-
Want to remove ads? Register an account and login to see fewer ads, and become a Supporting Member to remove almost all ads.
Authentication flaws in the REST API (if you give 3rd party your private login info)
- Thread starter nspollution
- Start date
-
- Tags
- Model S User Interface
I think in the security industry I work in, my view is the accepted one, and the majority.
I'll try one more time to explain the difference. Please read what I said carefully:
For Microsoft to not be accountable, (a) the API must work fine for its original purpose, and (b) someone unauthorized must re-purpose it for some other use that introduces this new vulnerability not present in the original use. That is the line that is drawn.
In the case of a straightforward Microsoft API (public or private), if a hacker exploits a vulnerability in that API in normal use, then Microsoft is accountable. If someone takes a Microsoft API and uses it for something different that introduces new flaws that were not present in the original use case, then I would not hold Microsoft accountable.
In the case of the Tesla API, Tesla designed it for Tesla Apps to talk to Tesla servers, and both authorizes and supports it as such. None of the identified flaws affect the API in that use case.
Now, others have MITM reverse engineered the API and are now using it for purposes not originally intended. These new purposes (third party Apps and web services) introduce grave security concerns and when used in that way, the API is flawed - or to put it another way, plainly not suitable. Nothing new here, we've been discussing this here for months, and whenever someone announces a new service based on this API, we all chime in with warnings. Caveat emptor.
Bottom line: To me, it comes down to the simple fact that using this API, for the purpose it was designed for, is secure (or at least not vulnerable to these flaws identified).
Regarding the more philosophical point of view of whether Tesla should have designed it this way, I would have hoped that Tesla would have had an API published and suitable for third party Apps and services by now. It would clearly be unacceptable for such an API to use the same authentication mechanism as this private one. Similarly for the apps on the 17" display. I believe that would be the best for Tesla, the community, and the product. But creating such an open ecosystem is certainly non-trivial, not least from a legal and support point of view, so I understand that Tesla may need some time to release this in a secure and supported way.
I really cannot write it clearer than that. This horse has truly been beaten to death. Perhaps all we can agree is to disagree and move on.
#2 is my biggest problem with the arguments so far.
Tesla produced apps. The apps were/are secure. Some folks figured out what the apps were doing and engineered their own apps.
So Tesla is at fault because the apps weren't so secure that an API couldn't be derived? It should've used encrypted communications that couldn't be tapped even by the customer? Are they at fault because rather than releasing an open API, they instead released an API that could be reverse engineered?
Tesla did #1; team that made mobile apps. Application users did #2; handed out creds to 3rd party sites. ... Tesla is at fault for the 3rd party app users?
Tesla is blameworthy here because, instead of following industry best practices in the way they handled API authentication, they made up their own scheme that makes support for third-parties weak.
NigelM
Recovering Member
This morning I'm talking to my wife and mentioned this subject and she had a whole new take on it. This is the gist of the conversation:
Mrs: These guys are hacking into the Tesla system and creating their own apps?
Me: Umm, basically yes.
Mrs: Isn't Tesla paying for those communications to the car?
Me: Yes.....
Mrs: So isn't that like stealing and then complaining that the bank made it too difficult?
Ouch.
Mrs: These guys are hacking into the Tesla system and creating their own apps?
Me: Umm, basically yes.
Mrs: Isn't Tesla paying for those communications to the car?
Me: Yes.....
Mrs: So isn't that like stealing and then complaining that the bank made it too difficult?
Ouch.
Personally, I would like to see two-factor authentication for all API access per device/system and token revocation -- all part of My Tesla. It would be a huge security improvement, and I think a necessity for large fleet management. (And, I think it would harden the overall security of the ecosystem as well.)
Johan
Ex got M3 in the divorce, waiting for EU Model Y!
Made me think of this, which is NOT an urban legend:
The burglar and the skylight: another debunking that isnt - Overlawyered
deonb
Active Member
Would you agree that the majority of the people in the world do not work in the security industry though?
Every Trojan in the world uses an API in a way that's not part of the original use case!
I think you're mixing a buffer overrun style attack on legit software with the ability to create malware using an API.
We don't have definitions of "normal use" vs. "abnormal use" in API design, and I doubt anybody else does either. You have to assume everything out there tries to DOS, EOP, MiTM, Key attack the API. Besides, sometimes a badly written piece of well intentional code can wreck more havoc than a well written virus. So you have to defend against everything anyway.
But maybe next time when we have a large Trojan, we'll just publish: "Oh, Slammer 2.0 wasn't using SQL in a way that we designed - so don't worry about it.".
The API is not secure. Tesla APP's are secure. But the security model of the API is simply based on "There can only be Tesla apps", but that stopped being true a while ago.
That's a pretty broad (and untrue) generalization. And again, you are comparing public APIs to private ones.
Most of the MS malware API attacks are indeed buffer overruns. But again, this is not an API in the sense of the Microsoft APIs, which are all meant to be used by 3rd parties.
That's good.
Horrible example. The API you are referring to is a public API. You claim there's no difference. If so, give me an example that is for a private API (and not one that MS made public by accident).
The security model of API is based on the fact that if someone wants security, they should only use the Tesla apps; not that there can only be Tesla apps. If someone is stupid enough to use a 3rd party app (like mine) without waiting for the SDK, caveat emptor.
Correct, which is why they come to experts for assistance in such matters.
Oh, good grief. At this point, I can only conclude that you must be deliberately missing the point.
What you are talking about is the exploit of an API in a way not originally intended, by a hacker. Fine, but irrelevant. Nobody has exploited this API in that way.
This is the use of an API in a way not originally intended, by a third party, that creates flaws to be exploited by a hacker. Tesla's API is for Tesla's Apps to talk to Tesla's server, and in that use case supported and authorised by Tesla, these 'flaws' do not exist.
Flossing with razor blades. I'm done.
Last edited:
NigelM
Recovering Member
Well they got the story from Forbes: newly-discovered-flaw-may-open-the-tesla-model-s-to-potential-attack-from-hackers/
I was being optimistic. Also, I figure "before 2014" is "soon" in Tesla terminology.
- - - Updated - - -
Pano shade?
- - - Updated - - -
Props for the reference.Fair enough. It's an honest philosophical difference. I realize that I sound like Commander Adamawhen I say I don't believe systems should be connected or networked.
NigelM
Recovering Member
The former is more aligned with my thinking, though the title isn't (I specifically have noted many times that there is no vulnerability; flaw != vulnerability).
Although it's odd they elected to refer to me as a "Dell Exec". I am most obviously NOT writing in my capacity as a Dell executive, but as an author and expert in REST API design (why it was published to the O'Reilly blog instead of the Dell blog).
These articles are only doing what you did: taking info and sensationalizing it. They don't bother to fact check. They don't bother to get it right. They go for the juicy headline and run as far as they can while doing the least amount of work. This was inevitable. It's one reason why so many took issue with your original thread title and article to begin with.
NigelM
Recovering Member
NigelM
Recovering Member
@nspollution: you're now famous in Holland= Tesla Model S Easy To Hack and also in France= The Tesla Model S can be hacked
Similar threads
