
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so

    Votes: 172 41.0%
  • I used to use them, but now I will probably stop (and change my password!)

    Votes: 34 8.1%
  • Will use them at some point in the future, despite non-ideal circumstances

    Votes: 11 2.6%
  • Never used 'em, won't use them until Tesla supports them better

    Votes: 95 22.6%
  • Never used 'em, never will

    Votes: 108 25.7%

  • Total voters: 420
In general, for best practice, such tools should be configured so that either they can only be accessed at all from within your LAN (i.e. from your physical domicile), or if you want to access it remotely, either via a VPN (which effectively puts you inside your LAN) or through another layer of authentication under your control; even something as simple as an Apache proxy demanding Basic HTTP Authentication (preferably via HTTPS). The above-linked case of zillions of people's cars being exposed and potentially compromised was, if I recall, a bunch of people installing the otherwise excellent TeslaMate and opening access to the wider internet with no such restrictions.
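An added example of the "Apache proxy demanding Basic HTTP Authentication via HTTPS" setup the post above describes. This is not code from the post, from TeslaMate or from its documentation; the hostname, certificate paths, the 127.0.0.1:4000 upstream and the LAN/VPN address ranges are assumptions for illustration. The plaintext vhost only redirects, so a Basic credential is never sent over HTTP, and the `Require ip` line adds the LAN-or-VPN restriction on top of the password.

```apache
# Added example, not from the original post. Needs mod_ssl, mod_proxy,
# mod_proxy_http, mod_auth_basic, mod_authn_file, mod_authz_core and
# mod_headers. Hostnames, paths and address ranges below are assumptions.

<VirtualHost *:80>
    ServerName teslamate.example.org
    # Never serve the dashboard (or accept a Basic credential) in plaintext.
    Redirect permanent / https://teslamate.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName teslamate.example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/teslamate.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/teslamate.example.org/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"

    # The dashboard itself must listen on loopback only; if it also listens
    # on 0.0.0.0:4000, anyone who knows the port walks straight past this proxy.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:4000/
    ProxyPassReverse / http://127.0.0.1:4000/

    <Location "/">
        AuthType Basic
        AuthName "Private dashboard"
        AuthUserFile /etc/apache2/teslamate.htpasswd
        # Require BOTH a valid credential AND a LAN or VPN source address.
        # Delete the "Require ip" line for password-only access from anywhere.
        <RequireAll>
            Require valid-user
            Require ip 192.168.1.0/24 10.8.0.0/24
        </RequireAll>
    </Location>
</VirtualHost>
```

Create the password file with a bcrypt hash (`htpasswd -B -c /etc/apache2/teslamate.htpasswd yourname`) rather than the default, weaker hash, and confirm with `ss -ltnp` that the upstream really is bound to 127.0.0.1 before exposing port 443.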
 
I have always defended a laissez-faire attitude about people getting your Tesla credentials, but others have come at me with eventualities like being able to find your home via the Tesla's GPS, being able to unlock your Tesla and start it such that they could drive it away when you are not looking. They even suggest that they could open your garage via the Tesla and steal your valuables.

My argument is, if your Tesla is home to open your garage, so are you. If they steal your car, you can track it or have Tesla find it for you as the registered owner. Even if they do get your credentials, they are in Bangladesh and you are in Alaska, is it worth their time to come and get it? And is it really that hard to change your credentials if you realize you let them slip?

Of course my car looks like this, so not as easy to steal w/o someone noticing:

 
Can anyone provide examples of disastrous consequences relating to third-party apps and Tesla?
Tesla did a forced password reset on tens of thousands of cars not long ago. They didn't say why, but just like passwords getting leaked on the internet/dark web, you don't get a massive sudden impact.

The impact might be cars randomly being broken into, or stolen for parts-breaking (which is what typically happens in Europe at least); once the cars are being driven they can block the mobile connectivity so they can't be tracked.

MFA and P2D don't stop remote start, and even 'allow remote start' being turned off in the car doesn't prevent 'remote start', because Tesla don't have any security on it being turned back on.

So I'm not sure we'd ever hear of a significant event like '10k Teslas stolen overnight', but we are likely to see the cleanup activity, and that's been seen a few times.
 

Sounds like the password reset was a Tesla problem not a third-party app problem? No matter the technology, vehicles are always vulnerable to thieves and malcontents.

If third-party apps are so risky, I would think we would see more evidence of problems here on the forum.

Are there any links you can provide?
 
Your post suggests you fail to understand the nature of 3rd party access, tokens and how to force expiry of them.

If a 3rd party app is compromised and the details of many cars fall into the wrong hands, Tesla can save owners from the situation by forcing the expiry of all existing tokens via a password reset. As the 3rd party apps spoof the Tesla app, there's no way to know which is which, so Tesla have to force the expiry of their own app's access as well as 3rd party access, hence everyone getting logged out of the app and needing to either log back in and/or change the password. It's nothing to do with Tesla having a problem; it's Tesla cleaning up the problem on behalf of the car owners.

Here’s one example of news which illustrates it may have happened


If someone gets hold of your token it is the direct equivalent of giving someone your car key, your pin code and a map to show where the car is parked. If you’d feel uncomfortable if that happened then be wary.
 
George, you can spin it however you wish.

Owning a computer exposes one to a much higher risk of being hacked with thousands or millions of documented cases, yet we still use computers. Yes, using third-party apps, or driving a Tesla in general may increase your risks to hacking. Owning a car and driving is also a risk people are willing to take even though there is statistically significant injury and death.

Yes, theoretically lots of bad things can happen using electronic access, but tell me the odds? "Theoretically" is not how most make their decisions or spend their daily lives.

In reality, this is a nonissue in comparison to other risks owning a Tesla or other risks in life. Most are willing to take this risk especially in light of few if any problems reported in millions of posts on this site.
 
Once you give your token to someone, your risk is linked to their security, not just your own. Many of the 3rd party apps are built by hobbyist developers in a spare room; just try looking at their privacy information, where they are located, or even how you can contact them.

I find it ironic that my stance is 'do what you want, just be aware of the risks' and your stance is that even that is unreasonable. I don't understand why you feel the need to dismiss the potential risks; I don't particularly care. We'll agree to disagree and allow anyone reading the thread to form their own opinion on which is reasonable.
 

If you stated that your stance is "do what you want, just be aware of the risks" we are in total alignment. Perhaps I missed this statement or conflated your opinion(s) with the title of this thread "Don't use third-party apps and services, period."

You say you don't understand why "I feel the need to dismiss the potential risks". For me, risk is dismissed when the level or probability of the risk occurring is de minimis. Since I have yet to see evidence, the risk is currently slim to none. You ask me to be aware of the risks (I am) and I asked you what the odds are. You have not answered. Can you at least give me a ballpark?

My level of risk tolerance to third-party apps may change once you or someone shows me verified actual cases.
 
At the time of the original post in this thread and its ancestors, the only way these Tesla API-driven apps and services could work was by storing your literal, actual Tesla account credentials. This means that at the time, if you were using TeslaFi, TeslaMate, or any of the (admittedly spiffy) homebrew Tesla mobile applications, whomsoever was hosting the tool had literal, actual access to your Tesla credential. This could be used to locate your car, and turn it on to allow someone to drive off with it. It also could be used to purchase things, including e.g. a keychain, but not limited to that: even starting the process of purchasing a car from the Tesla web site.

Being able to generate an API key is a relatively new development and does mitigate -- but not eliminate -- the risks inherent in using such tools.
 
It actually is the same: either Username and Password or a Key, both can be used to get into the API equally, nothing particularly secure about either. But if you have a successful app that many people are using, and you want to be a success, you don't take advantage of your position. Just like banks don't take people's money; bad for business.
 
A token in some respects is worse than a username and password now that we have MFA. The latter are pretty much useless with MFA enabled.

The risk isn't so much the 3rd party, it's their security. Most of them are one-man operations: do they invest in pen testing, security audits, or run a bounty scheme for weaknesses to be reported? Take one of the largest, TeslaFi: they could be being attacked all the time, and every code change and release they make could introduce a weakness.

And the argument "where's the evidence" doesn't really wash. There are thousands of examples of IT security failures; I've posted a link to an article where Tesla forced password changes, and what's more, IT security is dealt with in private where it can be. No organisation comes out and voluntarily says 'I've had an issue'.

Everyone assesses risk differently and has a different threshold for what's acceptable. Many are overweight, or drink, or smoke, or don't do enough exercise even though there's a risk that will shorten their life; others are more careful. Neither is wrong as such.

I'm happy running TeslaMate on a home server; my instance would need to be hacked to get my details, but they wouldn't even know my IP address to start with. If TeslaFi gets breached and 50k cars are available, their details are known and the prize is lots of car details; that makes them considerably more of a risk than my setup.
 
You could always develop an app or service that takes the token as an input. Of course, users shouldn't trust that you aren't storing said token, but if you publish the source code then more technical people could host their own web app/build their own app.
I've considered creating my own web app using blazor or something like that, would just put it in github so everyone could use it. I use 1pass so it wouldn't be a problem to store a token for re-use (or you could put it into a config file if you have a personal amazon/google/azure/whatevs subscription).

Without a good authorization implementation by Tesla you can never build an app or host a web site that other people can trust.
I developed an app to control the car from the smartwatch and I ask for the token, then save it encrypted locally. Did this because as said before, giving credentials to others is a very risky idea. Anyone can use a Fiddler proxy and test my claims. And after that, I hope people will think before giving access to the car or even worse, to their account!
 
Not the same: the account credentials give access to all cars and charging history and payment options and so on; a token gives access to less than that.
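The posts above make three related points: a stolen token is a bearer credential that MFA does nothing to protect, a token can be narrower than the account password, and the only way the thread describes tokens being invalidated is Tesla forcing a password reset. The added example below is written for this thread; it is not code from Tesla, TeslaMate, TeslaFi or any app named here. It assumes the token is a JWS compact token (three base64url parts) signed with HS256 under a key the verifier holds; the claim names `scp`/`exp`/`sub`, the scope names and the signing key are constructed placeholders, not a description of Tesla's actual token format. `inspect_token` is the check to run on a token before pasting it into someone else's app (what it grants and for how long); `verify_token` is what a relying party must do, and it shows why revocation is invisible from the token itself.

```python
"""Added example for this thread, not code from Tesla or any third-party app.
Assumes an HS256-signed JWS token; claim and scope names are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder scopes: the ones this example treats as enough
# to locate a car and drive off with it. Not Tesla's scope names.
HIGH_IMPACT_SCOPES = {"vehicle_cmds", "vehicle_location"}
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build an HS256-signed token so the example runs offline (constructed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def inspect_token(token: str, now: Optional[float] = None) -> dict:
    """What does this token let its holder do, and for how long?

    Reads the claims WITHOUT verifying the signature. That is fine for
    inspecting a token you already hold before handing it to an app, but
    unverified claims must never drive an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    claims = json.loads(_unb64url(parts[1]))
    now = time.time() if now is None else now
    scopes = claims.get("scp", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "scopes": sorted(scopes),
        "high_impact": sorted(HIGH_IMPACT_SCOPES & set(scopes)),
        "expired": exp is not None and exp <= now,
        "seconds_left": None if exp is None else max(0, int(exp - now)),
    }


def verify_token(token: str, key: bytes = SAMPLE_KEY, now: Optional[float] = None) -> dict:
    """Accept only a correctly signed, unexpired HS256 token; return its claims.

    Pins the algorithm (so alg=none or a swapped algorithm is rejected) and
    compares signatures in constant time. Note what this cannot see: a token
    the issuer has revoked server-side (the thread describes a forced password
    reset doing this) still passes here, because revocation is not recorded in
    the token. Whoever holds an unexpired token holds the key until then."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    header = json.loads(_unb64url(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(parts[1]))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or no expiry")
    return claims


if __name__ == "__main__":
    # Constructed sample: a broad, long-lived token of the kind an owner
    # might paste into a hobbyist dashboard.
    issued = int(time.time())
    tok = mint_token({"sub": "owner-1", "scp": ["vehicle_cmds", "vehicle_location", "user_data"],
                      "iat": issued, "exp": issued + 30 * 86400})
    print(json.dumps(inspect_token(tok), indent=2))
    print("verified subject:", verify_token(tok)["sub"])
```

If `inspect_token` reports `high_impact` scopes and weeks of `seconds_left`, the token is, in the earlier poster's words, a car key plus PIN plus map for as long as it lives, regardless of MFA on the account. Prefer a token that carries only the scopes the app needs and a short lifetime, and assume that after any hint of a breach the only fix is the issuer-side invalidation the thread describes.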
 
Since I have an Android phone, I'm careful about what apps I download anyway. (It's easier for me to use an Android phone than an iPhone. I like having a headphone jack since earbuds do NOT stay in my ears.) The only really personal data I have on it anyway is the Tesla official app (and the car is registered in my mom's name anyway, I'm just an insured driver on it) and my pictures. I don't use my phone for my entire life like others do.
 