e-FTW
New electron smell
Did anyone report this to Tesla? This is a big deal, and easy to deploy.
Someone will get their car stolen/messed with.
Someone will get their car stolen/messed with.
-
Want to remove ads? Register an account and login to see fewer ads, and become a Supporting Member to remove almost all ads.
This is a new instance of old news, and is not Tesla specific problem.
It was hashed back then circled all around and the answer is ...drum roll... for Tesla to add 2 factor for Tesla credentials.
Tesla did not do it then and probably won't now for the login credential...
BUT
Tesla has recently added a new security control (console -> settings) which will enforce "car open" commands must come from the fob nearby with a double press. The fob's mere presence is no longer good enough. (Goodbye auto-present handles.)
So this is a 2nd factor: something you have, but also an "active factor" as well: something you must do with it. Of course, this kills the nifty auto-present door handle feature but is the price you pay (loss of convenience) in the name of security.
This new feature also kills the remote repeater fob sniffer attacks... because sniffing the fob is no longer good enough, the fob must emit a double press to open the doors. Cha-ching! Good one Tesla. But only if the user selects this feature, otherwise it's good ol' free entry with a handle touch.
It was hashed back then circled all around and the answer is ...drum roll... for Tesla to add 2 factor for Tesla credentials.
Tesla did not do it then and probably won't now for the login credential...
BUT
Tesla has recently added a new security control (console -> settings) which will enforce "car open" commands must come from the fob nearby with a double press. The fob's mere presence is no longer good enough. (Goodbye auto-present handles.)
So this is a 2nd factor: something you have, but also an "active factor" as well: something you must do with it. Of course, this kills the nifty auto-present door handle feature but is the price you pay (loss of convenience) in the name of security.
This new feature also kills the remote repeater fob sniffer attacks... because sniffing the fob is no longer good enough, the fob must emit a double press to open the doors. Cha-ching! Good one Tesla. But only if the user selects this feature, otherwise it's good ol' free entry with a handle touch.
Last edited:
this is the correct answer, beware of using public hot spots that you may stumble upon
as for auto present, as noted in the thread about the 13 car broken into near SF, I would rather give easy access to thieves, I keep nothing of value in the car and if they want in they will get in either by this sniffer attack or low tech smashing glass to get in, so I'd rather spare the troubles and expense of repairing glass and let them open the door. if the car is actually stolen, that's why I carry insurance.
Sir Guacamolaf
The good kind of fat
As far as vpns, yeah they keep you safe beyond the current network you are on.
But in that wifi subnet it is only your firewall protecting you.
Long story short, the only security is to not connect. If you must connect, ensure your firewall is not comprised, and you always enter credentials on https without cert warnings, and start vpn when you connect.
Did you know macs are shipped with firewall turned off? Even today.
But in that wifi subnet it is only your firewall protecting you.
Long story short, the only security is to not connect. If you must connect, ensure your firewall is not comprised, and you always enter credentials on https without cert warnings, and start vpn when you connect.
Did you know macs are shipped with firewall turned off? Even today.
e-FTW
New electron smell
Was thinking Tesla should be made aware just so they get more pressure on them to enforce two-factor authentication.
And anyone with a wireless device can check signal strength, locate the source of the malicious network, and you know... ummm... report it.
And anyone with a wireless device can check signal strength, locate the source of the malicious network, and you know... ummm... report it.
e-FTW
New electron smell
My money is on the Petsmart, as little else is within regular WiFi range. Some employee could have hidden a rogue wireless access point there to try and capture Tesla credentials.
Again, Tesla does NOT provide WiFi from Supercharger stalls. They do at Service Centers.
FutureShock
Best Coast Denizen
This is very good to know. Will keep my guard up, once I become a Tesla-ite (Teslanian?).
.
Canuck
Well-Known Member
I couldn't figure out what someone would want with Tesla credentials until someone posted that many people use the same passwords so I guess once they have that they can go to paypal, amazon, etc and do some damage. I use a different and complex password for my Tesla password since when I first got my vehicle there was talk about the app being used to run people off cliffs and stuff, which sounds ridiculous, but to us non-techies better safe than sorry was my view, especially with all the angry shorts out there. If they crashed every Tesla on the same day their short position would certainly pay off. I didn't even log into Visible Tesla because I was concerned that some private individual having a ton of login credentials and even though I am certain he is a fine and upstanding person, what if he gets hacked? But I now use VT and it's a great program.
What about Google Chrome? Do you enter your passwords manually every time? If not, it remembers them all and I often go into Password Manager in Chrome to find my passwords when I forget them.
What about Google Chrome? Do you enter your passwords manually every time? If not, it remembers them all and I often go into Password Manager in Chrome to find my passwords when I forget them.
rxlawdude
Active Member
That's an interesting question, as Chrome clearly stores this in the cloud so that all devices have access to the passwords. I suppose hacking one's Google account could reveal all passwords.
Are you sure you're talking about Visible Tesla? It's an open-source application that runs on your hardware, not a service that needs to store your credentials.
As far as password managers go, they're not all created equal(ly). I've found that 1Password works well for what I need, based in part on reading a lot of their published documentation on how their system works. Other people with different needs might choose something different, which works better for them.
Bruce.
Canuck
Well-Known Member
No, I'm not sure I even know what I'm talking about. I only know that when I have to enter my credentials on a site other than Tesla's it seems to me they have them. Whether they store it or not, I have no idea. Plus, I've read posts like this here:
Simple Log environment
But I will defer to others when it comes to this kind of stuff since it's beyond my knowledge.
