
Model S "Hacked" (again)?

Discussion in 'Model S' started by Gizmotoy, Jul 17, 2014.

  1. Gizmotoy

    Gizmotoy Active Member

    Joined:
    Sep 16, 2013
    Messages:
    3,155
    Location:
    Bay Area, CA
  2. qwk

    qwk Model S P2681

    Joined:
    Dec 19, 2008
    Messages:
    2,817
    All of the mentioned commands are accessible through the app, and nothing really noteworthy to access. I would be surprised if someone (not an owner who has a ton of time and access to the CAN bus) actually hacked the car.
     
  3. Gizmotoy

    Gizmotoy Active Member

    Joined:
    Sep 16, 2013
    Messages:
    3,155
    Location:
    Bay Area, CA
    I figured the same, which is why I used "hacked" in the title. There's some kind of vulnerability in Tesla's website/app, again, and probably not the car itself.
     
  4. yobigd20

    yobigd20 Well-Known Member

    Joined:
    Oct 28, 2012
    Messages:
    5,793
    Location:
    Skaneateles, NY
    This whole hack contest and winner is absolutely ridiculous. It sounds like someone came on these forums, found the REST API and library on github, and simply ran the program that was already coded to do exactly that. This is a public facing API. That should *NOT* qualify as a hack and most certainly should *NOT* have won the contest. Now, if somebody was able to unlock their S40 to an S60, or enable supercharging on their S40/S60 via software hack - THAT's a real hack worthy of the prize.
     
  5. markb1

    markb1 Active Member

    Joined:
    Feb 17, 2012
    Messages:
    2,318
    Location:
    San Diego, CA
    Agree that it's not a real hack. But Tesla probably should restrict these functions when the car is moving, shouldn't it?
     
  6. skn

    skn Member

    Joined:
    Jun 25, 2014
    Messages:
    104
    Location:
    Amsterdam
  7. qwk

    qwk Model S P2681

    Joined:
    Dec 19, 2008
    Messages:
    2,817
    I would be willing to bet that the article is wrong about the "while moving" part. You can't even honk the horn using the app while the car is moving.
     
  8. markb1

    markb1 Active Member

    Joined:
    Feb 17, 2012
    Messages:
    2,318
    Location:
    San Diego, CA
  9. skn

    skn Member

    Joined:
    Jun 25, 2014
    Messages:
    104
    Location:
    Amsterdam
    I thought they insisted on at least 8 with upper lower and number in it...
     
  10. mkjayakumar

    mkjayakumar Active Member

    Joined:
    Aug 18, 2012
    Messages:
    1,743
    Location:
    Plano, TX
    If someone steals my Tesla webapp password, or steals my iPhone with a stored password, and then executes these functions - is that considered a vulnerability in the Model S software? Just asking.
     
  11. skn

    skn Member

    Joined:
    Jun 25, 2014
    Messages:
    104
    Location:
    Amsterdam
    Well if they don't implement any lockout period after x unsuccessful attempts, don't insist on strong password etc., the system is weak and vulnerable in a strict security sense.
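    The two controls skn names here, a lockout after repeated failed attempts and a minimum password strength, as one added Python example (not code from this thread, from Tesla, or from any app discussed here). The thresholds, the PBKDF2 storage and the fake clock are my assumptions; a real service would also rate-limit by source address and alert on lockouts.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Assumed policy values; the thread gives none, so these are illustrative.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted, slow hash so a leaked credential store yields no plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_meets_policy(password):
    """At least 8 characters with upper, lower and digit (the rule skn recalls)."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Per-account failure counter with a temporary lockout (illustrative only)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self._creds = {}      # username -> (salt, digest)
        self._state = {}      # username -> AccountState
        self._max = max_failures
        self._lockout = lockout_seconds
        self._clock = clock   # injectable so the lockout window can be tested without sleeping

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._creds[username] = hash_password(password)

    def attempt(self, username, password):
        """Returns 'ok', 'denied' or 'locked'. While locked, the password is not even checked."""
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        stored = self._creds.get(username)
        if stored is not None:
            salt, digest = stored
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                st.failures = 0
                return "ok"
        # Unknown users are counted too, so guessing usernames is throttled as well.
        # (Production code would also hash a dummy value here to keep timing uniform.)
        st.failures += 1
        if st.failures >= self._max:
            st.failures = 0
            st.locked_until = now + self._lockout
            return "locked"
        return "denied"


def demo():
    """Five wrong guesses lock the account; the right password only works after the window."""
    fake = {"t": 0.0}
    guard = LoginGuard(clock=lambda: fake["t"])
    guard.register("owner", "Correct1Horse")
    results = [guard.attempt("owner", "wrong-guess") for _ in range(5)]
    results.append(guard.attempt("owner", "Correct1Horse"))  # correct, but still locked
    fake["t"] += LOCKOUT_SECONDS + 1
    results.append(guard.attempt("owner", "Correct1Horse"))
    return results


if __name__ == "__main__":
    print(demo())
```

    The point of the injected clock is that the lockout is time-based rather than counter-based: a correct password during the window is refused, which is what stops an attacker who has the right password from learning so mid-lockout, and a legitimate owner simply waits it out.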
     
  12. markb1

    markb1 Active Member

    Joined:
    Feb 17, 2012
    Messages:
    2,318
    Location:
    San Diego, CA
    To wannabe security researchers desperate to make names for themselves, yes.

    - - - Updated - - -

    Arguably, such measures are not necessary, because what the password is protecting isn't that important. Of course, with the password, you can unlock the car or exercise controls that could potentially distract the driver, so you may deem security more important because of that.
     
  13. Canuck

    Canuck Active Member

    Joined:
    Nov 30, 2013
    Messages:
    3,962
    Location:
    South Surrey, BC
    From my understanding, and please correct me if I am wrong, when using third-party apps such as Visible Tesla, I think you are giving your password to a third party not associated with Tesla, as well as to anyone who has access to that app's database.
     
  14. markb1

    markb1 Active Member

    Joined:
    Feb 17, 2012
    Messages:
    2,318
    Location:
    San Diego, CA
    Yes, don't do that.

    - - - Updated - - -

    Actually, I think Visible Tesla is an app that you run on your own computer, so you don't need to give your password to anybody. I haven't used it. Though you do have to trust the code to handle your password properly, of course, and not secretly send it to some server.
     
  15. Gizmotoy

    Gizmotoy Active Member

    Joined:
    Sep 16, 2013
    Messages:
    3,155
    Location:
    Bay Area, CA
    I think it used to be 6 until the last time the website/API was hacked, after which they increased the password requirements and implemented an incorrect password lockout mechanism.

    Depends on implementation. From my basic understanding, communication via the API actually occurs via something akin to cookies. In Visible Tesla, for example, you enter your password, but Visible Tesla keeps the cookie. It doesn't need to know the password other than as a means for it to get the cookie. Indeed, VT doesn't require you to let it save your password. If you do let it, it's stored encrypted, but that's obviously up to the developer, whom you have to trust not to steal your password in either case. Maybe Joe will pop in and clarify.
     
  16. Pilot_51

    Pilot_51 Member

    Joined:
    Jan 18, 2014
    Messages:
    534
    Location:
    Metro Detroit, MI
    VT is open source, so you can check the code yourself if you know how. With the exposure it has received, if there was something malicious going on or a blatant security vulnerability, I'm sure someone in the community would have found it and made everyone else aware if the developer didn't fix it or accept someone else's fix in a timely manner.
     
  17. aviators99

    aviators99 Model S - R140

    Joined:
    Jan 1, 2010
    Messages:
    1,453
    Location:
    Weston, Florida, United States
    The API doesn't allow that stuff while the car is moving. I know because (at the request of a friend) I wrote some code to run in the background and honk the horn every time you approach the Tesla statue in Palo Alto. It doesn't work :)
     
  18. markb1

    markb1 Active Member

    Joined:
    Feb 17, 2012
    Messages:
    2,318
    Location:
    San Diego, CA
    I don't mean to suggest that VT is doing anything malicious, just that in general, it's something to think about.
     
  19. skn

    skn Member

    Joined:
    Jun 25, 2014
    Messages:
    104
    Location:
    Amsterdam
    I find it surprising that in this day and age Tesla had to resort to a homegrown insecure way for 3rd party apps to use their APIs. Anyone who has used a Twitter client knows there is a better way to handle such scenarios - OAuth

    Only 2 reasons I can think of for Tesla not implementing OAuth:
    1. They think the APIs are not worth such protection: Strange given that it does expose personal location data, could potentially cause nuisance, power of APIs could themselves be beefed up at some point
    2. They never foresaw 3rd party hacks like VT: tsk, tsk....
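    Gizmotoy's description earlier in the thread (a client sends the password once, keeps only the returned "cookie") and skn's point that OAuth-style delegation is the better fit for third-party apps, as one added Python example that is not code from this thread, from Tesla, or from Visible Tesla. Both sides of the exchange are toy classes; the action names, scopes, token lifetimes and the plaintext credential store are constructed for the demo. Pattern 1 is the password-for-token exchange the thread describes; pattern 2 adds what delegation buys you: a scoped, separately revocable grant, and a client that never sees the password.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed action names; not the real API's endpoints.
CONTROL_ACTIONS = {"honk_horn", "unlock_doors", "flash_lights"}
READ_ACTIONS = {"vehicle_state", "charge_state"}


@dataclass
class Token:
    owner: str
    client: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class VehicleService:
    """Toy back end constructed for this example (not Tesla's service)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # username -> password; plaintext only to keep the demo short
        self._tokens = {}   # token string -> Token

    def register_user(self, username, password):
        self._users[username] = password

    def _check(self, username, password):
        stored = self._users.get(username, "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def _issue(self, owner, client, scopes, ttl):
        tok = secrets.token_urlsafe(32)   # random, unguessable bearer token
        self._tokens[tok] = Token(owner, client, frozenset(scopes), self._clock() + ttl)
        return {"access_token": tok, "scope": sorted(scopes)}

    # Pattern 1 (the thread's "cookie"): the client presents the owner's password
    # and receives a long-lived token carrying the owner's full rights.
    def login(self, username, password, client):
        if not self._check(username, password):
            return {"error": "invalid_credentials"}
        return self._issue(username, client, {"read", "control"}, ttl=90 * 24 * 3600)

    # Pattern 2 (OAuth-style delegation): the owner authenticates with the service
    # directly and approves a named client for a limited scope; the client never
    # handles the password and the grant can be revoked on its own.
    def authorize_client(self, username, password, client, scopes):
        if not self._check(username, password):
            return {"error": "invalid_credentials"}
        return self._issue(username, client, scopes, ttl=3600)

    def revoke_client(self, username, client):
        """Kill every live grant held by one client without touching the password."""
        count = 0
        for t in self._tokens.values():
            if t.owner == username and t.client == client and not t.revoked:
                t.revoked = True
                count += 1
        return count

    def call(self, token, action):
        t = self._tokens.get(token)
        if t is None or t.revoked or self._clock() > t.expires_at:
            return {"error": "invalid_token"}
        if action not in CONTROL_ACTIONS | READ_ACTIONS:
            return {"error": "unknown_action"}
        needed = "control" if action in CONTROL_ACTIONS else "read"
        if needed not in t.scopes:
            return {"error": "insufficient_scope"}
        return {"result": f"{action} accepted for {t.owner}"}


class ThirdPartyClient:
    """A Visible Tesla-style client: it holds the token only, never the password."""

    def __init__(self, name):
        self.name = name
        self.token = None

    def adopt(self, grant):
        self.token = grant["access_token"]

    def call(self, service, action):
        return service.call(self.token, action)


def demo():
    service = VehicleService()
    service.register_user("owner", "Correct1Horse")
    results = {}

    # Pattern 1: the password is exchanged for a full-rights token and discarded.
    legacy = ThirdPartyClient("legacy-desktop-app")
    legacy.adopt(service.login("owner", "Correct1Horse", client=legacy.name))
    results["p1_control"] = legacy.call(service, "honk_horn")

    # Pattern 2: the owner grants a client read-only access, then revokes that grant.
    delegated = ThirdPartyClient("delegated-desktop-app")
    delegated.adopt(service.authorize_client("owner", "Correct1Horse",
                                             client=delegated.name, scopes={"read"}))
    results["p2_read"] = delegated.call(service, "vehicle_state")
    results["p2_control"] = delegated.call(service, "honk_horn")
    results["revoked"] = service.revoke_client("owner", "delegated-desktop-app")
    results["after_revoke"] = delegated.call(service, "vehicle_state")
    # The password itself is untouched: the owner's own login still works.
    results["login_still_works"] = "access_token" in service.login("owner", "Correct1Horse", client="phone")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    The contrast worth noticing is in the revoke step: with pattern 1 the only way to cut off a misbehaving app is to change the password, which invalidates every other client too; with pattern 2 the owner revokes one client's grant and nothing else changes, and a read-only grant cannot reach the control actions even if the app is compromised.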
     
  20. aviators99

    aviators99 Model S - R140

    Joined:
    Jan 1, 2010
    Messages:
    1,453
    Location:
    Weston, Florida, United States
    I don't find it surprising, because it's completely unnecessary to add any more security than they already have.
     
