scrupulous person, I could have left my phone registered as a key, tracked the cars exact location, and then unlock and drive the car away. Or at the very least I could whack the air con on full and deplete the battery.
A colleague of mine had a much more streamlined experience as his leasing company. He was instructed to log in to the web portal and add the car directly with supporting documentation supplied by the leasing company. At this point as far as Tesla was concerned, he “owned” the car and could manage it completely.
Advice for leasing firms
I think there is a process control issue here, and we would recommend leasing companies all follow the following procedure:
- Ensure all Tesla ownership is managed through the web application rather than adding clients as an additional driver.
- Ensure that any phones are disconnected from the car at pickup.
- Ensure that no additional key cards have been registered to the car.
- Ask the client to perform a factory reset of the vehicle before collection.
Personal data and tracking
Whilst we’re there, one of the other impacts of the lease company being the ‘owner’ of the vehicle in the app is that they have access to vehicle position and other more personal data. One of my colleagues checked a couple of vehicle lease contracts and there was nothing in there to cover their access to that data.
In theory, the leasing company could track you in real time, unlock and lock your vehicle, revoke your access to your car and more. What steps are they taking to protect your privacy from their employees and 3rd parties?
This matter of personal data would also be resolved if the driver of the vehicle was granted ‘owner’ status in the app and the lease company was to revoke that access once the vehicle was returned.