The car does not have a publicly reachable IP. It is using a message bus (Kafka pub-sub, I believe) to bridge phone and car. Tesla does publish an API for anyone that wants to control a car (uses OAuth for authorization). Other than being unable to revoke tokens from within the car, it works great and solves the fleet management problem. (It is possible to simply entirely disable remote access from within the car, so this is a partial solution that Tesla does already.)