PSA: Don't use third-party apps and services, period.

[vogz]

You do understand the apps use the Tesla authentication that provides full access to the car to unlock, drive, etc right?

Therefore, your "access to data" statement is not sufficient, it should be "access to my car in all ways/methods including controlling all aspects of the car available remotely",



Ok, so you do understand that you have provided a third party full access to drive away your car, but you've additionally added PIN to drive (which many owners do not).

The point was made many times upthread, full access is the current situation. IF these user/passwords were to leak from this trusted third party, there is no practical way to prevent wide spread use of these authenticated access until the authentication tokens are invalidated by Tesla.

Since we are purely dealing in rather unlikely hypotheticals (that my data would be stolen and then someone would access my car IN PERSON when I'm not at home or at work), I guess I'll just say that's why I have insurance.

The far more likely scenario is that someone clones my BLE key while I'm actually unlocking my car with my phone, or someone straight smashes out the window to gain access. Either way, that's why I activated the pin-to-drive. Even with the key, they aren't stealing it unless it's a car-jacking situation which is also probably more likely that the hypothetical that you are positing.

We all decide the level of risk we are comfortable with in any situation. If Teslas were being accessed through stolen tokens, then I might reconsider my position. Until then I'm not going to go all chicken little about it and I'll sleep fine at night while my car is safely in my alarmed garage.

 

[vogz]

As an analogy: if you're okay with giving a third-party app your Tesla credentials, that is analagous to saying "well my house has smart locks, cameras, an alarm system, and a terminal where I can pay my electric bill without logging into anything. I am okay giving access to all of that to a third party.

There's a reason there was a collective "are you kidding?!" from the Internet when Amazon proffered the idea of "we'll give you a smart-lock if you let our underpaid subcontractors get access to your house to make deliveries indoors. oh, and we're not responsible if anything is lost or stolen"

Any Smarthome system that can integrate devices from differences like Google Assistant is basically exactly that. In that case Google would be the "Third party".

Your Amazon example is silly. Giving package delivery drivers access to the inside of your home as part of their job is completely different than using a third party app to control your car. For one, most here don't live in their cars and there is no part of any Tesla third party app that coordinates access to your vehicle by some subcontractor for some "service".

 

[SDRick]

This is pretty much a nonissue and will remain so until it becomes an issue.
Then once it becomes an issue it will be addressed.

 

[DopeGhoti]

This is pretty much a nonissue and will remain so until it becomes an issue.
Then once it becomes an issue it will be addressed.

"No one has ever come into my house uninvited and taken anything that belongs to me. Once it becomes an issue, I'll start locking my door."

 

[SDRick]

"No one has ever come into my house uninvited and taken anything that belongs to me. Once it becomes an issue, I'll start locking my door."

Exactly, that's how things evolve. In general, people are complacent. A good portion of my life was lived in a relatively safe place and the doors were unlocked. Once things changed (I moved) I addressed the new vulnerability by locking my doors.

Until Tesla's commonly get stolen through the users credentials this will remain off the radar of most owners.

 

[Sir Sceptalot]

Hopefully it's not too frowned upon to revive a thread like this, but has there been any change in this situation? Has Tesla given any news on providing safer support for third party apps or services?

I'd love to start using abetterrouteplanner in the car since Tesla's navigation isn't improving, but I'm still not too sure about the whole safety aspect.
Also, have there actually been cases of this being abused in any way?

 

[drtimhill]

Hopefully it's not too frowned upon to revive a thread like this, but has there been any change in this situation? Has Tesla given any news on providing safer support for third party apps or services?

I'd love to start using abetterrouteplanner in the car since Tesla's navigation isn't improving, but I'm still not too sure about the whole safety aspect.
Also, have there actually been cases of this being abused in any way?

If they can log into your account, they can order a car in your name and using your CC. Is that enough to worry you?

 

[DrDabbles]

If they can log into your account, they can order a car in your name and using your CC. Is that enough to worry you?

Overstating the problem by quite a bit.

 

[goRt]

If they can log into your account, they can order a car in your name and using your CC. Is that enough to worry you?

You mean pay the refundable deposit

 

[DrDabbles]

You mean pay the refundable deposit

They can certainly pay the deposit for you, that's for sure. But they'll need to use their own payment information since Tesla seems to be PCI compliant and doesn't just allow you to order things online without providing card info.

