TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker or making a Paypal contribution here: paypal.me/SupportTMC

Cloud & EV Enthusiast!

Discussion in 'Introductions' started by Cloud_S, Aug 18, 2013.

  1. Cloud_S

    Cloud_S Member

    Joined:
    Feb 18, 2013
    Messages:
    12
    Location:
    Chicago
    Hi guys!


    Nick here from Chicago. Life long car guy (many Hondas, S2K, G35) Currenty driving a CT200H F-Sport that we bought in April with 30k on the odo. Came from an IS-F...power adjustment was hard at first however the technology and overall package compensates for it well!


    Even with the CT200H, Idling at a stop light seems so primitive now!


    We just bought a house in Lincoln Park with a garage, made sure we had 100 AMP service! Plan on keeping the CT for a few years till we buy a Tesla S in late 2014. Never going back to conventional cars for daily drivers.


    Life long Technology enthusiast, should have been a mechanical engineer but ended up in Cyber Security. Love what I do, love progress and the innovation that Tesla brings. Would love to do a penetration test against the Model S! Cloud connected IP driven cars are here, lets hope Tesla did their homework. #Game #Chgr
     
  2. twinklejet

    twinklejet Member

    Joined:
    Mar 10, 2013
    Messages:
    666
    Location:
    Singapore
    Welcome :)

    Late 2014 is actually exactly one year away give and take a few months! Have you taken a test drive?
     
  3. qwk

    qwk Model S P2681

    Joined:
    Dec 19, 2008
    Messages:
    2,817
    Probably not, otherwise he would be ordering right now! Lol
     
  4. Cloud_S

    Cloud_S Member

    Joined:
    Feb 18, 2013
    Messages:
    12
    Location:
    Chicago
    Driving one this Friday; fear I will fall in love an order 1 right away...
     
  5. qwk

    qwk Model S P2681

    Joined:
    Dec 19, 2008
    Messages:
    2,817
    Yes, you will.
     
  6. nspollution

    nspollution Member

    Joined:
    Jun 8, 2013
    Messages:
    161
    Location:
    Maple Grove, MN
    The authentication protocol for the REST API is lacking. Fortunately, there's very little intrusive that the REST API currently allows. Nevertherless, it's problematic.
     
  7. Cloud_S

    Cloud_S Member

    Joined:
    Feb 18, 2013
    Messages:
    12
    Location:
    Chicago
    Have you done any threat modeling or POC?
     
  8. nspollution

    nspollution Member

    Joined:
    Jun 8, 2013
    Messages:
    161
    Location:
    Maple Grove, MN
    Not explicitly, but my background is in API design.

    A couple of key problems with the API:

    1. It requires you to provide your Tesla email and password to third parties in order to authenticate
    2. Actual authentication between third-parties and Tesla occurs via a token that is valid for 3 months without any revocation mechanism

    The first should never, ever happen with any API. A third-party should NEVER have access to your core authentication credentials.

    The second means that if the third-party is compromised, an attacker has access to all tokens for all Tesla customers it is governing. Unless Tesla itself becomes aware of this, there's no revocation of the tokens and thus a wide-open exploit for up to 3 months.
     
  9. twinklejet

    twinklejet Member

    Joined:
    Mar 10, 2013
    Messages:
    666
    Location:
    Singapore
    The question is: Is Tesla aware of this? If they are, are they doing anything about it?
     
  10. nspollution

    nspollution Member

    Joined:
    Jun 8, 2013
    Messages:
    161
    Location:
    Maple Grove, MN
    I don't know if they are aware of it. But it is illustrative of a deeper problem that it even exists.

    This is just bad API design with little regard for the security of the systems. It shows that the people in charge of their external systems aren't that concerned with security.

    I know many will say, "But maybe this was just a mistake".

    No one who cares about security designs an API in this fashion. In fact, they went out of their way to design this authentication model. It's not a normal authentication model.
     
  11. zeron

    zeron Member

    Joined:
    Dec 30, 2012
    Messages:
    72
    Location:
    Milky Way
    I think you are confused. The API is not meant to be used by any third-parties. That is why the authentication is designed that way.
     
  12. nspollution

    nspollution Member

    Joined:
    Jun 8, 2013
    Messages:
    161
    Location:
    Maple Grove, MN
    I am not confused. Any API can and will be used by third parties.

    And even APIs "not designed to be used by third parties" should not authenticate like this.
     
  13. nspollution

    nspollution Member

    Joined:
    Jun 8, 2013
    Messages:
    161
    Location:
    Maple Grove, MN
  14. Cloud_S

    Cloud_S Member

    Joined:
    Feb 18, 2013
    Messages:
    12
    Location:
    Chicago
    Excellent find. API design is not my forte however I'm quite shocked that Tesla didn't use standard API conventions such as Oauth or SAML. However, in conversations with the lead engineer for Onstar, I believe GM took a similar route. Honestly, I'm more concerned about the segregation and trust relationships between the API and the CAN-BUS and LIN-BUS driven sub-comments. If the API does not perform validation of user provided input, perhaps it would be possible to inject commands to escalate privileges via CAN-BUS or LIN-BUS to system sub-comments for speed control, braking and related?

    Here is the unofficial documentation of the Tesla Model S REST API. Tesla Model S REST API—by apiary.io
     
  15. nspollution

    nspollution Member

    Joined:
    Jun 8, 2013
    Messages:
    161
    Location:
    Maple Grove, MN
    I agree with you 100%. As far as I can tell, they have done a good job on that front. Of course, we have very limited visibility into that from the outside.

    I said on Twitter, and I'll say it here:

    I'd rather have a car with an API with the flaws I wrote about than to have a car with no API at all.
     
  16. Cloud_S

    Cloud_S Member

    Joined:
    Feb 18, 2013
    Messages:
    12
    Location:
    Chicago
    My wife and I drove a Model S P85 yesterday. Overall impressions:

    Build Quality: Stunning
    Performance: V8 like, yet silky smooth
    Ride: Taunt (std suspension)
    Technology: Internet of things approved

    Minus:

    My wife felt it was too big, she is 5' 2", 120 lb. The main IP sceen isnt as responsive as I expected.

    In total, this is a game changer! We are sold, however I think I will buy a used one or demo. Can't justify the price increase and overall cost.
     

Share This Page