iOS Shortcuts + NFC

Ed_M

M3LR Blue/Black - MYLR Blue/Black/Gemini
Aug 29, 2020
Berkshire
I have been looking for a free and efficient way to trigger iOS shortcut actions for a while. All the articles I had previously seen looked to use paid-for apps. These apps appear to be overpriced and not particularly well written.

I eventually stumbled on a GitLab project where a direct set of iOS shortcuts is maintained. The link to the project is here: Projects · rummens / tesla_ios_shortcuts · GitLab

The trick is to navigate to the web page on your mobile device and then click on "Download Latest Tesla Shortcuts" in the Read Me section.

You generate a Tesla token which expires every 45 days; however, the shortcut auto-creates a reminder for you to renew it.

Once I got that working I paired it with NFC tags to trigger either the Charge Port or Frunk opening. From my testing the NFA213 tags are the ones to use. I tried the smaller 25mm ones and 45mm ones; the 45mm gave the best results due to the larger antenna. I bought mine from Amazon, here:

https://www.amazon.co.uk/gp/product/B075HQR6MY/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

All seems to work very well.
 
Please don't go there unless you understand the security implications of any of these 3rd party apps.

It's also worth noting the Tesla app has a bunch of things you can do natively

Apple Siri commands for your Tesla
Wise words indeed and I second that. People need to be accountable for the choices they take in using these services. Your note applies to all third party apps, like Tesla Mate, TeslaFI etc. I think the key is being able to see the source code if one desires.

Until the Tesla app provides these integrations directly with iOS Shortcuts, which it currently doesn't, then apps/integrations like this will exist.
 
If the guy posted the source code of the web service I'd be all over it! As it is, the fact that he doesn't seems just a little suspicious, and is enough to steer me clear.
 
Worth noting that there are no significant security issues with using Teslamate when self-hosted. Someone would need to physically break into our house to gain access to anything stored by Teslamate, and if doing that they could just nick the key fob or access cards.
 
That's true and I use it. It's been tested to ensure they're not pushing the information out of the locally running software to themselves for nefarious reasons (it's fairly simple to do if you monitor your own network). The tiny weeny risk is after a software update but of all the options this is by far the safest.
 
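One way to run the network check mentioned in the post above, as an added example that is not from the thread or from the TeslaMate project: it scans dnsmasq/Pi-hole style query logs for lookups made by the TeslaMate host and reports any name outside an expected set. The host IPs, the log lines and the allowlist of parent domains are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: parent domains a self-hosted TeslaMate box is expected to
# resolve. Build your own list from a known-good baseline capture.
ALLOWED_SUFFIXES = ("teslamotors.com", "tesla.com", "openstreetmap.org")

# dnsmasq / Pi-hole query line: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def is_allowed(name, suffixes=ALLOWED_SUFFIXES):
    """True only for an allowed domain or a real subdomain of one."""
    name = name.rstrip(".").lower()
    # Match on label boundaries so "tesla.com.example.net" does not pass.
    return any(name == s or name.endswith("." + s) for s in suffixes)

def unexpected_lookups(log_lines, host_ip):
    """Count DNS names queried by host_ip that fall outside the allowlist."""
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("client") != host_ip:
            continue  # not a query line, or a different device
        name = m.group("name").rstrip(".").lower()
        if not is_allowed(name):
            hits[name] += 1
    return dict(hits)

# Constructed sample log; 192.168.1.50 stands in for the TeslaMate host.
SAMPLE_LOG = [
    "Oct  5 11:28:01 dnsmasq[412]: query[A] owner-api.teslamotors.com from 192.168.1.50",
    "Oct  5 11:28:01 dnsmasq[412]: reply owner-api.teslamotors.com is 203.0.113.10",
    "Oct  5 11:28:02 dnsmasq[412]: query[AAAA] auth.tesla.com from 192.168.1.50",
    "Oct  5 11:28:05 dnsmasq[412]: query[A] nominatim.openstreetmap.org from 192.168.1.50",
    "Oct  5 11:29:10 dnsmasq[412]: query[A] tesla.com.example.net from 192.168.1.50",
    "Oct  5 11:30:00 dnsmasq[412]: query[A] collector.example.org from 192.168.1.50",
    "Oct  5 11:35:00 dnsmasq[412]: query[A] collector.example.org from 192.168.1.50",
    "Oct  5 11:36:00 dnsmasq[412]: query[A] ads.example.com from 192.168.1.99",
]

if __name__ == "__main__":
    for name, count in unexpected_lookups(SAMPLE_LOG, "192.168.1.50").items():
        print(f"unexpected lookup: {name} ({count}x)")
```

DNS logs only show names resolved through your own resolver, so pair this with firewall or flow logs to catch connections made straight to an IP address, and rerun it after each software update.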
I found that a nice, clean way to add shortcuts, and automation is through the "Automate" app for Tesla.

https://apps.apple.com/us/app/automate-for-tesla/id1382111619

Comes with Apple Watch complications, has a widget for iOS 14, is enabled in Apple Shortcuts, Force Touch shortcuts to quickly heat the car, open the trunk, etc... and a bunch of other simple, nice features. Is only $1 / year in the App Store.

Am not affiliated in any way to them.
 
I have mailed him, let's see what he comes back with. If he released the source and I could adapt and run it behind the firewall then the risk becomes non-existent. I like the idea, just don't really want to dedicate a whole heap of time writing it myself at the moment. It would help reduce the risk if Tesla provided MFA on the account too.
 
I think the moral of the story is security. I started the thread this morning as I was eating my breakfast and reflecting on my testing. On further reflection I should have thought some more about the user base I was posting to. As said earlier, if going down the 3rd party path you need to be cognisant of a few things:

There are quite a lot of useful looking 3rd party apps out there, I had a look at a few of them. As pointed out earlier all third party apps are a security risk, the risk is you are submitting your account details to a third party to generate an OAuth token, and this could then be used to access your account and your data without your permission. For users in the EU, from a data security point of view you could be sending your data out of the EU, which means you lose all your EU data privacy rights (TeslaFI).

Using an app from the App store does not make them any more trusted than running a script on the internet, you still do not know what it is doing.

You can reduce the perceived risks to some degree by:
  • Choosing an app from a trusted software developer
  • Choosing an open source app, whose code you or other enthusiasts can vet
  • Writing something yourself.
  • Running something locally within your own network and behind a suitable firewall, as you can with TeslaMate.
It would help if Tesla enabled MFA on user accounts too.

I shall keep digging until I find a workable solution.
 
I think TeslaFi's security is pretty robust and has a wide enough audience that if it was rogue or had serious shortcomings, it's going to have been noticed, especially considering a large number of its audience will be very tech savvy.

No Tesla account info is stored within TeslaFi except for the auth token. The real risk, as in any system using the auth key, is the lax level of access that Tesla allows with this token. That shortcoming is down to Tesla, hopefully soon to be addressed, long overdue.

TeslaFi - Security
 
At the end of this article is a simple DIY method of getting your token without using a third party site - you just need to be able to run a PowerShell script on a PC but I dare say the principle is the same on a Mac. The risk though is still there with just a token, it's just not as bad, as the car can't be started and your account can't be accessed; the car can still be located, opened, etc. without your knowledge, but if you are going to do it then I'd generate a token this way

Tesla Info: Get your car configuration

We only ever have their word to go on regarding what they store, and the popularity of them also makes them a target. I've read their security and it does look pretty comprehensive, but we know even the biggest companies with the big IT budgets get it wrong. Your own Teslamate instance running on AWS would probably be undetectable in comparison. I was slightly worried about how quickly they lashed together a workaround when Tesla blocked AWS API connections - there is a time for haste and I didn't think it was then, given the token is passed on every API call to Tesla and slotting a proxy bodge in quickly almost certainly introduced another company to the security mix.
 
Interesting... the Siri thing is an interesting party trick, I've set it up but rarely use it - I like to press buttons! (quietly and discreetly...!)

I've not used NFC but know 'of it', but as more of an Android thing as Apple couldn't program them (in late 2018 when I last investigated it for one of our businesses). Does the use of NFC require me to be inside an app, like QR codes need you to open your camera first - or is it simply my phone awake and held 'near' the little sticker? Do you get outdoor waterproof stickers?
 
On the security points:

What do you more tech security minded people know about the Stats app? Yay or nae on that one? I'm using that on my iPhone and it powers my Siri to do all sorts - I never thought about source code/security...

Also for my Mac I just downloaded one called 'valet for tesla', currently on free trial, but it shows the car's battery range on my top bar on Mac and if I click on it I can see all the same options as the Stats app has for opening trunk/frunk etc - it's very handy for me and the 'can I get xyz out the car please' questions while working from home - but what are the security concerns that you have? A theft risk of the Tesla? Or the credit card that's on my account for the supercharging?

What is the risk so I can decide if I can tolerate it or not?

 
They're all the same * - they take a request from you and turn it into a series of queries or instructions via the Tesla API for which they need your credentials or token.

* Teslamate is no different in the sense it needs your credentials and works the same way, the key difference from a security perspective is that you have a copy of the code and it sits (assuming on a Raspberry Pi) in your own home and the only commands going in and out are to Tesla's servers. The other apps perform the queries on their own servers over which you have no knowledge or control.

The risks depend on what you've done

- if you've given anyone your Tesla logon and password they have access to the car including driving and access to your "MyTesla" account, can bugger around with your settings, delete your car from your account, do anything you can do.

- the token (and the question is how did you get the token without using your username and password) is much more limited to seeing where the car is, opening, turning on the heating, everything except starting the car.
 
Whilst I value the convenience offered by various apps, I’ve always been a bit uncomfortable about providing my Tesla account details to them. Most of them provide assurances that they only store the tokens in a secure manner either on your device (e.g. Stats, Watch app for Tesla) or encrypted on their penetration-tested servers if they are doing something for you on a repeated basis (e.g. ev.energy, TeslaFi, ABRP).

Am I right in thinking that apps storing it locally on your device are much less risky than the server-based ones?
 
Not necessarily. Two factors at play. What is the risk of a device or system being attacked and when attacked, what is the risk of that attack compromising important information.

A one-off system is less likely to be worth actively targeting but may still be caught in less targeted mass hacks/probes. A well secured system with multiple levels of protection will be a lot harder to get anything useful from, but may attract specific attention. Active monitoring, typically afforded by larger organisations, will also add security.

I've been involved in deploying commercial high risk customer facing systems and I am comfortable with for example the TeslaFi approach. I also self host my own server and wouldn't store anything sensitive on it. Not that it's insecure, but it's not protected by the sort of systems that I would use to protect more sensitive data.

At the end of the day, the system is only as secure as the weakest link. I wonder how many people have enabled touch/face etc ID within the Tesla app and keep a firm grip on their phone?
 