
Authentication flaws in the REST API (if you give 3rd party your private login info)

Actually, if you take that to its logical conclusion, no one should ever say anything because someone might misinterpret it. Every fact can be spun to meet a specific agenda. That's not a reason to avoid communication.

Jeez. That's not what anyone is saying. Multiple media outlets and blogs took your so well written article to the extreme because it was not clear and well written for a non-tech audience at least. Yes, you wrote it on a tech blog but when people pointed out how it was being misused, you say 'not my problem'. Someone pointed out before that is like someone walking by a burning building and saying 'not my problem, I'm an engineer not a firefighter'. You didn't start the fire but did absolutely nothing to put it out. Purely irresponsible behavior. The fact that you still don't make clear that someone has to give out their private username and password to make this exploit a reality is bizarre and makes us question your motivations. How is this any different than me giving out my bank login info to a third party? Is that a violation of the 'Internet of Things' whatever that is?
 
2 Things here...

#1 How is it that the title of MY THREAD gets changed to wording that I neither agree with nor intend?

#2 Again, the focus of everyone's vitriol seems to be that I did not write the facts in a manner they approve of? My writing was clear and appropriate to the target audience. The idea that I did nothing to put it out is just a lie. The fact that what I did wasn't to your liking or visible to you is irrelevant.

When you write an article, you always write to a target audience. I did actually take precautions against misinterpretation by external audiences when writing the article. I started the article describing all the things that CAN'T HAPPEN as a result of this flaw. That's actually poor, defensive writing. You don't start out describing a negative. But I wanted to make sure no one ended up writing that someone could target a Tesla and cause a wreck. I had the Prius article in mind when writing that.

Having said that, what you all are annoyed with is that the press doesn't understand the difference between a flaw and a vulnerability. Those are technical terms appropriate to the article I was writing. That's not something easily addressed, even after the fact.

As a side note, banks are blameworthy for the **** authentication systems they support as well. That's a very heavily discussed topic.
 
#1: You don't own the thread. Changed after abundant evidence there is nothing to this unless you share your login information and the original title is still there. Is that factually incorrect?

#2: You still refuse to clearly state in your article that you have to give out your private login info. Why is that? You hint at it in the second article but don't explicitly say it. You are getting a lot of attention for it so maybe that is your motivation. A well written, non-scary article wouldn't have gotten any outside press or attention.

Are you saying username and passwords are not great security? That is hardly news and not Tesla specific. Handing out your only source of protection from a 'hack' either to your bank account or car to an unknown third party is hardly a 'hack' or major security flaw. Should someday something better be in place? You make it seem like Tesla should have hit this security out of the park with a perfect system when they have a lot of other things going on. If banks worth billions of dollars haven't come up with anything better than username and password yet, Tesla should? Your article made it seem like people would be dialing into your car and maliciously doing things to it. Not the case.
 
#1: You don't own the thread. Changed after abundant evidence there is nothing to this unless you share your login information and the original title is still there. Is that factually incorrect?

I started the thread and I am its author. No one else has the right to attempt to change what I wrote to reflect their agenda.

This isn't a flaw "if you give your credentials to third parties". It's a potential vulnerability if you give your credentials to third parties. It's a flaw regardless because a) it can become a vulnerability WHEN people give their credentials to third parties and b) there are reasonable precautions one is expected to take when building a REST API to reduce that likelihood.

#2: You still refuse to clearly state in your article that you have to give out your private login info. Why is that? You hint at it in the second article but don't explicitly say it. You are getting a lot of attention for it so maybe that is your motivation. A well written, non-scary article wouldn't have gotten any outside press or attention.

Actually, I did say it. You just want me to put it in big blinking letters. And you don't agree with my conclusions.

A well written, non-scary article wouldn't have gotten any outside press or attention.

A lot of people think it is a well-written, non-scary, accurate reflection of the situation. There's nothing wrong with the fact that it got outside press and attention.

You just don't like your precious Tesla getting any negative press.

Are you saying username and passwords are not great security? That is hardly news and not Tesla specific.

No, that's not what I am saying.

Handing out your only source of protection from a 'hack' either to your bank account or car to an unknown third party is hardly a 'hack' or major security flaw.

No. The fact that it's the only source of protection is the flaw. Especially since, with respect to APIs, there are much better solutions readily available and commonly implemented. It is only laziness and incompetence that leads someone to build a REST API in 2013 with no such protections.

Thus, it is a flaw.

Should someday something better be in place? Sure but your article made it seem like people would be dialing into your car and maliciously doing things to it. Not the case.

It is possible and I guarantee you that one day it will happen.

- - - Updated - - -

Let me put this in really simple terms:

If you build a non-SOAP web services API, authentication should only ever occur via application-specific credentials that may be revoked on a case-by-case basis.

Anything else is a flaw in your authentication design.

It's that simple.
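A sketch of the "application-specific credentials that may be revoked on a case-by-case basis" design described above, as an added example that is not part of any post in this thread and not Tesla's API. The class, method, owner and application names are hypothetical.

```python
import hashlib
import hmac
import secrets


class AppCredentialStore:
    """Issues one bearer token per (owner, application); each is revocable alone."""

    def __init__(self):
        # token_id -> grant record; only a hash of the secret is kept server-side
        self._grants = {}

    def issue(self, owner, app):
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._grants[token_id] = {
            "owner": owner,
            "app": app,
            "digest": hashlib.sha256(secret.encode()).digest(),
            "revoked": False,
        }
        # The third-party app receives this token, never the owner's password
        return f"{token_id}.{secret}"

    def authenticate(self, token):
        token_id, _, secret = token.partition(".")
        grant = self._grants.get(token_id)
        if grant is None or grant["revoked"]:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, grant["digest"]):
            return None
        return grant["owner"], grant["app"]

    def revoke(self, owner, app):
        # Cuts off one application; other apps and the password are untouched
        count = 0
        for grant in self._grants.values():
            if grant["owner"] == owner and grant["app"] == app and not grant["revoked"]:
                grant["revoked"] = True
                count += 1
        return count


def demo():
    store = AppCredentialStore()
    logger = store.issue("owner@example.com", "data-logger")   # constructed sample
    widget = store.issue("owner@example.com", "phone-widget")  # constructed sample
    before = (store.authenticate(logger), store.authenticate(widget))
    store.revoke("owner@example.com", "data-logger")
    after = (store.authenticate(logger), store.authenticate(widget))
    return before, after
```

With a shared account password, the only way to cut off one application is to change the password, which cuts off every application at once.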
 
Yes, they do. That's a well-described problem, and it's much more serious than this same problem in the Tesla.

Your article made it seem like you discovered some serious new flaw in Tesla's security and that it was unique. So basically you are saying an online password alone isn't good security. So this surprising discovery of Tesla's lack of security is the same as every single bank I know of then. Why wasn't this highlighted in your article then? It could have easily been about how insecure a password only authentication scheme is especially if the user gives out the password to a stranger. This is very basic and hardly worthy of publishing.
 
Your article made it seem like you discovered some serious new flaw in Tesla's security and that it was unique. So basically you are saying an online password alone isn't good security. So this surprising discovery of Tesla's lack of security is the same as every single bank I know of then. Why wasn't this highlighted in your article then? It could have easily been about how insecure a password only authentication scheme is especially if the user gives out the password to a stranger. This is very basic and hardly worthy of publishing.

My article obviously went way over your head. All of the points you made above have nothing to do with my article.
 
My article obviously went way over your head. All of the points you made above have nothing to do with my article.

Well maybe take this as an opportunity to explain the differences to those not considered API experts. How is Tesla's implementation any different than any bank, website....etc where you use a username and password only? If I never give out my login info, how can my car become compromised? As I understand it, the flaw you found can only be easily exploited if the user gave out their private login information.
 
Then your house has this flaw. If you give your key to someone they can access your house. You have no way to invalidate that key unless you change your lock or move.

Houses do have this flaw. But they aren't REST APIs, so the rules that apply to them are different.

Furthermore, there are no commonly accepted ways of dealing with the problem, as there are with REST APIs.

It's only a flaw if it's reasonable for you to have done otherwise.

In the workplace, you are, in fact, expected to address this issue. If a company hands out physical keys to all of its employees, it's not simply considered a flaw, it's considered negligent and in violation of most commonly accepted physical security practices.

- - - Updated - - -

Well maybe take this as an opportunity to explain the differences to those not considered API experts. How is Tesla's implementation any different than any bank, website....etc where you use a username and password only? If I never give out my login info, how can my car become compromised? As I understand it, the flaw you found can only be easily exploited if the user gave out their private login information.

Given that you changed the title of this thread to reflect your agenda, forgive me if I don't see this request as being made in good faith.
 
Let me put this in really simple terms:

If you build a non-SOAP web services API, authentication should only ever occur via application-specific credentials that may be revoked on a case-by-case basis.

Anything else is a flaw in your authentication design.

It's that simple.
You're welcome to that opinion, but you might want to state this upfront as one of your assumptions when writing an article built on such assumptions. Journalistic integrity demands it.

- - - Updated - - -

I started the thread and I am its author. No one else has the right to attempt to change what I wrote to reflect their agenda.
Whether you started the thread or not, you are not the author. Everyone who has posted in the thread is the author. It's a community effort. As part of that community effort there are moderators, and they have powers to title threads whatever they feel is best. You don't "own" the title, and you never did. If you feel that you should have, then you might need to find a different forum (in the general sense) to express your thoughts.

- - - Updated - - -

You just don't like your precious Tesla getting any negative press.
Childish in content and tone.

- - - Updated - - -

The change is not accurate and thus less clear.
Please elaborate on this. It's not at all clear to me that either assertion is true.
Whoever changed is being intellectually dishonest.
Incorrect conclusion. You're assuming malicious intent when "different interpretation" is far more likely. Evidence that you're willing to jump to very likely incorrect conclusions based on incomplete information.
Thread titles should not change against the wishes of the author of the thread.
Wrong. Thread titles are forum property and one of the values provided by moderators is to keep threads in line, despite misguided or confused authors.

- - - Updated - - -

(1) My article obviously went way over your head. (2) All of the points you made above have nothing to do with my article.
(1) Could be construed as an undeserved and inappropriate personal attack. Necessary to prove your point? If so, then your point is weak.
(2) My interpretation of most of the replies on this thread is that they would agree with his points and not yours. Perhaps "we're all too stupid" to "realize" that "your precious" article is perfect and we're all idiots? See how such phrasing and tone is counterproductive to a productive debate?
 
You're welcome to that opinion, but you might want to state this upfront as one of your assumptions when writing an article built on such assumptions. Journalistic integrity demands it.

Actually, I did state it in the article. But, no, it's not considered an opinion. It's considered a basic information security control that's part of most standards.

Whether you started the thread or not, you are not the author. Everyone who has posted in the thread is the author. It's a community effort. As part of that community effort there are moderators, and they have powers to title threads whatever they feel is best. You don't "own" the title, and you never did. If you feel that you should have, then you might need to find a different forum (in the general sense) to express your thoughts.

This is a unique feature of this forum that any moderator with an agenda can alter the title of a thread to reflect something in opposition to the original poster. Generally, the title IS the creation of the original poster.
 
I wouldn't worry about it too much. The press has died down. Three weeks after his misleading article, he got his 15 minutes of fame in the press and no one else is screaming "HACKABLE! HACKABLE!"

George still has his religion that every API must be open, regardless of its use or value, and regardless of the cost to implement things like an OAuth service. No sane IT architect believes this -- and the ratings on my comment as well as other comments on his second post reflect that, but George is entitled to his opinion. APIs are important, but to use such a broad brush is irresponsible.

Time to move on. Luckily, Tesla didn't close down the API. I'm still using it securely to collect data from my car. No one has stolen my car with any "spectacular" API failures yet.
 
Given that you changed the title of this thread to reflect your agenda, forgive me if I don't see this request as being made in good faith.
And you know dsm was the one that changed it how? Jumping to conclusions again?

So he asks a question and your answer is "I don't want to reply because I don't think you'll reasonably assess the response"? You do realize that there are other people reading the thread right? You think all of them "don't get it" and "don't want to"? If so, then why did you participate on this forum at all if we're a lost cause?

- - - Updated - - -

This is a unique feature of this forum that any moderator with an agenda can alter the title of a thread to reflect something in opposition to the original poster. Generally, the title IS the creation of the original poster.
No, it's not. It's commonly available forum software, not some magic TMC forum IP.

- - - Updated - - -

Time to move on. Luckily, Tesla didn't close down the API.
The jury's still out on that. I haven't been able to log in since yesterday 9:30 AM PT (over 24 hours).

I've never seen it down for more than 2 hours until now.
 
And you know dsm was the one that changed it how? Jumping to conclusions again?

So he asks a question and your answer is "I don't want to reply because I don't think you'll reasonably assess the response"? You do realize that there are other people reading the thread right? You think all of them "don't get it" and "don't want to"? If so, then why did you participate on this forum at all if we're a lost cause?

I honestly didn't realize that this forum had the hostility towards anything negative of Tesla that the Tesla Motors forums do. I stand corrected. There are a large number of people who just can't deal with criticism of Tesla in any form.

I honestly don't think he's asking me the question in good faith. He certainly changed the title in bad faith.


No, it's not. It's commonly available forum software, not some magic TMC forum IP.

It's not about the software, it's about the practice of moderating a title away from the original poster's intent based simply on disagreeing with the original poster rather than a violation of forum rules.

The moderation capability exists to help enforcement of forum rules, not to alter the intent of the original poster.