
Authentication flaws in the REST API (if you give 3rd party your private login info)

The API is public whether it's called that or not. It's accessible by the public.

So, the API in the original iPhone SDK was public? The one hacked together by the community by jail breaking the first iPhone 2Gs, then reverse-compiling header files from the objects and resources?

I have a different definition of public. I call that an unauthorized API, or a private API, because I don't think the owner of the API should be held responsible for flaws that only appear when the API is not used as intended.
 
I'd additionally like to note that as a total incompetent when it comes to REST API I also felt it necessary to read this whole thread and the article (twice!) to reassure myself that my Tesla app is not likely to be, nor easily will be, hacked. Sometimes all this tech talk does is to scare us innocents.....just sayin'.

And that is exactly why I am pressing this issue.

Unless we are very clear about the extent of a vulnerability, in the original post/article/presentation, it is misinterpreted by both the end-users and the press (who look for sexy headlines). The emphasis of this should have been that these flaws only affect unauthorized third party apps/services of the API, and not normal users of the Tesla Apps. The emphasis should have been, IMHO, that you shouldn't be entering your credentials into random websites. But, that is not as sexy as a flawed API.
 
The emphasis should have been, IMHO, that you shouldn't be entering your credentials into random websites. But, that is not as sexy as a flawed API.

Except that's not the point here. There's nothing wrong with leveraging value-add web sites. It's a flaw that Tesla doesn't provide a mechanism other than giving out your TeslaMotors.com credentials.

And I resent the repeated implications that I'm going for sensationalism. I don't need to, and I'm not. So, instead of attacking my integrity, why don't you focus on the facts?
 
And I resent the repeated implications that I'm going for sensationalism. I don't need to, and I'm not. So, instead of attacking my integrity, why don't you focus on the facts?
I think that's because so often here we have trolls and sensationalists and other annoying people to deal with. So many people develop a healthy dose of skepticism. Especially if the person posting hasn't shown themselves much in these forums before.
And the more your arguments sound like "proof by repeated assertion", the more people will attack you. I think you have some good points. But I don't understand why you are so insistent on "I'm the expert, you are all wrong" instead of trying to help us come up with a sane, balanced analysis of the situation.
And I simply disagree that anything in your analysis proves that there is a risk to users just using the Tesla apps. Yet you keep making that assertion. And to me that weakens your point and credibility of what your actual goals are.
 
Except that's not the point here. There's nothing wrong with leveraging value-add web sites. It's a flaw that Tesla doesn't provide a mechanism other than giving out your TeslaMotors.com credentials.

And I resent the repeated implications that I'm going for sensationalism. I don't need to, and I'm not. So, instead of attacking my integrity, why don't you focus on the facts?

To be clear, I'm not attacking anybody's integrity. I've been very careful not to. Please re-read my posts.

The sensationalists are the press (which is the reason for my comment about 'sexy headlines'). They take posts like yours and twist it to their own agenda.
 
Especially if the person posting hasn't shown themselves much in these forums before.

Actually, I have been active around here since I placed my initial order in April.

But I don't understand why you are so insistent on "I'm the expert, you are all wrong"

That's not my argument. People keep questioning why I would write this stuff in the way I wrote it. The answer is because I am an expert in API design and I write about this **** as a result.
 
It's a flaw that Tesla doesn't provide a mechanism other than giving out your TeslaMotors.com credentials.

It would be a flaw if Tesla was supplying access to this API in any official capacity. However, what I've reverse-engineered and documented isn't anything close to a car API. Technically, it's a mobile app API and fits in to only that use case. Tesla built it with the mobile app in mind, so saying the API is flawed for something far outside the designed task is disingenuous.

It would be like us figuring out how to gain root access to the firmware and then blame Tesla for having such lax security once we're inside, peering around at the internals of the system.

Realistically, the only way to use this app API securely is via code you can see and execute yourself. I wouldn't use anything other than open source software that you can run for yourself and ensure private operation. Again, this is not an open OAuth API with proper application registration, so access it only from the privacy of systems and code you control.
 
Except that's not the point here. There's nothing wrong with leveraging value-add web sites. It's a flaw that Tesla doesn't provide a mechanism other than giving out your TeslaMotors.com credentials.

Well, no. (a) You want them to provide a mechanism, and (b) they don't. It is not the case that they provide a flawed mechanism, and it's not a flaw that they don't provide a mechanism (or don't provide an unflawed one). They provide no mechanism; someone(s) reverse-engineered (I hesitate to say "hacked") private APIs and turned it into something people could use.

Hopefully this brouhaha won't result in Tesla cutting all you REST API folks off at the knees, but it's quite possible.
 
But it would be difficult to do. They can't shut it down based on IP because of the mobile apps. They could use the user agent header, possibly, but you can still forge that.

The only real way would be to distribute a key with the app and use it to sign requests. But that would be relatively simple to reverse hack as well for a good mobile app developer (which I am not).

One way could be to force users to associate a single (or, maybe 2-3) device's IP in the My Tesla dashboard and enforce on the server for each account. Not very convenient (particularly for the less tech-savvy) for customers, I suppose. Well, then, there's always IP spoofing, I guess...

Speaking of Bank of America, what do you think of their SafePass setup as a gating mechanism? Is it meaningful for something like API-level access?
 
I am still waiting to hear some concrete recommendations from George (nspollution) on how Tesla could make things better. Something more than just "use OAuth". Something practical too, given that they don't have an army of programmers to crank stuff out like Twitter and Facebook. What makes the community surrounding this API so special is the incredible willingness to share more than just opinions.
 
I would have someone else try that, in order to still be able to measure the time it will work.

Also, I would have someone else try it and see if logging in to another device invalidates the previous token.

I don't have the patience to prove that it takes 3 months for the token to expire. Maybe someone else can try.

Logging in on another device doesn't invalidate anything. I routinely login to Tesla simultaneously on 4 or 5 devices and they all work.
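To make the disagreement in this thread concrete, here is an added example (not Tesla's code, and not code from any poster) that models the two designs being argued over: the password-login token scheme the thread describes, where logging in on another device invalidates nothing and a token lives for months, next to the "proper application registration" alternative mentioned a few posts up, where a third-party site gets a scoped, separately revocable token and never sees the password. Everything in it is constructed: the user, the client id "charting-site", the action names "charge_state" and "honk_horn", the 90-day lifetime (taken from the three-month figure a poster reports, not from any Tesla documentation) and the in-memory token store are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

NINETY_DAYS = 90 * 24 * 3600  # roughly the token lifetime one poster reports (assumption)


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)  # salted PBKDF2-SHA256; returns (salt, digest)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenService:
    """Toy token server (hypothetical, not Tesla's code) with two ways to get access.

    Password path: username + password -> long-lived, full-access bearer token, as the
    thread describes; any password holder gets one and new logins leave old tokens alone.
    Delegated path: the user approves a registered client for a scope; the client gets a
    (user, client, scope)-bound token the user can revoke by itself, never the password.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}       # username -> (salt, digest)
        self.sessions = {}    # token -> {"user", "expires"}
        self.clients = set()  # registered third-party client ids
        self.grants = {}      # token -> {"user", "client_id", "scope", "expires"}

    def register_user(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        stored = self.users.get(username)
        if stored is None:
            return None
        salt, digest = stored
        if not hmac.compare_digest(digest, hash_password(password, salt)[1]):
            return None
        token = secrets.token_urlsafe(24)
        # Existing sessions are left alone: logging in elsewhere invalidates nothing.
        self.sessions[token] = {"user": username, "expires": self.now() + NINETY_DAYS}
        return token

    def grant(self, session_token, client_id, scope):
        # The user, authenticated by their own session, approves a client for a scope.
        sess = self._live(self.sessions, session_token)
        if sess is None or client_id not in self.clients:
            return None
        token = secrets.token_urlsafe(24)
        self.grants[token] = {"user": sess["user"], "client_id": client_id,
                              "scope": frozenset(scope), "expires": self.now() + NINETY_DAYS}
        return token

    def revoke_client(self, session_token, client_id):
        # Drops every grant this user gave to client_id; returns how many were dropped.
        sess = self._live(self.sessions, session_token)
        if sess is None:
            return 0
        doomed = [t for t, g in self.grants.items()
                  if g["user"] == sess["user"] and g["client_id"] == client_id]
        for t in doomed:
            del self.grants[t]
        return len(doomed)

    def vehicle_call(self, token, action):
        # Returns the owning username if `token` may perform `action`, else None.
        sess = self._live(self.sessions, token)
        if sess is not None:
            return sess["user"]  # password-path token: every action, no scope at all
        g = self._live(self.grants, token)
        return g["user"] if g is not None and action in g["scope"] else None

    def _live(self, table, token):
        entry = table.get(token)
        return None if entry is None or entry["expires"] <= self.now() else entry


def demo():
    # Walks both paths on a constructed account and returns the observations as a dict.
    clock = [1_000_000.0]
    svc = TokenService(now=lambda: clock[0])
    svc.register_user("owner", "correct horse battery staple")
    svc.clients.add("charting-site")  # a hypothetical third-party site
    own_app = svc.login("owner", "correct horse battery staple")
    # Password path: a website that asked for the password logs in exactly like the app.
    website = svc.login("owner", "correct horse battery staple")
    # Delegated path: the same website is instead granted a read-only token by the owner.
    delegated = svc.grant(own_app, "charting-site", {"charge_state"})
    out = {
        "app_valid_after_second_login": svc.vehicle_call(own_app, "honk_horn") == "owner",
        "website_with_password_can_honk": svc.vehicle_call(website, "honk_horn") == "owner",
        "delegated_can_read": svc.vehicle_call(delegated, "charge_state") == "owner",
        "delegated_can_honk": svc.vehicle_call(delegated, "honk_horn") == "owner",
        "revoked_count": svc.revoke_client(own_app, "charting-site"),
    }
    out["delegated_after_revoke"] = svc.vehicle_call(delegated, "charge_state")
    # The website's password-derived token is not tied to the website: nothing to revoke.
    out["website_valid_after_revoke"] = svc.vehicle_call(website, "honk_horn") == "owner"
    clock[0] += NINETY_DAYS + 1  # roll the clock past the token lifetime
    out["app_after_expiry"] = svc.vehicle_call(own_app, "honk_horn")
    return out
```

Running `demo()` shows the asymmetry the thread is circling: on the password path the website's token is a full-access session indistinguishable from the owner's own app, so the only way to cut it off would be to cut off every session, whereas the delegated token can be limited to reading charge state and dropped on its own. Neither the User-Agent check nor an app-embedded signing key from the earlier post changes that picture, because both only prove "someone holds the shared key", not which user consented to which client.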
 
That's my greatest concern as well. I've said elsewhere, I'd rather this API with this flaw than no API at all.
You can't have it both ways. You can't create a public ****storm and then expect Tesla to do anything other than react by shutting down the API. Sadly, I expect them to shut it down before 2014 because of the way your concerns were raised. So thank you for that. Not.