Security flaw in Summon implementation?

[gordo]

I noticed tonight that as my wife took the car out of the garage and I had the Tesla app open on my phone several rooms away, that the "Summon" button appeared, even though I was clearly well out of visible range of the car. That led me to start thinking about what it is exactly that allows Summon to become available as an option in the mobile app. I quickly came to the hypothesis that perhaps the Summon option becomes available if *either of an owner's FOBs is near the car and your phone app happens to be active (i.e. perhaps there's no GPS check on the phone side). That got me to thinking that if someone was able to access just my Tesla credentials, it's conceivable that they could initiate Summon by remotely polling for it from the REST API and then moving the car remotely as I get in range with my FOB.

Admittedly, to make this exploit work, it would still require someone to obtain my login credentials, and theoretically, the car should still do a fairly good job of not crashing into anything while summoning, but if true, this simple trick is possibly the first instance where an attacker could remotely move a Tesla without previously having had physical access (unlike those BlackHat exploits from a while back).

Also, I got to thinking that if I'm wrong about the lack of a GPS phone location requirement, it really shouldn't hinder the exploit as there are numerous apps that will spoof GPS location for Android as well as jailbroken iOS.

It seems the only way to close this theoretical hole for now (if anyone happens to care) is to turn off Summon. Inevitably, if Tesla felt it was significant enough to close themselves, I suspect that Summon functionality would simply have to be removed from the mobile apps (i.e. the REST API) and relegated strictly to FOBs. :frown:

 

[LetsGoFast]

If they have your login credentials, they can unlock the car, get in, start it and drive it away.

 

[AMPd]

If they have your login credentials, they can unlock the car, get in, start it and drive it away.

I did exactly this when I could not find my fob, spent the whole day running errands using the phone to unlock and start the car

Edit: Little tip, if you don't need the door closed, don't close it! it'll automatically lock and you'll have to use the app again.

 

[Soolim]

I did exactly this when I could not find my fob, spent the whole day running errands using the phone to unlock and start the car

Edit: Little tip, if you don't need the door closed, don't close it! it'll automatically lock and you'll have to use the app again.

So if I lost my phone, and if the thief get pass the phone log-in, using the app he/she could locate my car, get to the car, and drive away. :scared:

Should Tesla not implement some simple limitation, such as allowing driving with phone app only for a limited km or limited hours, and thereafter the fob needs to be used to reset the limit?

 

[cytranic]

So if I lost my phone, and if the thief get pass the phone log-in, using the app he/she could locate my car, get to the car, and drive away. :scared:

When you try to start the car, the phone asks for the password again even though its saved on the original opening.

If the theif has your password, well then...

 

[wk057]

So if I lost my phone, and if the thief get pass the phone log-in, using the app he/she could locate my car, get to the car, and drive away. :scared:

Basically anyone with your Tesla app login info, no matter how they get it, can locate your car, open it, and drive away, if you have mobile access enabled. They can even disable valet mode, disable mobile access, etc once they're in the car.

So never give your login and password to anyone. No third party websites or software/apps. Don't keep it written down. Make sure it's at least a moderately strong password, too. Keep an eye out for phishing attempts, since no one legitimate will ever ask for this password. Etc etc etc.

Most people don't realize that those credentials are literally like a copy of the keys to your car.

 

[AMPd]

So if I lost my phone, and if the thief get pass the phone log-in, using the app he/she could locate my car, get to the car, and drive away. :scared:

Should Tesla not implement some simple limitation, such as allowing driving with phone app only for a limited km or limited hours, and thereafter the fob needs to be used to reset the limit?

Correct, but it's no different than online banking, if someone has your log in, they can empty your account.
I'm not worried about anyone stealing my car

 

[LetsGoFast]

Also, just because the summon button appeared on your phone doesn't mean you could have activated summon. Lots of other conditions must be met too.

 

[luvnMyTS]

Phone app requires a PIN be entered that is not the same as your password. Similar to an ATM pin. So, if you lose your phone and have your password saved in your app, yes, someone could unlock the doors and use all the controls the app allows, however if they want to drive it, they would have to know your PIN, which cannot be saved into the phone.

 

[bridaus]

PIN, password, fob, what's the difference? All of them can be stolen. Live life, let actuaries worry about theft.

 

[Caligula]

My father in law lost his keys once a local sports event. Someone apparently found them and walked around the parking lot until they found the car that flashed its lights and beeped when they spammed the "lock" button on the key fob (were aasuming). They later found his car (sans stereo) a few miles away the next day. Keys still in the ignition.

Just saying.

 

[LetsGoFast]

Phone app requires a PIN be entered that is not the same as your password. Similar to an ATM pin. So, if you lose your phone and have your password saved in your app, yes, someone could unlock the doors and use all the controls the app allows, however if they want to drive it, they would have to know your PIN, which cannot be saved into the phone.

There is at least one phone app that can start your car without a PIN.

 

[bonnie]

Basically anyone with your Tesla app login info, no matter how they get it, can locate your car, open it, and drive away, if you have mobile access enabled. They can even disable valet mode, disable mobile access, etc once they're in the car.

So never give your login and password to anyone. No third party websites or software/apps. Don't keep it written down. Make sure it's at least a moderately strong password, too. Keep an eye out for phishing attempts, since no one legitimate will ever ask for this password. Etc etc etc.

Most people don't realize that those credentials are literally like a copy of the keys to your car.

Yep. But tons of people on this forum alone have handed off their credentials just to access third-party apps. I don't get it.

Don't give out your password. Period. Best security tip ever.

 

[green1]

I noticed tonight that as my wife took the car out of the garage and I had the Tesla app open on my phone several rooms away, that the "Summon" button appeared, even though I was clearly well out of visible range of the car. That led me to start thinking about what it is exactly that allows Summon to become available as an option in the mobile app. I quickly came to the hypothesis that perhaps the Summon option becomes available if *either of an owner's FOBs is near the car and your phone app happens to be active (i.e. perhaps there's no GPS check on the phone side). That got me to thinking that if someone was able to access just my Tesla credentials, it's conceivable that they could initiate Summon by remotely polling for it from the REST API and then moving the car remotely as I get in range with my FOB.

Admittedly, to make this exploit work, it would still require someone to obtain my login credentials, and theoretically, the car should still do a fairly good job of not crashing into anything while summoning, but if true, this simple trick is possibly the first instance where an attacker could remotely move a Tesla without previously having had physical access (unlike those BlackHat exploits from a while back).

Also, I got to thinking that if I'm wrong about the lack of a GPS phone location requirement, it really shouldn't hinder the exploit as there are numerous apps that will spoof GPS location for Android as well as jailbroken iOS.

It seems the only way to close this theoretical hole for now (if anyone happens to care) is to turn off Summon. Inevitably, if Tesla felt it was significant enough to close themselves, I suspect that Summon functionality would simply have to be removed from the mobile apps (i.e. the REST API) and relegated strictly to FOBs. :frown:

So what you're saying is that if someone manages to steal both your fob, AND your login credentials, they can steal your car.
Never mind the fact that for a very long time now they've been able to steal your car with either over of those and not need both.

Summon via the app is MORE secure than keyless driving,