
New app to connect to your Tesla

It is unfortunate that the Tesla API will only give access to all or none of the functionality. It would be much better if you could restrict the access an app has so it can only access certain parts of the data (e.g. not real time location) and not access remote controls (e.g. lock/unlock, summon, climate controls, etc). The exact restrictions should be configurable (by the owner) for each app.

Tesla might be better than other car manufacturers in terms of security, but they are by no means keeping up with the latest security standards.

Also another thing to consider: You might trust the app developer. However, if his app is installed and connected to many cars, it is a somewhat tempting target. Do you trust the developer's computer which he builds (and digitally signs) the software on? Do you know what security practices the developer uses on their computer? Do they use the same computer to open untrusted emails, play untrusted games on, visit porn websites, etc?

While the above is somewhat outside Tesla's scope on what they can do/control (hopefully Tesla have secure practices for developing their apps), if there were restrictions on what the app could do, the damage would be limited. e.g. it wouldn't be possible for a Trojan-app to send a command "unlock doors" to every car it is linked to, because this command would be restricted.
 
> It is unfortunate that the Tesla API will only give access to all or none of the functionality. It would be much better if you could restrict the access an app has so it can only access certain parts of the data (e.g. not real time location) and not access remote controls (e.g. lock/unlock, summon, climate controls, etc). The exact restrictions should be configurable (by the owner) for each app.

I don't disagree with anything said above. I just want to mention that, as far as I know, there is no official Tesla software API. What is out there is some unofficial documentation of the REST points that people sniffed through the network. It would be simple for Tesla to hide/encrypt the network traffic and not allow this info to be public. They chose not to do it and this is why you see all these apps being able to read data and/or control your Tesla.

It would be nice for Tesla to offer an official API but then they would have to support it and that would create other issues.
 
Brian May - interesting reading your post. One thing which has been niggling in the back of my mind for some time.

Firstly I've got no issue with Tesla or what they are doing. However Tesla have full access to our cars. I'm not concerned about people knowing where I go or what I do - I'm sure they have more interesting things to think about. But the AP side of it has had me thinking - firstly when the car is using AP and we take control back by moving the steering wheel / disengaging - is this software or hardware based? Plus is there the ability to make the car turn suddenly through remote access I wonder. Through no fault of Tesla's if someone within their organisation or external became vindictive or maybe wanted to cause damage, and was able to take control of a vehicle, that concerns me. And as self driving becomes more prevalent amongst manufacturers and cars are all online, I can't see how something like this won't happen unless there is some pretty strong security put in place (maybe legislative?). To me this is a big worry being in the I.T. security area and seeing how easy it is for those to gain access to systems with plenty of time and who really want to...
 
I have not seen any indication it is possible to control steering, acceleration, or brakes remotely - except via summon feature which I expect to be very restricted. You can only do operations that the API allows you to do, and I very much doubt the above would be covered. It might be very disconcerting however if you are driving in a difficult situation and the horn suddenly starts sounding.

The API might be unofficial, but if a car does get stolen, the fact the password was stolen via an unofficial Trojan app would be very hard to prove, and even if it could be proven it is still likely to taint Tesla's reputation.

Of course, there might be an easier way to unlock - if not steal a Tesla - ring up Tesla and claim you lost your key fob and phone and ask them to remote unlock it for you. Classic social engineering attack. You most likely will need to confirm the owner's name and birth date. In my case, not exactly secret. There might be other details they ask - I won't speculate here. I imagine it wouldn't be too hard to find details in advance. Or claim that you lost this information or don't have it handy.

Which also raises the point that it would appear that Tesla call staff have somewhat broad access to any car. Hope they can be trusted.