
Accounts affected by Heartbleed bug?

Discussion in 'Model S: User Interface' started by anticitizen13.7, Apr 12, 2014.

  1. anticitizen13.7

    anticitizen13.7 Enemy of the Status Quo

    Joined:
    Dec 22, 2012
    Messages:
    2,551
    Location:
    United States
  2. alset

    alset Member

    Joined:
    Sep 7, 2012
    Messages:
    139
    Location:
    Boston
    Unclear if Tesla uses OpenSSL and if so, what version:
    LastPass - LastPass Heartbleed checker

    Tesla should really post something in their blog about it. There's a decent chance they'll recommend everyone to change their password but we need to be sure they're not running a vulnerable server first. If they're not vulnerable, I'd also love to know why (but we might not get that info).

    On a related note, anyone who shared their password with other sites that bridged over to the Tesla REST APIs should probably be discussed here too. I don't know what the sites are but a comment from the site maintainers would be good.
     
  3. TM Ownership

    TM Ownership Member

    Joined:
    Apr 15, 2014
    Messages:
    5
    Location:
    Palo Alto, CA
    #3 TM Ownership, Apr 15, 2014
    Last edited by a moderator: Apr 15, 2014
    Over the past week, there has been lots of online news regarding a security vulnerability within versions of OpenSSL, known as the Heartbleed Bug. After a comprehensive review of our services by our dedicated team of information security professionals, we would like to report that we have not found any evidence of compromised exposure to the OpenSSL vulnerability and that our systems, including our website and vehicle related resources, are not using a version vulnerable to the Heartbleed Bug. Your account details remain secure. Regardless, we recommend that our customers change their passwords as an added precaution.

    Whether it’s developing the car that has the highest safety rating or doing everything in our power to protect our customers against online incursions, security is Tesla’s top priority. Our dedicated team of best-in-class information security professionals protect our products and systems from vulnerabilities on an ongoing basis, and we continue to work with security researchers around the world who are incentivized to report any potential issues. To offer customers an extra level of confidence, two weeks ago, we updated our minimum password requirements from six to eight characters, and we encourage the use of passwords that are considerably stronger. We have also implemented a password lockout feature that requires MyTesla account holders to reset their passwords via our website after five failed login attempts.
    We have taken these steps because we consider the security of the website and mobile application of paramount importance. Just as we encourage customers to protect their MyTesla credentials with the same care they would dedicate to any of their other accounts (online or otherwise) with sensitive information, we are committed to doing what we can to ensure the maximum level of protection. It’s also important to note that, in case customers remain concerned about general online or mobile app security, we have given Model S owners the option of disabling mobile access through the Controls menu on the car’s touchscreen.

    We strongly encourage anyone to report security issues on any of Tesla’s products via the Responsible Reporting process on our website: https://www.teslamotors.com/about/legal#security-vulnerability-reporting....
    Through that process, we offer a range of rewards to security researchers who report valid issues to help us bolster online security and further protect our products.
     
  4. Kraken

    Kraken Member

    Joined:
    Nov 20, 2012
    Messages:
    799
    Location:
    Voltageville, CA
    Wow... The above needs to be posted elsewhere too... Probably as a blog entry on teslamotors.com

    bravo on the response.
     
  5. gg_got_a_tesla

    gg_got_a_tesla Model S: VIN P65513, Model 3 Res Holder

    Joined:
    Jan 29, 2010
    Messages:
    6,097
    Location:
    Redwood Shores, CA
    Cool! Welcome, 'TM Ownership'. Hope we get to see more posts from you on other topics as well.
     
  6. anticitizen13.7

    anticitizen13.7 Enemy of the Status Quo

    Joined:
    Dec 22, 2012
    Messages:
    2,551
    Location:
    United States
    Thanks, TM Ownership and welcome to the forum!

    It's great to get this level of detailed response :)
     
  7. Hybris

    Hybris Member

    Joined:
    Sep 14, 2013
    Messages:
    445
    Location:
    Sweden
    Please also add an SMS OTP option for the website, a PIN code lock in the car for changing settings (to protect when valet, detailer etc.), and add a GPS ring-fencing function to the car, meaning I get an alarm in the phone app if the car moves more than x meters/km.
     
  8. alset

    alset Member

    Joined:
    Sep 7, 2012
    Messages:
    139
    Location:
    Boston
    First of all, credit to TM Ownership (and presumably internal security staff) for responding to this. The password requirement improvements and the communication of a vulnerability reporting process are progress.

    However, this post really feels like an earnest communication effort from a security department overly edited by a marketing department, removing the ability to know the precise security situation. By 4/15, it is clear that most web sites that were vulnerable to Heartbleed were no longer running the vulnerable versions of OpenSSL, nor had they any evidence of exposure. (There would typically not be any evidence left in a successful exploit of Heartbleed.)

    What would be a better statement to make is whether Tesla was running a vulnerable version of OpenSSL during this period and that it was patched since. In that scenario, there was clear possibility of a leak and we should definitely rotate passwords - indeed many sites are requiring it. Given that you recommend that we all rotate passwords, I assume that is the case but it's a pity you are not clearer on the subject, as many web sites have been.

    These two statements seem in conflict in the context of Heartbleed:
    > Your account details remain secure.
    > we recommend that our customers change their passwords as an added precaution.

    How do you know our account details remain secure if there was ever Heartbleed exposure? If there was never exposure, please say so.

    Thank you!
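An added example (not code from any poster in this thread, nor from Tesla) of the triage alset is asking for: deciding exposure from which OpenSSL build a host ran before and after disclosure, rather than from an absence of evidence. The host inventory and the `fix_backported` override are constructed for the demo; the 7 April 2014 disclosure date and the affected range 1.0.1 through 1.0.1f are public facts about OpenSSL.

```python
import re
from dataclasses import dataclass
from datetime import date

# Public disclosure of Heartbleed and release of the fixed OpenSSL 1.0.1g.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_version(text):
    # '1.0.1e-2+deb7u7' -> (1, 0, 1, 'e'); the distro suffix is ignored.
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def is_vulnerable_version(text, fix_backported=False):
    # Only 1.0.1 through 1.0.1f shipped the buggy heartbeat code; 1.0.1g fixed it.
    # Distros that backport the fix keep the old version string, hence the override.
    if fix_backported:
        return False
    major, minor, patch, letter = parse_version(text)
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"

@dataclass
class Host:
    name: str
    version_before: str        # build running when Heartbleed was disclosed
    version_now: str           # build running at review time
    patched_on: date = None    # when version_now went live; None if unchanged
    fix_backported: bool = False  # vendor fixed it without bumping the letter

def assess(host, review_date):
    # Decide from version history, not "no evidence found": a Heartbleed memory
    # read leaves nothing in ordinary web server logs to find afterwards.
    was_vulnerable = is_vulnerable_version(host.version_before)
    still_vulnerable = is_vulnerable_version(host.version_now, host.fix_backported)
    end = host.patched_on if host.patched_on and not still_vulnerable else review_date
    days = max((end - HEARTBLEED_DISCLOSED).days, 0) if was_vulnerable else 0
    return {"host": host.name, "exposed": was_vulnerable, "exposure_days": days,
            "still_vulnerable": still_vulnerable, "rotate_credentials": was_vulnerable}

# Constructed sample inventory for this demo, not real hosts.
INVENTORY = [
    Host("www", "1.0.1e", "1.0.1g", date(2014, 4, 9)),
    Host("api", "1.0.1e-2+deb7u7", "1.0.1e-2+deb7u7", date(2014, 4, 8), True),
    Host("legacy", "1.0.0k", "1.0.0k"),
    Host("lab", "1.0.1f", "1.0.1f"),
]

def review(inventory=INVENTORY, review_date=date(2014, 4, 15)):
    return [assess(h, review_date) for h in inventory]
```

Any host whose `exposed` flag is set warrants credential rotation and reissued keys regardless of what the logs show; `exposure_days` only bounds the window after public disclosure, since earlier exploitation cannot be ruled out.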
     
  9. Kraken

    Kraken Member

    Joined:
    Nov 20, 2012
    Messages:
    799
    Location:
    Voltageville, CA
    Seemed simple to me. Perhaps a security risk at another site exposed someone's password there. Perhaps some people use the same passwords at Tesla too. Sounds like CYA to me.
     
  10. anticitizen13.7

    anticitizen13.7 Enemy of the Status Quo

    Joined:
    Dec 22, 2012
    Messages:
    2,551
    Location:
    United States
    This is a good point. Extra clarification would be welcome.

    I believe that the recommendation that customers change passwords exists because there are many people who use the same password for multiple sites, despite the practice being generally discouraged. If someone has used the password they use for Tesla on another website that was affected by Heartbleed, a hacker could conceivably have stolen the password and might try it on the Tesla website. EDIT - Kraken beat me to it. Should have read through the whole thread, LOL.
     
