
Concerns about Tesla API Token process

@darth_vad3r
Thank you for all the info!
I'm using a method explained here (I'm nerdy, but not really a programmer, so I follow instructions but if something doesn't work I'm stuck!)
Tesla API Token Generator

Then I'm using the generated token in 2 apps: TeslaFi and ABRP.
When it happens that one of the apps asks for a new token I generate a new one, put it into the APP, and immediately I'm forced to put it also into the other APP; otherwise it will not work anymore.

Maybe I'm doing something wrong, but this is my experience: I can only have one token at a time.

I haven’t looked at the link, or underlying method, but it sounds like you are using one token on two apps?

I would generate two tokens. Give one to each app.

If the underlying method used is refreshing a token, that invalidates the old one. If you gave the same token to two apps, then they’ll both stop working. Maybe that generator doesn’t let you generate two tokens?
I'm a long-term SW engineer and I can confirm that there are security concerns giving your API token to anyone, as they can potentially do anything with your car that you are able to do from the app:
- determine the car's VIN
- determine the car's location (GPS), speed
- honk the horn, flash lights
- lock/unlock doors, open / close windows
- turn on/off climate control -- which could be a dangerous issue if you have dog mode on and someone remotely turned off your AC
- replace navigation target, etc.
- start charging, stop charging, modify charging limit, etc.
- obtain various statistics about your car

Moreover, they could possibly do more things in the future once Tesla releases more features in their API.

That said, if you don't disclose your password or you have multi-factor authentication enabled, they cannot at least transfer your Tesla to a new owner (would be pretty f.. up if they could).

While I don't see why Teslafi or others would ever be interested in misusing user tokens, security leaks happen on a daily basis, and any token that's stored somewhere can one day be stolen. The most common exploits consist of stealing employees' and developers' login credentials and SSH keys (like it happened in the case of UniFi's networks and security cameras).

For someone, car statistics can be worth this risk. I just wanted to tell the whole story.
 
The right way would be if Tesla implemented a per-app token policy where you could grant various permissions to various apps (e.g. only charging info, or only read-only access to everything); however, I highly doubt it will happen in the near future, as if Tesla had been interested in it they would already have done this.
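The two points made above, that refreshing a token invalidates the old one (so one token copied into two apps breaks) and that per-app scoped tokens would limit the damage, as an added toy model. This is example code written for this thread, not Tesla's API nor any of the posters' code; app names and scope names ("vehicle_data", "charging", "doors") are made up for illustration.

```python
# Added example: a toy token service with refresh rotation and per-app scopes.
# It is not Tesla's API; scope and app names below are hypothetical.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    app: str
    scopes: frozenset


class TokenService:
    def __init__(self):
        self._access = {}    # access token  -> Grant
        self._refresh = {}   # refresh token -> Grant

    def issue(self, app, scopes):
        grant = Grant(app, frozenset(scopes))
        access, refresh = secrets.token_hex(16), secrets.token_hex(16)
        self._access[access] = grant
        self._refresh[refresh] = grant
        return access, refresh

    def refresh(self, refresh_token):
        """Rotate: consume the refresh token, revoke the grant's old access tokens."""
        grant = self._refresh.pop(refresh_token, None)
        if grant is None:
            raise PermissionError("unknown or already-used refresh token")
        for tok in [t for t, g in self._access.items() if g is grant]:
            del self._access[tok]
        return self.issue(grant.app, grant.scopes)

    def allowed(self, access_token, scope):
        grant = self._access.get(access_token)
        return grant is not None and scope in grant.scopes


def shared_token_outcome():
    """One token pair copied into two apps: after app A refreshes, app B is dead."""
    svc = TokenService()
    pair = svc.issue("owner-login", {"vehicle_data", "commands"})
    app_a = app_b = pair                      # both apps hold the same pair
    new_access, _ = svc.refresh(app_a[1])     # app A rotates
    return svc.allowed(new_access, "vehicle_data"), svc.allowed(app_b[0], "vehicle_data")


def per_app_token_outcome():
    """Separate scoped tokens: rotating one leaves the other intact, and a
    charging-only app cannot send door commands."""
    svc = TokenService()
    _, stats_refresh = svc.issue("stats-app", {"vehicle_data"})
    charge_access, _ = svc.issue("charge-app", {"vehicle_data", "charging"})
    stats_access, _ = svc.refresh(stats_refresh)   # only stats-app rotates
    return (svc.allowed(stats_access, "vehicle_data"),
            svc.allowed(charge_access, "charging"),
            svc.allowed(charge_access, "doors"))
```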
 
I just don't understand the blind trust people have for randoms on the internet when it comes to their most valuable possessions, and their own personal safety. It's just data, people; you don't need it. Just drive the car and sleep easy knowing your car is secure from bad actors posing as 3rd party client providers. Most probably won't heed this warning; curiosity tends to find a way to kill the owner's cat.
 


Thanks for bumping this old thread. Much appreciated.