Be More Careful With Giving 3rd Parties Your Token Starting with 2.12.126

Discussion in 'Model S' started by MarkS22, Feb 26, 2016.

  1. MarkS22

    MarkS22 Member

    Apr 6, 2015
    Morris County, NJ
    #1 MarkS22, Feb 26, 2016
    Last edited: Feb 26, 2016

    While testing app functionality on 2.12.126, I noticed there were changes made to the API that can allow you to bypass the password requirement of Keyless Start, requiring only the token.

    Before .126, driving away in the car required a secondary authentication: Your Tesla password (or fingerprint in the case of Remote S). That's no longer the case under certain circumstances I've identified. Of course, you still need to use your login and password to generate a token. This concerns you only if you're thinking about giving your generated token to a 3rd party. If you have any concerns, you can change your password on Tesla's official site to generate a new token.

    I don't believe there is a risk here if 3rd party developers use proper security procedures, but the API behavior did change, so I wanted to let everyone know. My concern is that a lazy/inexperienced/malicious 3rd party could request your token. If someone gains access to your token, they can identify your exact location (via GPS), open your garage door, and perform a workaround "Keyless Start."

    I've already notified Tesla (and submitted it via Bugcrowd) if they feel like it's necessary to modify the way their API works.

    To be clear, there is NO risk at all if you have not given your token to a 3rd party or the 3rd party is using good security policies. Special thanks to Allen (Remote S developer) for additional information about it. And, also of note, Remote S is NOT at risk as it uses Apple's secure Keychain to protect your token.

    NOTE: I'm specifically not mentioning the exact method of performing this workaround until Tesla has enough time to respond. For all I know, they may be aware and not think it's necessary to change.
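The two defences the first post points to, that changing your password invalidates any token already handed out and that a sensitive action such as Keyless Start should still demand a second factor rather than the bearer token alone, can be modelled in a few lines. The following is an added illustrative example written for this thread; it is not Tesla's API, Remote S, or any real server, and every class, method and flow in it is an assumption made for the demonstration.

```python
"""Toy model of bearer-token risk and two mitigations (constructed example,
not Tesla's API): tokens bound to a credential version that is bumped on
password change, and a step-up password check for the sensitive action."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    credential_version: int = 1  # incremented on every password change


class AuthServer:
    """Hypothetical server that issues bearer tokens and guards car actions."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> (username, credential_version at issue time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, self._hash(password, salt), salt)

    def _check_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt))

    def issue_token(self, username, password):
        """Only a correct login/password yields a token, as in the thread."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.accounts[username].credential_version)
        return token

    def resolve(self, token):
        """Map a token to its user, or None if unknown or rotated away."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        username, version = entry
        if version != self.accounts[username].credential_version:
            del self.tokens[token]  # issued before a password change: revoke
            return None
        return username

    def change_password(self, username, old_password, new_password):
        """Bumping the version makes every previously issued token dead."""
        if not self._check_password(username, old_password):
            raise PermissionError("bad credentials")
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = self._hash(new_password, acct.salt)
        acct.credential_version += 1

    def locate(self, token):
        """Low-risk read: token alone is accepted (a third party holding the
        token can do this, which is exactly the exposure the post warns about)."""
        user = self.resolve(token)
        if user is None:
            raise PermissionError("invalid token")
        return f"location-of-{user}"  # placeholder for a GPS fix

    def keyless_start(self, token, password=None):
        """Sensitive action: the token identifies the account, but the
        password (step-up authentication) is required to proceed."""
        user = self.resolve(token)
        if user is None:
            raise PermissionError("invalid token")
        if password is None or not self._check_password(user, password):
            raise PermissionError("step-up authentication required")
        return f"started-{user}"


def demo():
    """Walk through issue, third-party use, step-up, and rotation."""
    srv = AuthServer()
    srv.register("owner", "correct horse battery staple")
    token = srv.issue_token("owner", "correct horse battery staple")
    steps = {"locate": srv.locate(token)}
    try:
        srv.keyless_start(token)  # token alone must not be enough
        steps["start_without_password"] = "allowed"
    except PermissionError:
        steps["start_without_password"] = "refused"
    steps["start_with_password"] = srv.keyless_start(token, "correct horse battery staple")
    srv.change_password("owner", "correct horse battery staple", "new passphrase 42")
    steps["token_after_rotation"] = srv.resolve(token)
    return steps


if __name__ == "__main__":
    print(demo())
```

The point of the model is the contrast between `locate`, which a token holder can call on its own, and `keyless_start`, which refuses unless the password is presented again; and that `change_password` leaves every outstanding token unusable, which is the remediation the first post recommends to anyone who has already shared a token.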
  2. TampaRich

    TampaRich Member

    Jul 7, 2013
    Tampa, FL
    Just to be clear, by logging into a 3rd party app you are giving them your authentication token, correct?
  3. msnow

    msnow Active Member

    Jul 14, 2015
    #3 msnow, Feb 27, 2016
    Last edited: Feb 27, 2016
    If you are using your Tesla logon credentials yes.
  4. scottm

    scottm Active Member

    Jun 13, 2014
    Which is why me no use any 3rd party app for the car.