I noticed tonight that as my wife took the car out of the garage and I had the Tesla app open on my phone several rooms away, that the "Summon" button appeared, even though I was clearly well out of visible range of the car. That led me to start thinking about what it is exactly that allows Summon to become available as an option in the mobile app. I quickly came to the hypothesis that perhaps the Summon option becomes available if *either of an owner's FOBs is near the car and your phone app happens to be active (i.e. perhaps there's no GPS check on the phone side). That got me to thinking that if someone was able to access just my Tesla credentials, it's conceivable that they could initiate Summon by remotely polling for it from the REST API and then moving the car remotely as I get in range with my FOB.
Admittedly, to make this exploit work, it would still require someone to obtain my login credentials, and theoretically, the car should still do a fairly good job of not crashing into anything while summoning, but if true, this simple trick is possibly the first instance where an attacker could remotely move a Tesla without previously having had physical access (unlike those BlackHat exploits from a while back).
Also, I got to thinking that if I'm wrong about the lack of a GPS phone location requirement, it really shouldn't hinder the exploit as there are numerous apps that will spoof GPS location for Android as well as jailbroken iOS.
It seems the only way to close this theoretical hole for now (if anyone happens to care) is to turn off Summon. Inevitably, if Tesla felt it was significant enough to close themselves, I suspect that Summon functionality would simply have to be removed from the mobile apps (i.e. the REST API) and relegated strictly to FOBs. :frown:
Admittedly, to make this exploit work, it would still require someone to obtain my login credentials, and theoretically, the car should still do a fairly good job of not crashing into anything while summoning, but if true, this simple trick is possibly the first instance where an attacker could remotely move a Tesla without previously having had physical access (unlike those BlackHat exploits from a while back).
Also, I got to thinking that if I'm wrong about the lack of a GPS phone location requirement, it really shouldn't hinder the exploit as there are numerous apps that will spoof GPS location for Android as well as jailbroken iOS.
It seems the only way to close this theoretical hole for now (if anyone happens to care) is to turn off Summon. Inevitably, if Tesla felt it was significant enough to close themselves, I suspect that Summon functionality would simply have to be removed from the mobile apps (i.e. the REST API) and relegated strictly to FOBs. :frown: