Yes, you did a good job of describing the differences. And you also explained how the benefits to OAuth would not provide any benefit that Tesla currently cares about. It does not increase security in any way for the designed use of the API.
Yes, me too, but I'm sure Tesla also has their own people who could do this and will use it (or something similar) if and when they want 3rd party applications to be able to use the API. For full disclosure, I'm also a professor of computer security.
I still think Tesla should care about this, not really from the OAuth side, but from the fact that their API was reverse engineered from their app. The app and the API do leave Tesla, the brand, vulnerable. Normally, an app with a REST API acts pretty much like a website and doesn't expose much more functionality than normally found on the actual website a user needs to log into. So the worst thing you can ever do is mess with a single account at a time, only if you know the credentials. However, Tesla's app goes beyond what a user can do on a website, so a compromised online account can not only lead you into some personal and financial data, but it also provides programmatic access to a machine that Tesla built for a customer. The fact that people could reverse engineer the app and the API is not good for the brand of Tesla if someone does something bad with this access. If someone were to compromise their account databases, they could then essentially unlock everyone's car. This is a liability that goes far beyond stealing money off someone's credit card. Not only does it provide remote functionality to another person's property, it tracks where the current user actually is as well. The larger their user base grows, the more potential for fraud and damage to their brand.
I am assuming someone just did a simple man-in-the-middle attack to watch what the app was doing? Don't get me wrong, I love that we have this API - I just think eventually this is going to become a liability to them, rather than something they can just let go because it's a bunch of nerds monitoring and playing with their cars remotely.
- - - Updated - - -
@skn, have you actually read about OAuth? It is no panacea. From the link you provided:
That's a little scary, isn't it? So if I can acquire a token for your app I have unlimited access without any re-authentication until/unless the user notices and takes specific action to revoke the token. At least TMC's tokens do expire.
And from the former lead of the OAuth efforts:
If I acquire a cookie for your car, I gain unlimited access to your car for 3 months, and you have NO WAY to revoke that cookie. If you change your password, cookie still works. 3 months is just as arbitrary as 1 year, 5 years, or forever.
OAuth is a means of "authorization" not "authentication". And the TTL of an OAuth token is not infinite, it can be, but it is up to the implementation to set the TTL and whether it's a one time use-period, or a refreshable period (longer term access). But like you said, this also gives the user the ability to revoke access - in the case of changing password, losing device, website compromised, etc. OAuth also allows for users to set the "scope" of what the app is allowed to have access to... TM's cookies don't do that, do they? TM's cookie implementation is basically exactly what you are describing as the downside of OAuth. The cookie is generated once, then used in an unlimited way until it expires.
The real use of OAuth here is to protect the users from having to give their username/password credentials to anyone other than Tesla in addition to what's possible in my comments above. I downloaded VisibleTesla, and I logged in, who's to say that the developer didn't ship my password over to their servers? Then what if I use that same username/password for my banking info. Big win for that developer.
Tesla is trying to grow into a much larger user base, and with more users, comes more problems, more lawsuits, etc. In my opinion, something bad will happen with the remote access one day, not from Tesla's app, but from an "unofficial" third party app and then it's going to be game over for us. The fact that Tesla lets things like VisibleTesla exist means they are either oblivious it exists (doubt it) or they unofficially condone it. So, I would rather see them do it right, give me the user a trusted place on their website that I can put in my credentials and authorize a 3rd party app - and revoke it when I want to.
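
The contrast argued in this thread, as an added example that is not from any poster and is not Tesla's code: a fixed-lifetime cookie with full access and no revocation, next to an OAuth-style grant with scope, TTL and per-app revocation. The class names, the user `alice`, the app `logger_app` and the action names `read_location` and `unlock_doors` are hypothetical.

```python
import secrets

DAY = 86400

class CookieSessions:
    """Cookie as described in the thread: fixed lifetime, full access, no revocation."""
    LIFETIME = 90 * DAY  # the "3 months" quoted in the thread

    def __init__(self):
        self.sessions = {}  # cookie -> (user, expiry)

    def login(self, user, now):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, now + self.LIFETIME)
        return cookie

    def allowed(self, cookie, action, now):
        entry = self.sessions.get(cookie)
        return entry is not None and now < entry[1]  # the action is never checked

class TokenGrants:
    """OAuth-style grant: per-app scope, implementation-chosen TTL, user revocation."""
    def __init__(self):
        self.grants = {}  # token -> (user, app, scope, expiry)

    def authorize(self, user, app, scope, ttl, now):
        token = secrets.token_urlsafe(32)
        self.grants[token] = (user, app, frozenset(scope), now + ttl)
        return token

    def revoke(self, user, app):
        self.grants = {t: g for t, g in self.grants.items() if g[:2] != (user, app)}

    def allowed(self, token, action, now):
        g = self.grants.get(token)
        return g is not None and now < g[3] and action in g[2]

def demo():
    now = 1_700_000_000  # constructed timestamp
    cookies, grants = CookieSessions(), TokenGrants()
    cookie = cookies.login("alice", now)
    token = grants.authorize("alice", "logger_app", {"read_location"}, DAY, now)
    out = {
        "cookie_unlock_day_89": cookies.allowed(cookie, "unlock_doors", now + 89 * DAY),
        "token_read": grants.allowed(token, "read_location", now + 60),
        "token_unlock": grants.allowed(token, "unlock_doors", now + 60),
        "token_after_expiry": grants.allowed(token, "read_location", now + 2 * DAY),
    }
    fresh = grants.authorize("alice", "logger_app", {"read_location"}, DAY, now)
    grants.revoke("alice", "logger_app")  # the user withdraws the app's access
    out["token_after_revoke"] = grants.allowed(fresh, "read_location", now + 60)
    return out
```
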