They aren't proving that the app developed by Tesla is the vulnerable, even though it probably is in some way. No, the weak link here is the human and his insatiable appetite for... burgers.
The supposed hackers created a free and open Wi-Fi hotspot, promising a meal at the nearby burger shop to anybody willing to install a particular app on their phone. This, in turn, is actually malware. So when the owner of the Tesla uses his Android app to check on his car, the username and password are revealed.
“The actions are performed by sending an HTTP request to the Tesla server. All the requests need to provide an OAuth token. This token is obtained by authenticating using the username and password. The first time the user logs into the Tesla app, the token is obtained and then stored in cleartext in a file in the app’s sandbox folder. When the app is restarted, the token is read and used for subsequent requests," Promon explains.
In truth, this vulnerability has nothing to do with Tesla. Using a similar method, you could take advantage of OnStar to unlock something as basic as a Corsa.
There are some things you can do to protect yourself. For example, disabling the keyless start function of the car. And if you are wealthy enough to own a Tesla Model S, do you need free Wi-Fi? I would never trust a public hotspot like that.
The Android app is another thing. Never install an app before reading the comments first, because they can tell you if it contains malware. An antivirus program wouldn't hurt either. And lastly, never use the same password for everything. From Yahoo Mail to the iClous, everything has been hacked already, with millions of accounts bought and sold by people with dubious intentions.