Ok, disclosure: I am a paranoid security guy. It's what I do.
So I was reviewing my options to pull my data from my Model S. No offense to all the hard work of those who have put together websites or binary apps to pull data (just provide them a username and password!), but for me, this option will not work. Too paranoid. Keys to the kingdom, so to speak.
So I went to figure out how the API works so I can pull my own data. One thing I noticed is that I have to get an API token prior to making API calls, but I wanted to know how this worked, so I looked at a few options. It appears that to obtain a token you must provide an OWNERAPI_CLIENT_ID and OWNERAPI_CLIENT_SECRET, as well as your username and password, to get the API token you can use.
What are those values?
teslatoken, a Python package at eric1980/teslatoken, uses a value stored in https://pastebin.com/raw/YiLPDggh
This page, Tesla Model S JSON API · Apiary, also references the pastebin post.
[JSON] "OWNERAPI_CLIENT_ID": "81527cff06843c8634fdc09e8ac0abefb46ac849f38fe1e431c2ef2 - Pastebin.com
teslajs actually hard codes it (in a very hidden/obfuscated way) at this line:
mseminatore/TeslaJS
So, what is this?
Where is it derived?
Is it the token that the app sends out from a phone, and someone just MITMed the request to obtain it? Did they reverse engineer the Tesla app to get it?
Is the pastebin post the same token as the one in teslajs? (I haven't reversed them yet.)
I see the pastebin post is from Jan 2017. How often does this change?
Is the token the same in everyone's Tesla App?
To the previous question: If these tokens are both the same, and the same as the Tesla app, then reusing them to obtain API tokens seems marginally fine. If not, however, what is being identified on the back end? Like, if a bunch of us use the same pastebin secret to obtain our API keys, are our cars somehow linked in a way that could cause a security issue later?
Do we have a way to revoke an API token? (This is sort of important.)
I am not trying to be a naysayer, I want my data, I just like to understand all the things involved before jumping in. I'd be really interested in anyone's thoughts on this!
John