
iOS Shortcuts + NFC

Ed_M

Member
Aug 29, 2020
14
15
Berkshire
I have been looking for a free and efficient way to trigger iOS shortcut actions for a while. All the articles I had previously seen looked to use paid for apps. These apps appear to be overpriced and not particularly well written.

I eventually stumbled on a Gitlab project where a direct set of iOS shortcuts are maintained. The link to the project is here: Projects · rummens / tesla_ios_shortcuts · GitLab

The trick is to navigate to the web page on your mobile device and then click on "Download Latest Tesla Shortcuts" in the Read Me section.

You generate a Tesla token which expires every 45 days, however the shortcut auto creates a reminder for you to renew it.

Once I got that working I paired it with NFC tags to trigger either the Charge Port or Frunk opening. From my testing the NFA213 tags are the ones to use. I tried the smaller 25mm ones and 45mm ones, the 45mm gave the best results due to the larger antenna. I bought mine from Amazon, here:

https://www.amazon.co.uk/gp/product/B075HQR6MY/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

All seems to work very well.
 

rotor2k

Member
Sep 16, 2019
513
277
London
Came across that a couple of weeks ago but it still relies on the web hosted service that he runs and that he doesn’t provide the source code for.
 
  • Like
Reactions: CMc1

Ed_M

Member
Aug 29, 2020
14
15
Berkshire
> Please don't go there unless you understand the security implications of any of these 3rd party apps.
>
> It's also worth noting the Tesla app has a bunch of things you can do natively
>
> Apple Siri commands for your Tesla

Wise words indeed and I second that. People need to be accountable for the choices they take in using these services. Your note applies to all third party apps, like Tesla Mate, TeslaFI etc. I think the key is being able to see the source code if one desires.

Until the Tesla app provides these integrations directly with iOS Shortcuts, which it currently doesn't, then apps/integrations like this will exist.
 

rotor2k

Member
Sep 16, 2019
513
277
London
> Wise words indeed and I second that. People need to be accountable for the choices they take in using these services. Your note applies to all third party apps, like Tesla Mate, TeslaFI etc. I think the key is being able to see the source code if one desires.
>
> Until the Tesla app provides these integrations directly with iOS Shortcuts, which it currently doesn't, then apps/integrations like this will exist.

If the guy posted the source code of the web service I'd be all over it! As it is, the fact that he doesn't seems just a little suspicious, and is enough to steer me clear.
 
  • Like
Reactions: Ed_M

Glan gluaisne

Supporting Member
Sep 11, 2019
2,782
2,711
UK
> Wise words indeed and I second that. People need to be accountable for the choices they take in using these services. Your note applies to all third party apps, like Tesla Mate, TeslaFI etc. I think the key is being able to see the source code if one desires.
>
> Until the Tesla app provides these integrations directly with iOS Shortcuts, which it currently doesn't, then apps/integrations like this will exist.

Worth noting that there are no significant security issues with using Teslamate when self-hosted. Someone would need to physically break into our house to gain access to anything stored by Teslamate, and if doing that they could just nick the key fob or access cards.
 
  • Like
Reactions: Ed_M

GeorgeSymonds

Active Member
Mar 16, 2018
1,269
805
UK
> Worth noting that there are no significant security issues with using Teslamate when self-hosted. Someone would need to physically break into our house to gain access to anything stored by Teslamate, and if doing that they could just nick the key fob or access cards.

That's true and I use it. It's been tested to ensure they're not pushing the information out of the locally running software to themselves for nefarious reasons (it's fairly simple to do if you monitor your own network). The tiny weeny risk is after a software update but of all the options this is by far the safest.
 

Ken-E

Member
Sep 4, 2020
12
7
Montreal
I found that a nice, clean way to add shortcuts, and automation is through the "Automate" app for Tesla.

https://apps.apple.com/us/app/automate-for-tesla/id1382111619

Comes with Apple Watch complications, has a widget for ios14, is enabled in Apple Shortcuts, Force Touch shortcuts to quickly heat the car, open the trunk, etc... and a bunch of other simple, nice features. Is only $1 / year in the app store.

Am not affiliated in any way to them.
 

Ed_M

Member
Aug 29, 2020
14
15
Berkshire
> If the guy posted the source code of the web service I'd be all over it! As it is, the fact that he doesn't seems just a little suspicious, and is enough to steer me clear.

I have mailed him, let's see what he comes back with. If he released the source and I could adapt and run it behind the firewall then the risk becomes non-existent. I like the idea, just don't really want to dedicate a whole heap of time writing it myself at the moment. It would help reduce the risk if Tesla provided MFA on the account too.
 
  • Like
Reactions: CMc1

Ed_M

Member
Aug 29, 2020
14
15
Berkshire
I think the moral of the story is security. I started the thread this morning as I was eating my breakfast and reflecting on my testing. On further reflection I should have thought some more about the user base I was posting to. As said earlier, if going down the 3rd party path you need to be cognisant of a few things:

There are quite a lot of useful looking 3rd party apps out there, I had a look at a few of them. As pointed out earlier all third party apps are a security risk, the risk is you are submitting your account details to a third party to generate an OAuth token, and this could then be used to access your account and your data without your permission. For users in the EU, from a data security point of view you could be sending your data out of the EU, which means you lose all your EU data privacy rights (TeslaFI).

Using an app from the App store does not make them any more trusted than running a script on the internet, you still do not know what it is doing.

You can reduce the perceived risks to some degree by:
  • Choosing an app from a trusted software developer
  • Choosing an open source app, where you or other enthusiasts can vet the code
  • Writing something yourself.
  • Running something locally within your own network and behind a suitable firewall, as you can with TeslaMate.
It would help if Tesla enabled MFA on user accounts too.

I shall keep digging until I find a workable solution.
 

VanillaAir_UK

Well-Known Member
Jun 17, 2019
8,242
5,768
Surrey, UK
I think TeslaFi's security is pretty robust and has a wide enough audience that if it was rogue or had serious shortcomings, it's going to have been noticed, especially considering a large number of its audience will be very tech savvy.

No Tesla account info is stored within TeslaFi except for the auth token. The real risk, as in any system using the auth key, is the lax level of access that Tesla allows with this token. That shortcoming is down to Tesla, hopefully soon to be addressed, long overdue.

TeslaFi - Security
 

Glan gluaisne

Supporting Member
Sep 11, 2019
2,782
2,711
UK
> Hasn’t Elon promised dual factor authentication ‘soon’?

I believe so, although whether 2FA changes the way that subsequent access to the API works isn't clear. I believe that the intention may be to just change the username/password initial token generation element.
 

GeorgeSymonds

Active Member
Mar 16, 2018
1,269
805
UK
> There are quite a lot of useful looking 3rd party apps out there, I had a look at a few of them. As pointed out earlier all third party apps are a security risk, the risk is you are submitting your account details to a third party to generate an OAuth token, and this could then be used to access your account and your data without your permission.

At the end of this article is a simple DIY method of getting your token without using a third party site - you just need to be able to run a PowerShell script on a PC but I dare say the principle is the same on a Mac. The risk though is still there with just a token, it's just not as bad as the car can't be started and your account can't be accessed, the car can still be located, opened, etc without your knowledge, but if you are going to do it then I'd generate a token this way

Tesla Info: Get your car configuration

> I think TeslaFi's security is pretty robust and has a wide enough audience that if it was rogue or had serious shortcomings, it's going to have been noticed, especially considering a large number of its audience will be very tech savvy.
>
> No Tesla account info is stored within TeslaFi except for the auth token. The real risk, as in any system using the auth key, is the lax level of access that Tesla allows with this token. That shortcoming is down to Tesla, hopefully soon to be addressed, long overdue.

We only ever have their word to go on regarding what they store, and the popularity of them also makes them a target, I've read their security and it does look pretty comprehensive but we know even the biggest companies with the big IT budgets get it wrong. Your own Teslamate instance running on AWS would probably be undetectable in comparison. I was slightly worried about how quickly they lashed together a workaround when Tesla blocked AWS API connections - there is a time for haste and I didn't think it was then given the Token is passed on every API call to Tesla and slotting a proxy bodge in quickly almost certainly introduced another company to the security mix
 

M3-Newbie

Member
Jun 28, 2020
160
89
Scotland
Interesting... the Siri thing is an interesting party trick, I've set it up but rarely use it - I like to press buttons! (quietly and discreetly...!)

I've not used NFC but know 'of it' but as more of an Android thing as Apple couldn't program them (in late 2018 when I last investigated it for one of our businesses). Does the use of NFC require me to be inside an app, like QR codes need you to open your camera first - or is it simply my phone awake and held 'near' the little sticker? Do you get outdoor waterproof stickers?
 

M3-Newbie

Member
Jun 28, 2020
160
89
Scotland
On the security points:

What do you more tech security minded people know about the Stats app? Yay or nay on that one? I'm using that on my iPhone and it powers my Siri to do all sorts - I never thought about source code/security...

Also for my Mac I just downloaded one called 'valet for tesla', currently on free trial, but it shows the car's battery range on my top bar on Mac and if I click on it I can see all the same options as the Stats app has for opening trunk/frunk etc - it's very handy for me and the 'can I get xyz out the car please' questions while working from home - but what are the security concerns that you have? A theft risk of the Tesla? Or the credit card that's on my account for the supercharging?

What is the risk so I can decide if I can tolerate it or not?
 

GeorgeSymonds

Active Member
Mar 16, 2018
1,269
805
UK
They're all the same * - they take a request from you and turn it into a series of queries or instructions via the Tesla API for which they need your credentials or token.

* Teslamate is no different in the sense it needs your credentials and works the same way, the key difference from a security perspective is that you have a copy of the code and it sits (assuming on a Raspberry Pi) in your own home and the only commands going in and out are to Tesla's servers. The other apps perform the queries on their own servers over which you have no knowledge or control.

The risks depend on what you've done

- if you've given anyone your Tesla logon and password they have access to the car including driving and access to your "MyTesla" account, can bugger around with your settings, delete your car from your account, do anything you can do.

- the token (and the question is how did you get the token without using your username and password) is much more limited to seeing where the car is, opening, turning on the heating, everything except starting the car.
 
  • Informative
Reactions: M3-Newbie
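
One way to run the "monitor your own network" check mentioned earlier in the thread against a self-hosted logger whose only traffic should be to Tesla's servers. This is an added example, not part of any post and not TeslaMate's own code; it assumes the Pi resolves names through a dnsmasq instance with query logging enabled, and the allowlist, the Pi's address and the log lines are constructed for illustration.

```python
import re

# Assumption: domains the self-hosted logger is expected to contact.
# Extend this with whatever your own instance legitimately needs.
ALLOWED_SUFFIXES = ("teslamotors.com", "tesla.com")

# dnsmasq query-log line: "<time> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed sample log; 192.168.1.50 stands in for the Raspberry Pi.
SAMPLE_LOG = """\
Oct  5 11:28:00 dnsmasq[512]: query[A] owner-api.teslamotors.com from 192.168.1.50
Oct  5 11:28:01 dnsmasq[512]: reply owner-api.teslamotors.com is 203.0.113.10
Oct  5 11:28:05 dnsmasq[512]: query[A] auth.tesla.com from 192.168.1.50
Oct  5 11:29:10 dnsmasq[512]: query[AAAA] metrics.collector.example.net from 192.168.1.50
Oct  5 11:29:12 dnsmasq[512]: query[A] www.example.org from 192.168.1.23
Oct  5 11:30:00 dnsmasq[512]: query[A] tesla.com.lookalike.example from 192.168.1.50
Oct  5 11:30:02 dnsmasq[512]: query[A] Owner-API.TeslaMotors.com. from 192.168.1.50
"""

def is_allowed(name, suffixes=ALLOWED_SUFFIXES):
    """True if name equals an allowed domain or is a subdomain of one."""
    name = name.rstrip(".").lower()
    # Match on a label boundary so "tesla.com.lookalike.example" is rejected.
    return any(name == s or name.endswith("." + s) for s in suffixes)

def unexpected_lookups(log_text, host_ip):
    """Return sorted (name, count) pairs for lookups by host_ip outside the allowlist."""
    counts = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("client") != host_ip:
            continue  # not a query line, or a different device on the LAN
        name = m.group("name").rstrip(".").lower()
        if not is_allowed(name):
            counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items())

if __name__ == "__main__":
    for name, n in unexpected_lookups(SAMPLE_LOG, "192.168.1.50"):
        print(f"unexpected DNS lookup x{n}: {name}")
```

DNS logs do not show connections made to literal IP addresses, so pair this with the router's or firewall's connection log, and re-run it after each software update.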

Jeeves

Member
Feb 12, 2020
508
286
UK
> They're all the same * - they take a request from you and turn it into a series of queries or instructions via the Tesla API for which they need your credentials or token.
>
> * Teslamate is no different in the sense it needs your credentials and works the same way, the key difference from a security perspective is that you have a copy of the code and it sits (assuming on a Raspberry Pi) in your own home and the only commands going in and out are to Tesla's servers. The other apps perform the queries on their own servers over which you have no knowledge or control.
>
> The risks depend on what you've done
>
> - if you've given anyone your Tesla logon and password they have access to the car including driving and access to your "MyTesla" account, can bugger around with your settings, delete your car from your account, do anything you can do.
>
> - the token (and the question is how did you get the token without using your username and password) is much more limited to seeing where the car is, opening, turning on the heating, everything except starting the car.

Whilst I value the convenience offered by various apps, I’ve always been a bit uncomfortable about providing my Tesla account details to them. Most of them provide assurances that they only store the tokens in a secure manner either on your device (e.g. Stats, Watch app for Tesla) or encrypted on their penetration-tested servers if they are doing something for you on a repeated basis (e.g. ev.energy, TeslaFi, ABRP).

Am I right in thinking that apps storing it locally on your device are much less risky than the server-based ones?
 

VanillaAir_UK

Well-Known Member
Jun 17, 2019
8,242
5,768
Surrey, UK
> Am I right in thinking that apps storing it locally on your device are much less risky than the server-based ones?

Not necessarily. Two factors at play. What is the risk of a device or system being attacked and when attacked, what is the risk of that attack compromising important information.

A one off system is less likely to be worth actively targeting but may still be caught in less targeted mass hacks/probes. A well secured system with multiple levels of protection will be a lot harder to get anything useful from, but may attract specific attention. Active monitoring, typically afforded by larger organisations will also add security.

I've been involved in deploying commercial high risk customer facing systems and I am comfortable with for example the TeslaFi approach. I also self host my own server and wouldn't store anything sensitive on it. Not that it's insecure, but it's not protected by the sort of systems that I would use to protect more sensitive data.

At the end of the day, the system is only as secure as the weakest link. I wonder how many people have enabled touch/face etc ID within the Tesla app and keep a firm grip on their phone?
 
