
Charge HQ

I downloaded ChargeHQ, but before I signed in with my Tesla account I emailed them to ask what security measures they have in place to prevent my Tesla account being hacked via the API interface. There was a report recently where a hacker showed how easy it was to access the Tesla App functions via a hacked password. I asked a week ago and haven't received a reply yet.

From what I’ve read, these Apps or services require you to log in once with your Tesla credentials (email address and password), and they do not store those credentials, since the authentication is done in real time directly with the Tesla auth server.

That authentication returns two tokens - an access token and a refresh token - and these are stored by the App or service. The access token is valid for 8 hours from creation, and provides access to all vehicle and Powerwall controls offered through the Tesla API. The third-party app or service needs that access in order to do what they do.

The refresh token has no expiry and is used to generate new access tokens after each one expires.

So while these third-party players can tell you with 100% honesty that they don’t store your Tesla login details, it somewhat avoids the question, because the tokens they do store provide them with all the control they need as if they did have your login credentials. A bad actor could use those tokens to control your car without your consent, for example, in perpetuity. They just keep using the refresh token to generate new access tokens.

The protection you do have is that a bad actor couldn’t change your Tesla password or access your Tesla account, which they could do if they stored your login details and not just the tokens. The tokens only allow API access. And if you change your Tesla password, any previously issued API tokens are invalidated, preventing any further unauthorised control. You’d need to log in again to use any of these third party services.
 
Thanks Vostok. Now I understand how the tokens function. I'd still like to ensure that ChargeHQ had adequate measures to ensure that the refresh tokens are secure before I committed to the system.
 
This is the same process for any 3rd party service like Teslafi and so on since Tesla doesn't have another way for this to work AFAIK.
Anyway, at this point in time I trust Teslafi and Charge HQ.
Charge HQ is Sydney-based btw.

If smart summon worked they could get your car to drive to them. But we all know how good FSD is... :p
 
Maybe Tesla may introduce some charging smarts in the future into its app as noted on norateslapp.com notes for new release:

Wall Connector Integration

Tesla Wall Connector Integration feature in update 4.10.0

Future Feature
This is an undocumented change in this release that may become a future feature.
In this update, Tesla has added a bunch of Wall Connector references to the app. Tesla's third generation Wall Connector comes built in with Wi-Fi, allowing it to receive software updates.
It's not clear what features this may enable, but it looks like Tesla may soon allow you to add the third-gen Wall Connector to the Tesla app, in a similar way that you can add a vehicle or Powerwall.
 
I've been using the Charge HQ app for about a month now. Maybe a little longer. Is there any concern about components on the vehicle side being affected by the changing charge amp rate? I love the Charge HQ app. It works great. Just wondering about the fluctuations of amps by the on board charger.
 
Has anyone looked at the app (I can't run it as they don't support Sense Energy Monitors) to see how low the charge rate goes before shutting off for lack of solar? Having written my own version of this app (TesSense), I found it difficult to get the amps down to two. Originally I ended up powering off at 5 amps, but having the flexibility to go down to two allows it to keep charging instead of turning off and later back on, which can wear out the relay on the Wall Connector.
 

I don’t think you can set the charge rate below 5A. I have three-phase power and I can’t set the charge rate below 5A per phase on the Tesla App (which is charging power of 3.6 kW). So I suspect if you send an API command to set the rate below 5A, Tesla will set it to the minimum allowable which is 5A.

It is probably similar to the approach to setting the target battery charge level. Sending an API command to set the charge level to, say, 30%, is accepted without error, but the charge level is still set to 50% which is the minimum Tesla allows. I know this because I have tried it.
 
It's by amps, and if you send the command to the API to set it to 1 amp, it'll use 2 amps; if you set it to two it'll go to three; then above that it'll go to whatever amps you put, up to the limit of the EVSE. To set any amps below 5 you have to send the command twice, but I do it many times every day as my car charges from the sun.

You can't do it from the Tesla official app. Just curious if Charge HQ uses the API functionality.

This is my app running on a cloudy day today:
Charging at 6 amps, with -85 watts surplus
63.3 F Sun 02:27 PM Wait two minutes...
Charging at 6 amps, with -216 watts surplus
63.1 F Sun 02:29 PM Wait two minutes...
Level: 55 %, Limit 75 %, 5.2 MPH 242 Volts 3.53 kWh added, 6 of a possible 40 Amps, 10.5 Hours remaining
Charging at 6 amps, with -14 watts surplus
63.0 F Sun 02:31 PM Wait two minutes...
Charging at 6 amps, with -424 watts surplus
Slowing charging to 5 amps
63.0 F Sun 02:33 PM Wait two minutes...
Charging at 5 amps, with 292 watts surplus
Increasing charging to 6 amps
62.8 F Sun 02:36 PM Wait two minutes...
Charging at 6 amps, with 803 watts surplus
Increasing charging to 9 amps
62.6 F Sun 02:38 PM Wait two minutes...
Charging at 9 amps, with 8 watts surplus
61.0 F Sun 02:40 PM Wait two minutes...
Charging at 9 amps, with -1152 watts surplus
Slowing charging to 5 amps
60.3 F Sun 02:42 PM Wait two minutes...
Charging at 5 amps, with -342 watts surplus
Slowing charging to 4 amps
60.1 F Sun 02:44 PM Wait two minutes...
Charging at 4 amps, with -579 watts surplus
Slowing charging to 2 amps
59.9 F Sun 02:46 PM Wait two minutes...
Charging at 2 amps, with 147 watts surplus
59.7 F Sun 02:49 PM Wait two minutes...
Charging at 2 amps, with 197 watts surplus
59.5 F Sun 02:51 PM Wait two minutes...
Charging at 2 amps, with 24 watts surplus
59.5 F Sun 02:53 PM Wait two minutes...
Charging at 2 amps, with -298 watts surplus
Stopping charge
59.4 F Sun 02:55 PM Wait two minutes...
Not Charging, free power is at 63 watts
59.4 F Sun 02:57 PM Wait two minutes...
Not Charging, free power is at 85 watts
59.2 F Sun 02:59 PM Wait two minutes...
 

Well I’ve never tried sending a command twice… I thought the API is stateless and memoryless so each command is treated on its merits and there is no memory from one command to the next.

If you set charging to 2A, and then you open the Tesla App, does the charging slider show 2A as the charging rate?
 
Has anyone looked at the app (I can't run it as they don't support Sense Energy Monitors) to see how low the charge rate goes before shutting off for lack of solar? Having written my own version of this app (TesSense), I found it difficult to get the amps down to two. Originally I ended up powering off at 5 amps, but having the flexibility to go down to two allows it to keep charging instead of turning off and later back on, which can wear out the relay on the Wall Connector.

The minimum Charge HQ sets it to is 5A. It will hold off for 6 minutes before turning off (in case of temporary clouds or a boiling kettle). If shut off, it will hold off turning back on for around 15 minutes (with the ability to click resume manually if desired) to minimise wear and tear on the contactors.
 
Smart. So how often does it check? The only dividers of 6 and 15 are 3 or 1. Mine is checking every 2 minutes to keep from overloading the API

It depends on the inverter and if cloud based, what their corresponding API allows.


I push the solar data myself using the "Push API" (unsupported inverter), which the developers suggest there is no benefit in updating any more frequently than every 30 seconds. I get the feeling it hits the Tesla API, if required, in the 30-60 second region.
 
I would more than gladly pay for this type of service if it integrated with the Growatt inverter portal.
They have recently stopped work on the Growatt integration because of difficulties licensing the APIs or something of that sort; they also stopped work on Enphase as well for the same reason.

There is a push API that is under active development for those who are fairly technical. You could stand up something locally and use the local APIs to your Growatt inverter and push the required information to ChargeHQ. There are a heap of integrations listed on the page, although nothing for Growatt.

I couldn't get it to work. I have Powerwall and 2 x Tesla.
I too had trouble originally, it would never see my Powerwall and I nearly despaired before reaching out to support. They found that since I had a replacement PW Gateway under warranty, I actually had two setups linked to my account and the logic to choose in that case was a bit stupid, ending up choosing the older, inactive gateway. Their support people did something at the other end and then everything started working perfectly.

Looking at the UI now in place for managing a Tesla account, they now provide the ability to select the correct hardware.

I personally love this product. The team have made something amazing that just keeps getting better with every release. Definitely worth giving it another go.
 
I downloaded ChargeHQ, but before I signed in with my Tesla account I emailed them to ask what security measures they have in place to prevent my Tesla account being hacked via the API interface. There was a report recently where a hacker showed how easy it was to access the Tesla App functions via a hacked password. I asked a week ago and haven't received a reply yet.
The app provides two options for this. In neither approach will the password of your account (which should be protected with MFA anyway, making a leaked password less critical) be exposed.

1. The default behaviour is that an OAuth flow to the Tesla web-based IdP is used to obtain the tokens required to access the desired APIs.
2. You can generate the required API tokens in the Tesla developer portal and then provide them to the application.

The risk with this sort of thing usually arises from apps that don't understand how this sort of security is supposed to work and then request the username and password inside the application before using a server-side or app-mediated flow of some sort. This is *not* best practice at all and requires you to trust the app developer more than you should. ChargeHQ look to be following best practice though.

As I mentioned before though, you definitely need to turn on multi-factor authentication on your Tesla account unless you want someone to steal your car.
 

API tokens are almost as good as the Tesla account username/password credentials. The API tokens comprise an access token and a refresh token. The access token is valid for 8 hours, but the refresh token is valid forever (well, until you next change your Tesla account password) and is used to generate new access tokens - over and over again.

With an access token, the Tesla API can control everything in the car that the Tesla App can control, including telling you where the car is, and unlocking it and starting it. So give me your refresh token, and I can generate a valid access token, find your car, open it, and drive it away. Unless you have set PIN to drive.

So the real question that needs to be asked of any of these third party App developers is - do you ever sniff the API tokens and store them off the device? Are the tokens only ever held in a vault within the App itself, and only used when directly communicating with the Tesla API?
 
Would be nice if Tesla got an App Store, then all this could be hidden from developers and you just have a sign-in hook that Tesla made for connecting to your account, like Apple and Google have had for years.

Elon occasionally has thought bubbles about an App Store but nothing has come of it so far. But yes, that would be the way to do it - Tesla does the authentication then passes a unique single-use token to an App housed in its App store.

But that would also require Tesla to formally publish and support their API which they seem reluctant to do. Everything we know about the API has been reverse engineered or discovered through trial and error. Tesla occasionally makes API changes at random which breaks bits of these third party Apps which then have to scramble to issue new updates to fix whatever changed.

My distrust of third party developers pushed me to learn Python, the Tesla API, and write my own code.
 
A better solution would be to have finer resolution scopes available to request and approve that align with the way that the APIs are being used. This way the tokens used could only support the operations that are appropriate. In this case starting and stopping charge, determining current location and state of charge of vehicle and Powerwall, and energy flow from the Powerwall gateway. A vehicle app store would not help me access my Powerwall for example.
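
The token behaviour described earlier in the thread (8-hour access tokens, a refresh token with no expiry, revocation on password change), combined with the finer-grained scopes suggested in the last post, modelled as an added example that is not code from any poster, ChargeHQ or Tesla. The `ToyAuthServer` class, the scope names and the operation names are all hypothetical.

```python
import secrets

ACCESS_TTL = 8 * 3600  # access-token lifetime stated in the thread: 8 hours

# Hypothetical scope names and operation mapping, invented for illustration.
REQUIRED_SCOPE = {
    "charge_start": "charging:control",
    "charge_stop": "charging:control",
    "set_charging_amps": "charging:control",
    "vehicle_state": "vehicle:read",
    "door_unlock": "vehicle:control",
    "remote_start": "vehicle:control",
}


class ToyAuthServer:
    """Minimal in-memory model of the token behaviour described in the thread."""

    def __init__(self):
        self.generation = 0   # bumped on every password change
        self.refresh = {}     # refresh token -> (scopes, generation)
        self.access = {}      # access token -> (scopes, generation, expiry)

    def login(self, scopes, now):
        """Interactive login: returns (access_token, refresh_token)."""
        rt = secrets.token_urlsafe(16)
        self.refresh[rt] = (frozenset(scopes), self.generation)
        return self.refresh_access(rt, now), rt

    def refresh_access(self, rt, now):
        """Mint a new access token; the refresh token itself never expires."""
        scopes, gen = self.refresh.get(rt, (None, None))
        if scopes is None or gen != self.generation:
            raise PermissionError("refresh token revoked or unknown")
        at = secrets.token_urlsafe(16)
        self.access[at] = (scopes, gen, now + ACCESS_TTL)
        return at

    def change_password(self):
        """Password change invalidates every previously issued token."""
        self.generation += 1

    def authorize(self, at, operation, now):
        """Resource-side check: token live, not revoked, scope covers the call."""
        scopes, gen, expiry = self.access.get(at, (frozenset(), -1, 0))
        if gen != self.generation or now >= expiry:
            return False
        return REQUIRED_SCOPE.get(operation) in scopes
```

With a token limited to the charging and read scopes, a leaked refresh token can still adjust charging until the password is changed, but the unlock and start operations are refused by the scope check.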