Cloud & EV Enthusiast!

[Cloud_S]

Hi guys!


Nick here from Chicago. Life long car guy (many Hondas, S2K, G35) Currenty driving a CT200H F-Sport that we bought in April with 30k on the odo. Came from an IS-F...power adjustment was hard at first however the technology and overall package compensates for it well!


Even with the CT200H, Idling at a stop light seems so primitive now!


We just bought a house in Lincoln Park with a garage, made sure we had 100 AMP service! Plan on keeping the CT for a few years till we buy a Tesla S in late 2014. Never going back to conventional cars for daily drivers.


Life long Technology enthusiast, should have been a mechanical engineer but ended up in Cyber Security. Love what I do, love progress and the innovation that Tesla brings. Would love to do a penetration test against the Model S! Cloud connected IP driven cars are here, lets hope Tesla did their homework. #Game #Chgr

 

[twinklejet]

Hi guys!


Nick here from Chicago. Life long car guy (many Hondas, S2K, G35) Currenty driving a CT200H F-Sport that we bought in April with 30k on the odo. Came from an IS-F...power adjustment was hard at first however the technology and overall package compensates for it well!


Even with the CT200H, Idling at a stop light seems so primitive now!


We just bought a house in Lincoln Park with a garage, made sure we had 100 AMP service! Plan on keeping the CT for a few years till we buy a Tesla S in late 2014. Never going back to conventional cars for daily drivers.


Life long Technology enthusiast, should have been a mechanical engineer but ended up in Cyber Security. Love what I do, love progress and the innovation that Tesla brings. Would love to do a penetration test against the Model S! Cloud connected IP driven cars are here, lets hope Tesla did their homework. #Game #Chgr

Welcome

Late 2014 is actually exactly one year away give and take a few months! Have you taken a test drive?

 

[qwk]

Welcome

Late 2014 is actually exactly one year away give and take a few months! Have you taken a test drive?

Probably not, otherwise he would be ordering right now! Lol

 

[Cloud_S]

Probably not, otherwise he would be ordering right now! Lol

Driving one this Friday; fear I will fall in love an order 1 right away...

 

[qwk]

Driving one this Friday; fear I will fall in love an order 1 right away...

Yes, you will.

 

[nspollution]

The authentication protocol for the REST API is lacking. Fortunately, there's very little intrusive that the REST API currently allows. Nevertherless, it's problematic.

 

[Cloud_S]

The authentication protocol for the REST API is lacking. Fortunately, there's very little intrusive that the REST API currently allows. Nevertherless, it's problematic.

Have you done any threat modeling or POC?

 

[nspollution]

Not explicitly, but my background is in API design.

A couple of key problems with the API:

1. It requires you to provide your Tesla email and password to third parties in order to authenticate
2. Actual authentication between third-parties and Tesla occurs via a token that is valid for 3 months without any revocation mechanism

The first should never, ever happen with any API. A third-party should NEVER have access to your core authentication credentials.

The second means that if the third-party is compromised, an attacker has access to all tokens for all Tesla customers it is governing. Unless Tesla itself becomes aware of this, there's no revocation of the tokens and thus a wide-open exploit for up to 3 months.

 

[twinklejet]

The question is: Is Tesla aware of this? If they are, are they doing anything about it?

 

[nspollution]

The question is: Is Tesla aware of this? If they are, are they doing anything about it?

I don't know if they are aware of it. But it is illustrative of a deeper problem that it even exists.

This is just bad API design with little regard for the security of the systems. It shows that the people in charge of their external systems aren't that concerned with security.

I know many will say, "But maybe this was just a mistake".

No one who cares about security designs an API in this fashion. In fact, they went out of their way to design this authentication model. It's not a normal authentication model.

 

[zeron]

I think you are confused. The API is not meant to be used by any third-parties. That is why the authentication is designed that way.

 

[nspollution]

I am not confused. Any API can and will be used by third parties.

And even APIs "not designed to be used by third parties" should not authenticate like this.

 

[nspollution]

Formal write-up here: http://broadcast.oreilly.com/2013/08/authentication-flaws-in-the-tesla-model-s-rest-api.html

 

[Cloud_S]

Formal write-up here: http://broadcast.oreilly.com/2013/08/authentication-flaws-in-the-tesla-model-s-rest-api.html

Excellent find. API design is not my forte however I'm quite shocked that Tesla didn't use standard API conventions such as Oauth or SAML. However, in conversations with the lead engineer for Onstar, I believe GM took a similar route. Honestly, I'm more concerned about the segregation and trust relationships between the API and the CAN-BUS and LIN-BUS driven sub-comments. If the API does not perform validation of user provided input, perhaps it would be possible to inject commands to escalate privileges via CAN-BUS or LIN-BUS to system sub-comments for speed control, braking and related?

Here is the unofficial documentation of the Tesla Model S REST API. Tesla Model S REST API—by apiary.io

 

[nspollution]

Honestly, I'm more concerned about the segregation and trust relationships between the API and the CAN-BUS and LIN-BUS driven sub-comments. If the API does not perform validation of user provided input, perhaps it would be possible to inject commands to escalate privileges via CAN-BUS or LIN-BUS to system sub-comments for speed control, braking and related?

I agree with you 100%. As far as I can tell, they have done a good job on that front. Of course, we have very limited visibility into that from the outside.

I said on Twitter, and I'll say it here:

I'd rather have a car with an API with the flaws I wrote about than to have a car with no API at all.

 

[Cloud_S]

My wife and I drove a Model S P85 yesterday. Overall impressions:

Build Quality: Stunning
Performance: V8 like, yet silky smooth
Ride: Taunt (std suspension)
Technology: Internet of things approved

Minus:

My wife felt it was too big, she is 5' 2", 120 lb. The main IP sceen isnt as responsive as I expected.

In total, this is a game changer! We are sold, however I think I will buy a used one or demo. Can't justify the price increase and overall cost.