
iPhone app login credentials and a big security hole?

Discussion in 'Model S: User Interface' started by HankLloydRight, May 17, 2015.

  1. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,757
    Location:
    Connecticut
    I recently posted about my charge port door opening overnight here: Phantom charge port door opening?

    Now also my rear hatch has opened up by itself once over night, and I'm sure I'm not hitting the remote.

    So I think someone might have my Mytesla login credentials and is hacking their way around my car.

    So I just went to the my.teslamotors.com website and changed my password.

    But my iPhone and iPad apps are still connected to my car!

    I'm stunned that these apps do not re-authenticate themselves at least every time the app is opened up. I even did a "force quit" on them and they still open up connected to, and controlling my car with no re-login authentication.

    Now if someone does have my OLD credentials, they can still happily go along and control my car. This seems like a really strange oversight to me.
     
  2. mibaro2

    mibaro2 Member

    Joined:
    Dec 2, 2012
    Messages:
    958
    Location:
    Georgetown, ON
    That is strange.

    When I changed my MyTesla password, I had to enter my new password in the app. I think the message was "Failed To Connect".
     
  3. markwj

    markwj Moderator, Asia Pacific

    Joined:
    Apr 10, 2011
    Messages:
    3,655
    Location:
    Hong Kong
    Technically, when you authenticate with the App you are given a token and that token is used for future authentication until it expires (or is deleted on the server).

    Tesla should be deleting all tokens if you change your password on My Tesla. I've heard this reported before (in the API threads somewhere), and your report sounds like they still aren't doing it.
     
  4. Rockster

    Rockster Active Member

    Joined:
    Oct 22, 2013
    Messages:
    1,005
    Location:
    McKinney, TX
    I changed my login credentials after Tesla's April 26th server issue and my phone still hasn't asked me to reauthenticate.
     
  5. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,757
    Location:
    Connecticut
    That's not good. Wow.
     
  6. Zythryn

    Zythryn MS 70D, MX 90D

    Joined:
    Mar 18, 2009
    Messages:
    1,660
    Location:
    Minnesota
    Wouldn't it be simpler to turn off remote access and see if the odd behavior continues?
     
  7. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,757
    Location:
    Connecticut
    Good idea, I'll try that. Thanks.
     
  8. Obsoletion

    Obsoletion Member

    Joined:
    Feb 21, 2014
    Messages:
    67
    Location:
    Alta Loma, CA (Southern California)
    Can that be opened from the app?
     
  9. markwj

    markwj Moderator, Asia Pacific

    Joined:
    Apr 10, 2011
    Messages:
    3,655
    Location:
    Hong Kong
    I remember now where I first read about this. Back in 2013, George Reese's 'the API is flawed' blog:

    Authentication Flaws in the Tesla Model S REST API - O'Reilly Broadcast

    I really hate to bring it back up here, given that George and I disagree philosophically on the possible existence of private APIs, but he has some insight into this.

    In his original post he wrote:

    In a later revision (based on community feedback), he retracted that and put:

    So, it seems that at that time, changing the My Tesla password resolved this, but that was subject to some unspecified caching interval.
     
  10. AllenWong

    AllenWong Member

    Joined:
    Dec 9, 2014
    Messages:
    648
    Location:
    Orlando, FL
    I can answer this question since I have played around with the API extensively for the past month. The answer is no; not even a third-party app like VisibleTesla can do it. I suspect something else is going on.
     
  11. RAW84

    RAW84 Member

    Joined:
    Oct 6, 2014
    Messages:
    340
    Location:
    Boston
    I agree this is a significant hole. I have confirmed that changing my password did not prevent my Android app from connecting.
     
  12. Trustno1

    Trustno1 Member

    Joined:
    Mar 25, 2015
    Messages:
    24
    Location:
    Norway
    I experienced something similar when I sold my old P85.

    I had access to the car through VisibleTesla several weeks after it was removed from my Tesla account.
     
  13. RAW84

    RAW84 Member

    Joined:
    Oct 6, 2014
    Messages:
    340
    Location:
    Boston
    It looks like they fixed this. It prompted me for a password this morning, finally. I then changed my password again, and it prompted me for a password when I tried the app an hour later.

    This is for the Android app, btw, though I bet it is the same for iOS.
     
  14. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,757
    Location:
    Connecticut
    Yes, I've been meaning to post an update to this thread.

    After I posted this thread, I was contacted by a Tesla engineer who was working to fix the issue, which he told me they did. It did require expiring a lot of tokens that day, so a lot of people may have had to re-login as a result, but they did tell me the issue that I had has been fixed. They also told me that they hope to offer more control over auth tokens and device access in the future.
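The token lifecycle markwj describes in post 3, and the fix described in the post above (Tesla expiring everyone's tokens so that a password change actually logs other devices out), as an added example that is not part of this thread and not Tesla's code. It is a toy token server in Python with a switch for the flawed behaviour reported here (tokens issued under the old password keep working) and the corrected behaviour (every token belonging to the account is revoked when the password changes). All names, the 90-day token lifetime and the PBKDF2 parameters are assumptions chosen for the illustration.

```python
"""Toy bearer-token server: why tokens must be revoked on password change.

Added illustration for this thread; not Tesla's code. Names, TTLs and the
PBKDF2 parameters are assumptions chosen for the example.
"""
import hashlib
import hmac
import os
import secrets

DEFAULT_TTL = 90 * 24 * 3600  # assumed 90-day token lifetime, in seconds


class TokenServer:
    """Issues bearer tokens on login and checks them on later requests."""

    def __init__(self, revoke_on_password_change=True):
        # False reproduces the behaviour reported in this thread: tokens
        # handed out under the old password keep controlling the car.
        self.revoke_on_password_change = revoke_on_password_change
        self.users = {}   # email -> {"salt": bytes, "hash": bytes}
        self.tokens = {}  # token -> {"email": str, "expires": int}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check_password(self, email, password):
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": self._hash(password, salt)}

    def login(self, email, password, now, ttl=DEFAULT_TTL):
        """Return a fresh bearer token, or None if the credentials are wrong."""
        if not self._check_password(email, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"email": email, "expires": now + ttl}
        return token

    def authenticate(self, token, now):
        """Return the account a token belongs to, or None if it is invalid."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self.tokens[token]  # expired: drop it so it cannot be reused
            return None
        return rec["email"]

    def revoke_all(self, email):
        """Delete every token issued to this account (every device logs out)."""
        stale = [t for t, rec in self.tokens.items() if rec["email"] == email]
        for t in stale:
            del self.tokens[t]
        return len(stale)

    def change_password(self, email, old_password, new_password):
        """Rotate the password; with the fix enabled, also revoke all tokens."""
        if not self._check_password(email, old_password):
            return False
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": self._hash(new_password, salt)}
        if self.revoke_on_password_change:
            self.revoke_all(email)
        return True


def demo(revoke_on_password_change):
    """Log in, change the password, then retry the pre-change token.

    Returns True if the old token still authenticates afterwards.
    """
    server = TokenServer(revoke_on_password_change)
    server.register("owner@example.com", "old-password")  # constructed account
    token = server.login("owner@example.com", "old-password", now=1000)
    assert server.authenticate(token, now=1001) == "owner@example.com"
    assert server.change_password("owner@example.com", "old-password", "new-password")
    return server.authenticate(token, now=1002) == "owner@example.com"


if __name__ == "__main__":
    print("flawed server, old token still valid after password change:", demo(False))
    print("fixed server, old token still valid after password change:", demo(True))
```

With the flag off, the old token survives the password change, which is exactly what HankLloydRight, Rockster and RAW84 saw; with it on, the app has to log in again the next time it talks to the server. The "caching interval" from the 2013 blog corresponds to the token TTL here: without explicit revocation, an attacker holding a token keeps access until that lifetime runs out, however often the password is changed.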
     
  15. thecloud

    thecloud As rhythm raced inside, the ship came alive

    Joined:
    Nov 24, 2014
    Messages:
    565
    Location:
    Sunnyvale, CA
    Interesting! I noticed a few days ago that I had to log in unexpectedly when I was checking my charging status. Guess this explains it.
     
  16. AnOutsider

    AnOutsider S532 # XS27

    Joined:
    Apr 3, 2009
    Messages:
    11,923
    Good to know they're on it. Perhaps with the "hacker princess" gone, Tesla should get a new security team in place to do pen tests and such on a regular basis (if they don't already).
     