 

[drtimhill]

You mean pay the refundable deposit

Come now you get the point .. they can also order parts and accessories, charge them, and ship them to a random pickup point. The point is, you should be VERY careful with any set of credentials that give access to any financial instruments.

 

[daniel]

I would have thought that it would be obvious that you should never give a third party access to any on-line account that has any of your personal information, and especially not one that has your credit card.

I'd love to start using abetterrouteplanner in the car since Tesla's navigation isn't improving, but I'm still not too sure about the whole safety aspect.

Why not just use an app on your phone that does not access your Tesla account?

 

[drtimhill]

I would have thought that it would be obvious that you should never give a third party access to any on-line account that has any of your personal information, and especially not one that has your credit card.



Why not just use an app on your phone that does not access your Tesla account?

Because ABRP can use the actual data from your car very effectively to improve its route planning. It's a legitimate use, and a good service, but it has its risks as the earlier poster noted.

 

[daniel]

Because ABRP can use the actual data from your car very effectively to improve its route planning. It's a legitimate use, and a good service, but it has its risks as the earlier poster noted.

What data from the car would affect route planning? When to stop at a supercharger, I suppose. But I cannot imagine planning a trip that cuts charger stops so close to empty that real-time data from the car would make a difference. But then I only took one long road trip in my Model 3 before deciding to move to an island in the middle of the Pacific ocean where there aren't any long trips you can take.

For that matter, I didn't know that real-time data was available from your account.

 

[drtimhill]

What data from the car would affect route planning? When to stop at a supercharger, I suppose. But I cannot imagine planning a trip that cuts charger stops so close to empty that real-time data from the car would make a difference. But then I only took one long road trip in my Model 3 before deciding to move to an island in the middle of the Pacific ocean where there aren't any long trips you can take.

For that matter, I didn't know that real-time data was available from your account.

Mostly it uses your actual Whr/mile etc to better predict SoC and increase accuracy of routing to superchargers when planning. This is not real-time data, just historical driving, so it can get some insights into your driving patterns.

 

[goRt]

Come now you get the point .. they can also order parts and accessories, charge them, and ship them to a random pickup point. The point is, you should be VERY careful with any set of credentials that give access to any financial instruments.

Doesn't MFA stop that?

 

[DrDabbles]

I don't understand why you're lying about this? The token generated for vehicle API access DOES NOT authenticate for the online store. And you aren't giving these services your user/pass, you're giving them a token that Tesla generates, that allows them to access the API as well as request refreshes on the token.

Putting that aside, if you're worried about them logging your user/pass, then enable MFA. Like. You're vastly overblowing the risk here. The actual risk you should be concerned about is the tracking possibilities of your vehicle, and if you allow a token to be generated that can access controls for your vehicle, then the operator of those sites or anybody dumping unencrypted tokens could find your car, open it, start it, and drive away with it. Your $45k+ Tesla is wort way more than your credit card.

 

[daniel]

Mostly it uses your actual Whr/mile etc to better predict SoC and increase accuracy of routing to superchargers when planning. This is not real-time data, just historical driving, so it can get some insights into your driving patterns.

So if it's just using historical data, not real-time, then the same functionality could be had by just inputting that data at the time of route planning. Sounds like the app provides minimal convenience. (I will admit to using apps that are just fun, not even providing convenience, but I don't give them access to websites with personal information.)

 

[DrDabbles]

So if it's just using historical data, not real-time, then the same functionality could be had by just inputting that data at the time of route planning. Sounds like the app provides minimal convenience. (I will admit to using apps that are just fun, not even providing convenience, but I don't give them access to websites with personal information.)

Well, except for the fact that it accounts for weather and conditions changes, as well as your running consumption, not just your historical consumption, and it will re-route you. You could bother to look up the features rather than engaging in conjecture.

 

[daniel]

Well, except for the fact that it accounts for weather and conditions changes, as well as your running consumption, not just your historical consumption, and it will re-route you. You could bother to look up the features rather than engaging in conjecture.

It's more fun to make fun of an app I have no use for myself. I could drive all the way around the island on one charge if there were a coastal road all the way around. And still, if running consumption requires a re-route, I'd say you cut it way too fine in your original route plan.