Sir Guacamolaf
The good kind of fat
Enable 2 factor auth on your google account, and then you are reasonably safe. Of course if they are able to get admin access to your laptop, you are screwed. However, imagine this -
- If you don't have 2fa
- They present a fake sign on page, and yes this can be https with an international URL to fool most users. (so instead of google.com it'd be g0ogle.com .. substitute the 0 for any unicode character that looks close enough, and they get a valid https cert for that fake URL).
- The page has logic to send whatever you type without you hitting submit.
- You casually enter the password, hit submit - they say "incorrect password" and redirect you to google.
- But by now they have your password.
Long story short, if password is your last line of defense .. you are doing it wrong!! Passwords are very easy to get around. Even 2fa auth that depends on an SMS message is incredibly easy to crack. They can easily spoof your phone and hijack your messages. You need 2fa auth with the google authenticator app, or something similar.
Now only if most banks understood this we'd be ok!
VisibleTesla runs on your computer. Yes you enter a username and password into it, but that never leaves your hardware which, theoretically is under your control. Moreover, if you so desire, the source code for VisibleTesla is available for you to look at, so you can verify that there are no backdoors or other nefarious code hiding in there. I am not suggesting that you need to do this, in fact I didn't for the time I used it. But some people (including me) place more trust in computers that are under their physical and logical control.
Some of the Web-based services ask for a username and password and store them, so that they can regenerate authentication tokens (these give access to your MyTesla information for a certain period of time...6 weeks?). You mentioned TeslaFi earlier. TeslaFi does this nicely in that it can generate an authentication token for you (if you give it a username and password, although it supposedly doesn't store the username/password beyond what's necessary to generate the token) or if you give it the token directly it can just use that. I'm not sure what other programs do.
I acknowledge some of this is difficult to think about if you don't have a background in information security or haven't had to think seriously about it. I'm lucky enough to have learned what little I know from some very smart people around me. We as an industry have a long way to go towards making it possible for "ordinary folks" to think about computer security and make rational decisions.
(And I'm very sorry for having gone off on this long tangent.)
Another thought to get on track: If Fountain Valley was in my 'hood, and I had first-hand confirmation of this, I'd: 1) try to report this to Tesla's security team (I know they mostly deal with product security but might have some opinion about it), 2) think about putting a sign next to the Supercharger warning people about this, 3) take a laptop with some WiFi analyzer software to try to find the rogue AP.
Bruce.
rxlawdude
Active Member
Please explain exactly how a cracker/hacker would be able to spoof my phone without knowing the number. Besides, spoofing only works for outbound calling from the "spoofed" number. Calls to the "spoofed" number go to the rightful owner's phone.
tizio
Member
Yes, it's phishing. Remember, with those credentials you can steal the car. All a thief has to do is set up a Wifi Pineapple with a TracPhone for internet access and harvest digital keys to peoples' cars. Then they can just drive it into a box truck or chop shop. By the time you come back from the outlet mall, your ride is gone. A prepared thief would know to pull the 12v battery and a couple fuses--suddenly the vehicle is no longer trackable online. Next thing you know, the wheels turn up in Norway and the glass is in Ukraine.
tizio
Member
SMS 2FA is mediocre at best. If someone was targeting you specifically (to, say, steal your $100K car) they wouldn't have to work hard to figure out your cell number and likely answers to your most common security questions. Then they just call your cel provider (not hard to figure out either) and pretend they are you and that you just got a new phone. By the time you realize your phone doesn't work anymore, they are in your Gmail, Tesla, PayPal, Bank, retirement, etc accounts.
Sorry to spread a bunch of FUD, but as a web security professional, I know you have to be on your toes.
View media item 117237
Last edited:
rxlawdude
Active Member
I'm thinking that's more FUD than fact. Again, explain how the hacker/cracker will have the "likely answers to my security questions."
tizio
Member
Your mother's maiden name can be found with a free account on any number of people search sites once someone knows your name and any city you've ever lived in. Birthdays, spouse info, degrees, anniversaries, your school history, and any number of related facts can be deduced by social media and public records searches. You don't even have to have much public info out there. If you have a Twitter account with three followers, there's a good chance one of those three is a close friend or relative and you can work backwards through their online presence.
I highly recommend reading Kevin Roose's piece from last year if you want a sense of just how easy it is for attackers once they target you specifically:
http://splinternews.com/i-dared-two-expert-hackers-to-destroy-my-life-heres-wh-1793854995
Regarding security questions, it's better to use an algorithmic approach to answer each question uniquely. A good example of an algorithmic answer would be to spell the first and last words of the question backwards. Just be sure to keep that algorithm a secret.
Last edited:
rxlawdude
Active Member
So let's see. No public presence on social media. Everyone that can fog a mirror knows that mother's maiden name is not a sufficient security question. I really don't think anyone (no matter how determined) could find the names of primary and secondary schools I went to back in the 1950s and 1960s.
I'll tell you a secret: the "core" of my password schema (modified for each site) are the license plates from my first two cars. There's NFW anyone (except a time traveler) would know those, so I'm not worried about being hacked.
But you are right that it's best to be ridiculed for being paranoid than pitied for having your bank account emptied.
I'll tell you a secret: the "core" of my password schema (modified for each site) are the license plates from my first two cars. There's NFW anyone (except a time traveler) would know those, so I'm not worried about being hacked.
But you are right that it's best to be ridiculed for being paranoid than pitied for having your bank account emptied.
Could probably do "what is my ip" on google. It would be equally likely to be someone's hotspot.
A traceroute to a few places would be even better.
Similar threads
