Authentication flaws in the REST API (if you give 3rd party your private login info)

Can we agree that the authentication flaws, as listed, affect the Tesla API when used for third party Apps and services, but not when used by Tesla's own Apps?

Then, we can agree to disagree whether this, and all such, APIs should be treated as public and thus should be designed for third party use.

Reasonable conclusion?
 
Can we agree that the authentication flaws, as listed, affect the Tesla API when used for third party Apps and services, but not when used by Tesla's own Apps?

Third party apps like the Windows mobile app are not affected. Same with any third party tools that the user runs themselves without giving away their password to someone else.

I think this might be what you meant to write but it is not clear. You need to clarify if a "third party app" means an app written by someone other than yourself and Tesla (a third party author), or whether it means an app that architecturally sits between you and Tesla (a third party in the middle of the authentication flow). Big difference between the two meanings.

Then, we can agree to disagree whether this, and all such, APIs should be treated as public and thus should be designed for third party use.

It is what it is. Let's focus on responsibly using what we have, and avoiding the creation of an embarrassing situation for Tesla that would cause us to lose it all.
 
Third party apps like the Windows mobile app are not affected. Same with any third party tools that the user runs themselves without giving away their password to someone else.

Yes and no. You still have to trust the app. However, people can vet that the app isn't sending off your password to some other site and look at the code if it's open source. It's impossible to vet a website.
 
Yes and no. You still have to trust the app. However, people can vet that the app isn't sending off your password to some other site and look at the code if it's open source. It's impossible to vet a website.

You always have to trust someone, or trust no one. I have to trust that the Tesla app doesn't have a virus in it that is sending off my password to some other site. I have to trust the Google Store or Apple Store that I downloaded the Tesla app from is really giving me the Tesla app. I have to trust that Verizon wireless hasn't had their DNS server hacked to redirect my request to download the app to a malicious download server. At least with third party apps distributed as open source I can verify the code easily.

You are correct that it is impossible to vet a website. Look at what happened to LinkedIn and Sony when hackers broke in and published millions of users names and passwords.
 
#1 Mint.com was a start-up once-upon-a-time. A lot of people trusted it with their banking credentials long before Intuit acquired them.

#2 Yes, Bank of America is stupid. In general, banks are among the least secure online systems.

Mint.com is actually a perfect example of the point I am trying to make. And so are the countless frequent flyer point tracking sites. And many other similar online systems that have grown up around half-assed API ecosystems.

Personally I've always reacted to such sites with horror, and have never entered my credentials into any such thing. I've always found it astounding that people would give their banking credentials to a third party site. I agree about half-assed API ecosystems, but I disagree that companies have to participate in an API ecosystem at all. It comes at a cost to the company, because once you make the API public you have to worry about backwards compatibility. Current Tesla can change their API at any time and issue an update to their official apps. I can understand your desire to promote API ecosystems and encourage companies to design APIs with that in mind. I strongly disagree that companies need to decide to do so. Now whether it would be better if Tesla started to lock down the API to prevent third party use, I'm not sure (if I were at Tesla, I probably would have included some sort of app authentication from the beginning).
 
You always have to trust someone, or trust no one. I have to trust that the Tesla app doesn't have a virus in it that is sending off my password to some other site. I have to trust the Google Store or Apple Store that I downloaded the Tesla app from is really giving me the Tesla app. I have to trust that Verizon wireless hasn't had their DNS server hacked to redirect my request to download the app to a malicious download server. At least with third party apps distributed as open source I can verify the code easily. I can't do that with Tesla's app.

Yes, that's exactly my point. As long as you have a way of trusting the app it's fine. I still wouldn't enter my credentials into Wingo's super snazzy closed source Tesla app just because it said it was OK and it was an app.
 
Yes and no. You still have to trust the app. However, people can vet that the app isn't sending off your password to some other site and look at the code if it's open source. It's impossible to vet a website.

Yes, we are agreeing. Sometimes I respond to people's posts, and quote them, and agree with them, all at the same time ;-)

For the record, I also agree that typing passwords into strange web sites and flossing with razor blades are also bad ideas.
 
Please confirm you are an owner by posting a private thread

Wrong forum for that. TMC is not run by Tesla.

Let's not vilify @nspollution. If you do some basic internet research you can see that George is a Tesla owner. He has been open about who he is, and he has publicly defended Tesla against other crackpots and EV haters. He is also a computer professional so he does know a thing or two about what he is talking about.

Everyone needs to take a big deep breath and calm down and keep the dialog productive.

If you find a security flaw or have a concern, be a White Hat. Inform Tesla, be discreet, close the hole if you can.
 
You can say it's flawed in your opinion, but not "thus flawed".

The beauty of being someone who is an authority on API design is that "my opinion" matters.

It's flawed.

- - - Updated - - -

It was a self-MITM attack. An SSL proxy is placed so traffic passes through it, proxy CA installed onto iPhone as trusted, then App started. Not something that could happen on public wifi unless you manually installed the MITM SSL proxy's CA.

OK, that's good.

- - - Updated - - -

Exactly. I'm really surprised that a so-called "expert" did not bother to figure this out first before bagging on it.

I did not. I said IF it were executed as a standard MtM attack, then it's a problem. I also went on to say that I don't know how, IN FACT, the reverse-engineering occurred.

- - - Updated - - -

Please confirm you are an owner by posting a private thread

Does my ownership status change the facts in my article?
 
The beauty of being someone who is an authority on API design is that "my opinion" matters.

So you claim to be the expert, but a bit later you explain you aren't aware of how the API was reverse engineered.

I did not. I said IF it were executed as a standard MtM attack, then it's a problem. I also went on to say that I don't know how, IN FACT, the reverse-engineering occurred

As you can see, since everything goes over SSL there is no way you can ever intercept a username + password without the App throwing an error. It probably won't connect at all.

The point still is that to exploit this you require the username and password.

The API is only used in the closed source iPhone and Android App. So I find it hard to see where the API is actually not secure and open to hacking. Unless you see a way to snoop my username and password without my SSL connection breaking. That's simply not possible.
 
I disagree that companies have to participate in an API ecosystem at all.

This is an important philosophical difference.

I believe everything should have an API. And whether you want it or not, everything will have an API. All things become much more useful when they can interact with other things and when third-parties can add value that the original company neither has the resources or vision to implement.

The API-driven Internet of Things is inevitable.

* You can ignore it and become less useful than others (most companies).
* You can fail to plan for it and expose your customers (Tesla, Banks).
* You can embrace it and see your invention used in amazing ways (Amazon Web Services, Philips Hue).
 
This is an important philosophical difference.

I believe everything should have an API. And whether you want it or not, everything will have an API. All things become much more useful when they can interact with other things and when third-parties can add value that the original company neither has the resources or vision to implement.

The API-driven Internet of Things is inevitable.

* You can ignore it and become less useful than others (most companies).
* You can fail to plan for it and expose your customers (Tesla, Banks).
* You can embrace it and see your invention used in amazing ways (Amazon Web Services, Philips Hue).

I totally agree that any API that is there will be used. Regardless whether it's documented or not.

I wonder, have you talked to Tesla directly about this?

My biggest worry right now is that this will blow up and they will shut the API down. And that would suck for the owners who are very careful with their credentials...
 
The API is public whether it's called that or not. It's accessible by the public. But, the "flawed" concept is blown out of proportion. Take, for example, the major issue listed:

* It requires the sharing of the user’s password with third-parties (major)

You know what, my ATM card/bank login/brokerage account are all flawed. They all require sharing my PIN/username/password with third-parties for integration. This is not a good argument from a so-called expert. Just because some guy in China has put up a site and wants to "integrate" with my bank account doesn't REQUIRE crap from me.

The key concept missing is "authorized" third-parties. And until such time arrives it's user beware like anything else.
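The "authorized third-parties" concept above, as an added example that is not from this thread, from Tesla, or from any third-party app: a constructed, hypothetical issuer that contrasts handing a third party the raw password with delegating a scoped, revocable token. Every name here (AuthServer, ACTION_SCOPE, the action list) is an assumption for illustration, not Tesla's API.

```python
import hashlib, hmac, secrets, time

# Hypothetical vehicle actions and the scope each one needs (constructed for this example).
ACTION_SCOPE = {"read_state": "read", "honk_horn": "control", "unlock": "control"}

class AuthServer:
    """Issuer that holds only salted password hashes and a table of delegated tokens."""

    def __init__(self):
        self._creds = {}   # username -> (salt, pbkdf2 digest)
        self._tokens = {}  # token -> (username, frozenset(scopes), expiry epoch)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_password(self, user, password):
        rec = self._creds.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(self._digest(password, rec[0]), rec[1])

    def issue_token(self, user, password, scopes, ttl=3600):
        # The owner authenticates to the issuer directly; the third party never sees the
        # password, only a token limited to the scopes granted here.
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, frozenset(scopes), time.time() + ttl)
        return token

    def revoke(self, token):
        # Revoking one delegation leaves the password and any other tokens untouched.
        self._tokens.pop(token, None)

    def authorize(self, token, action):
        rec = self._tokens.get(token)
        if rec is None or time.time() > rec[2]:
            return False
        return ACTION_SCOPE[action] in rec[1]

def password_holder_can(server, user, password, action):
    # A third party that was handed the raw password is indistinguishable from the owner:
    # it can perform every action, and the only way to cut it off is to change the password.
    return action in ACTION_SCOPE and server.check_password(user, password)
```

A read-only token lets a tracking site poll vehicle state but not unlock the car, and the owner can revoke that one site without touching the password.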
 
My biggest worry right now is that this will blow up and they will shut the API down. And that would suck for the owners who are very careful with their credentials...

That's my greatest concern as well. I've said elsewhere, I'd rather this API with this flaw than no API at all.

But it would be difficult to do. They can't shut it down based on IP because of the mobile apps. They could use the user agent header, possibly, but you can still forge that.

The only real way would be to distribute a key with the app and use it to sign requests. But that would be relatively simple to reverse hack as well for a good mobile app developer (which I am not).
 
So you claim to be the expert, but a bit later you explain you aren't aware of how the API was reverse engineered.

I fail to see how these two things are in conflict. I am an expert on API design. That doesn't mean I know how every individual has managed to reverse-engineer every reverse-engineered API on the planet. You learn that by talking to the person who did the reverse-engineering, not being an expert.

If you doubt my credentials, look them up. But stop playing silly games because you're too lazy to do so.
 
Time for everyone to take a deep breath and think nice thoughts......

- - - Updated - - -

Mod Note: I amended the title to make it more relevant to the original article.

I'd additionally like to note that as a total incompetent when it comes to REST API I also felt it necessary to read this whole thread and the article (twice!) to reassure myself that my Tesla app is not likely to be, nor easily will be, hacked. Sometimes all this tech talk does is to scare us innocents.....just sayin'.
 
Time for everyone to take a deep breath and think nice thoughts......

- - - Updated - - -

Mod Note: I amended the title to make it more relevant to the original article.

I'd additionally like to note that as a total incompetent when it comes to REST API I also felt it necessary to read this whole thread and the article (twice!) to reassure myself that my Tesla app is not likely to be, nor easily will be, hacked. Sometimes all this tech talk does is to scare us innocents.....just sayin'.

And this is important to me. I appreciate the technical analysis by an expert. But I want to make sure this doesn't turn into a press panic frenzy that confuses non-techies.
Yes, the API is flawed. But as far as we know there is no actual danger as long as an owner doesn't hand credentials to a third party site.
 
Yes, the API is flawed. But as far as we know there is no actual danger as long as an owner doesn't hand credentials to a third party site.

I think there's a problem with the underlying assumption that empowering third-party sites to add value to your car is a bad thing.

I know I sorta suggested as much at one or more points in this thread. But it's not. They add value. Everyone legitimately does it all the time with a variety of web sites, including banking web sites. It is increasingly becoming an expectation.

If people think about it, they often think, "What is the worst that can happen?" And they still share their banking credentials with sites like Mint.com. In the case of Tesla, on the face of it, you might just think it's about honking horns.

For those that just don't agree with me and think I should never say anything negative about Tesla, someone else made a great point over on the Tesla Motors web site:

-> If one of these third-party sites gets hacked and it impacts a large number of Tesla owners, what do you think the press coverage is going to look like then? And who do you think will get blamed?

- - - Updated - - -

Sometimes all this tech talk does is to scare us innocents.....just sayin'.

I think, in this case, it should. At least a little. NOT in the sense that there's some kind of immediately exploitable hole that will crash your vehicle.

But instead that there are real things you need to consider when you leverage third-party tools that aren't true of other, better written environments out there. I think any environment is flawed if it requires you to have this kind of special knowledge.