
Can someone drive your car if unlocked remotely?

Say my car needs to be moved by a friend or colleague, if I unlock it remotely via the app and give them the P2D number will they be able to drive it? Or will it ask for the key card as well?

If the latter, can that be overridden by entering your Tesla account login details (I believe I remember seeing that as an option in case you don't have your card)?

I don't need this to happen btw, just crossed my mind.
 
These apps can't start your car because you don't give them your password, you give them a token which you generate locally (ideally).

The token is still too powerful (someone with your token could open your boot, windows and doors for example) - A thing only Tesla can fix by allowing more limited tokens.
 
So basically all a thief needs is your username and password. I hope all those nice Tesla friendly apps are as secure as they say.

I can confirm the PIN is not needed if you use the Start Car button on app.
Not only the Tesla friendly apps to worry about. More of a problem is weak passwords. So many people recycle the same simple passwords for multiple different accounts. In my circle I’ve known people who use “redwine” for everything, or “Greece” (super secure with a Capital letter :p).

I use a password manager for all my passwords, and all of them are unique 18-character strings of mixed characters including symbols. Not impenetrable, but more secure than “password” or “fluffy” ;)
 
I use a password manager for all my passwords, and all of them are unique 18-character strings of mixed characters including symbols. Not impenetrable, but more secure than “password” or “fluffy” ;)

Me too.

If you're happy to run teslamate, why not run your own bitwarden password manager: dani-garcia/bitwarden_rs
The android and browser add-ons are every bit as good as the commercial equivalents.
 
I tried this test today:
  • Disable Bluetooth on phone;
  • Unlock car with app;
  • Use remote start in App= FAIL
  • Get in the car.
  • Menu > Safety & Security > Turn on Remote Starting
  • Use remote start in App= Success / can now drive the car.
Tesla could easily reduce the risk by requiring a Bluetooth key be present (keycard or phone) to turn on the Remote Starting toggle switch inside the car.
 
I think it's a useful feature. I was initially asking because a colleague may have needed to move my car to another space whilst I was out of the office.

The system is only as weak as your password (excluding a Tesla hack). As above use a password manager with 2FA.
 
I think it's a useful feature. I was initially asking because a colleague may have needed to move my car to another space whilst I was out of the office.

The system is only as weak as your password (excluding a Tesla hack). As above use a password manager with 2FA.
I wonder how bad it would be if TeslaFi was breached and all user data stolen. TeslaFi doesn't store the password though, and relies on a token as you say.
 
It might be useful using remote start if others are in the car to avoid revealing pin when entering to all occupants. Remote start avoids that reveal. Now, if they allowed a 'pin' to be entered via steering wheel controls, a bit like xbox controller, that would reduce chance of the code being compromised.
 
I tried this test today:
  • Disable Bluetooth on phone;
  • Unlock car with app;
  • Use remote start in App= FAIL
  • Get in the car.
  • Menu > Safety & Security > Turn on Remote Starting
  • Use remote start in App= Success / can now drive the car.
Tesla could easily reduce the risk by requiring a Bluetooth key be present (keycard or phone) to turn on the Remote Starting toggle switch inside the car.
Or the PIN (I like PINs can you tell?)
 
How do people get their token without using an online service which means giving up your email and password and hence the problem? I'm sure I read how using a little script you run on a PC that only called Tesla APIs and was relatively numpty proof but can't recall where I read it (?).

But I don't trust any of them including TeslaFi for what it's worth so not that worried