
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so: 172 votes (41.0%)
  • I used to use them, but now I will probably stop (and change my password!): 34 votes (8.1%)
  • Will use them at some point in the future, despite non-ideal circumstances: 11 votes (2.6%)
  • Never used 'em, won't use them until Tesla supports them better: 95 votes (22.6%)
  • Never used 'em, never will: 108 votes (25.7%)

  Total voters: 420
That’s shocking.

When we took our car in for service last month we were not asked for that information. I wonder what explains the disparate practices?
My car's been in for service every month since August, next appointment is 11th of December. 4 of these times one of the issues has been that I can't wake the car with the app. They are really struggling to reproduce and debug it, even with dozens of timestamps, pictures and video of the car having no connection. Last time I think they set up a phone with my credentials.
They shouldn't have to, I've had roadside assistance on the phone once, and they couldn't connect either. Don't know if the technicians are able to use the same systems as roadside assistance, though.
 
Thanks for the post. I'm relatively new to Tesla and this information is invaluable.

I currently use Stats app, and due to my highly variable schedule the pre-conditioning feature is very useful. Auto-lock has also saved me on a few occasions where Tesla failed to lock the car on walk away (now I know to wait for the mirrors to fold).

Is there any way to (effectively) reach Tesla with this feedback?
 
IMHO.....there is no app ( other than Tesla's ) worth the data risk.

In these days of data breaches and identity thefts.....it just isn't worth the risk to me.


BTW.....I just hacked myself on the CAN bus while authenticating entry to my car using my Android phone. I see the data, however I will have to play with it to properly encrypt it.

I captured the data off of the CAN bus and then re-sent the data, however it didn't open the car.
 
My car's been in for service every month since August, next appointment is 11th of December. 4 of these times one of the issues has been that I can't wake the car with the app. They are really struggling to reproduce and debug it, even with dozens of timestamps, pictures and video of the car having no connection. Last time I think they set up a phone with my credentials.
They shouldn't have to, I've had roadside assistance on the phone once, and they couldn't connect either. Don't know if the technicians are able to use the same systems as roadside assistance, though.
Idk if it’s similar but I find if I park just far enough away from my house, car will pick up the wifi and lock on to wifi, but not have a strong enough wifi signal to do anything. The result is that I can’t wake or do anything to my car while it’s parked there until I go in the car and manually disable the wifi.
 
It would not be very difficult for Tesla to set up their website as an OAuth2 provider (like Facebook, Google, LinkedIn etc etc), and provide the tokens to the services.

You then only log in to Tesla, and authorise distribution of a token to a third-party app. The third party then doesn't get the password. Only the token.

Requires some work on the part of Tesla IT, and some UI to monitor permissions/revoke permissions etc.
 
Kinda related to this. When I last had my car in for service, they needed to verify that I couldn't wake it with my app.
The guy at the service center said I had to send them my username and password by SMS, to a customer support number that stores that information in clear text, available to all Tesla employees (at least all Tesla employees that can see my service history).

Needless to say I changed my password after the service appointment.

That is shocking and unacceptable, and above all unnecessary. I'd be writing to Corporate if this was asked of me. Service centres already have the ability to put the car into Service Mode, which locks out most API-based access. Tesla should never ask you for your password other than when you are personally actually logging into the app or web site. Ever.

Any comments regarding the free, hosted on your own computer, Teslamate?

I use it, and love it. I've also reviewed the source code and at no point does it send anything anywhere other than the Docker container in which it runs.
 
Kinda related to this. When I last had my car in for service, they needed to verify that I couldn't wake it with my app.
The guy at the service center said I had to send them my username and password by SMS, to a customer support number that stores that information in clear text, available to all Tesla employees (at least all Tesla employees that can see my service history).

Needless to say I changed my password after the service appointment.

Sorry, what? This is not acceptable. Please contact Tesla and inform them of this. No Tesla employee should ever ask for your credentials, and they really do not need them. You were either working with someone that doesn't know what they were doing by asking for your password (hopefully this, in which case they need to be corrected ASAP) or an actual malicious employee. What is this number they got you to send your info to? (basically, is it something they post on their public website so that you can verify it's real?).

Thanks for the post. I'm relatively new to Tesla and this information is invaluable.

I currently use Stats app, and due to my highly variable schedule the pre-conditioning feature is very useful. Auto-lock has also saved me on a few occasions where Tesla failed to lock the car on walk away (now I know to wait for the mirrors to fold).

Is there any way to (effectively) reach Tesla with this feedback?

I haven't found a way to do so, but I can recommend a few things.
  • Enable "lock confirmation sound" (horn beep). Wait for the horn to beep every time. If it beeps three times quickly, it means a door is open and it didn't lock (I wonder if this has actually been your issue? The doors can be hard to close)
  • Perhaps buy the physical key fob. Pressing a lock button habitually does help some people.
  • I'm not sure how Stats helps with a variable schedule? But preconditioning the car just 5 minutes is sufficient for both the coldest and hottest of days. Whip out the official Tesla app and turn on the climate control, even just a minute does a lot.
It would not be very difficult for Tesla to set up their website as an OAuth2 provider (like Facebook, Google, LinkedIn etc etc), and provide the tokens to the services.

You then only log in to Tesla, and authorise distribution of a token to a third-party app. The third party then doesn't get the password. Only the token.

Requires some work on the part of Tesla IT, and some UI to monitor permissions/revoke permissions etc.

So the funny thing is that it appears they do have some form of OAuth setup. Problem is there is no way to register another service with it that I can find (to get your own client secret and client ID), and even then they don't provide any way for the user/owner to manage authorized services. This currently somewhat makes sense because it's not a publicly documented made-for-the-public API currently.

I'm not sure if or when they plan on putting more work into it. My understanding is that it's been this way for years.
 
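The scoped-token scheme proposed in the posts above, as an added Python sketch that is not code from this thread or from Tesla: one authorization server that alone ever sees the password and issues tokens to registered clients with explicit scopes, plus a resource server that checks the scope per endpoint, so a read-only grant cannot unlock doors and any one app can be revoked without a password change. The scope names, client ids and the battery reading are constructed assumptions, not part of any real API.

```python
import hashlib
import hmac
import secrets

# Hypothetical scope names: the thread notes Tesla's OAuth setup has no client
# registration and no owner-facing permission controls, so these are assumed.
SCOPE_READ = "vehicle:read"
SCOPE_CONTROL = "vehicle:control"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthorizationServer:
    """Issues opaque bearer tokens bound to one owner, one client and a scope set."""
    def __init__(self):
        self._users = {}       # owner -> (salt, hash); the password never leaves here
        self._clients = set()  # registered third-party client ids
        self._grants = {}      # token -> {"owner", "client_id", "scopes", "revoked"}
    def register_user(self, owner, password):
        salt = secrets.token_bytes(16)
        self._users[owner] = (salt, _hash(password, salt))
    def register_client(self, client_id):
        self._clients.add(client_id)
    def authorize(self, owner, password, client_id, scopes):
        """The owner logs in at the provider and consents; the client only ever sees the token."""
        salt, digest = self._users.get(owner, (b"", b""))
        if client_id not in self._clients or not hmac.compare_digest(_hash(password, salt), digest):
            raise PermissionError("login or client rejected")
        token = secrets.token_urlsafe(32)
        self._grants[token] = {"owner": owner, "client_id": client_id,
                               "scopes": frozenset(scopes), "revoked": False}
        return token
    def introspect(self, token):
        grant = self._grants.get(token)
        return grant if grant and not grant["revoked"] else None
    def list_grants(self, owner):
        """What the owner's 'manage authorized apps' page would list."""
        return [(g["client_id"], sorted(g["scopes"])) for g in self._grants.values()
                if g["owner"] == owner and not g["revoked"]]
    def revoke(self, token):
        """Cut one app off without a password change and without touching other apps."""
        self._grants[token]["revoked"] = True

class VehicleApi:
    """Resource server: every endpoint names the scope it requires."""
    def __init__(self, auth):
        self._auth = auth
    def _require(self, token, scope):
        grant = self._auth.introspect(token)
        if grant is None or scope not in grant["scopes"]:
            raise PermissionError(f"token lacks {scope}")
        return grant
    def vehicle_data(self, token):  # read-only telemetry, the kind a stats app consumes
        owner = self._require(token, SCOPE_READ)["owner"]
        return {"owner": owner, "battery_level": 73}  # constructed sample reading
    def door_unlock(self, token):  # a control action; the owner need never grant this scope
        self._require(token, SCOPE_CONTROL)
        return "unlocked"
```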
Sorry, what? This is not acceptable. Please contact Tesla and inform them of this. No Tesla employee should ever ask for your credentials, and they really do not need them. You were either working with someone that doesn't know what they were doing by asking for your password (hopefully this, in which case they need to be corrected ASAP) or an actual malicious employee. What is this number they got you to send your info to? (basically, is it something they post on their public website so that you can verify it's real?).
It is the same number used to provide details for your service appointment. I didn't like the practice myself, I'll ask at my next appointment.
 
Actually, Tesla just needs to improve their authentication and authorization implementation. An app ecosystem with a platform API is a great thing. It allows for a lot of innovation. It just needs to be done in a more responsible way. There are standards out there to allow any platform to implement granular controls, and mechanisms to authenticate 3rd party apps in a much more secure way than the current one Tesla has implemented. Google, for example, allows you to connect 3rd party apps to its services and restrict the level of access (although most just take a "give me access everything" approach).

It's no different than apps on mobile devices. Over time, the platforms have gotten much better to provide visibility to end users about what they are allowing those apps to do and take away access when abused. Personally, I've turned off notifications on almost every app because they inevitably spam. And location access is almost always a no go.

I’m laughing that I got “well actually”-d and treated as if I have no clue how APIs and authentication work. I’ve worked in software my entire career, thanks.

The problem is that we’re not dealing with Google here (who, arguably, is the last company you want to give any data to btw). Most of the people making these third party apps are not thinking about the security of your data or access to your car. It’s only going to take one story about how someone’s Tesla got “hacked” (a.k.a. They handed out their credentials) and we’re going to have full blown congressional investigations and permanent marring of the Tesla brand. We’ll never hear the end of it from people that don’t understand the tech. It’s a massive security hole that they’ve left wide open and an improved authentication method still isn’t going to solve it.

They should hire some of these folks creating 3rd party apps, upgrade the official app with better functionality, and close off much of the access they currently grant to third parties. Tesla should strive to be the shining example of privacy, security, and trust - it’ll be a competitive advantage for them in the long run as other brands experience breaches and security issues.

Maybe they can start by implementing actual 2FA, which should’ve been available years ago? I love Tesla, but they have a lot of work to do here and I can’t just give them a free pass. We should demand more from them and every other company in this regard.
 
It is the same number used to provide details for your service appointment. I didn't like the practice myself, I'll ask at my next appointment.

This is confusing to me. A phone number does contact me for service via text, but only for appointment confirmations. Any actual info about the car, problems, etc. is done via the official Tesla app and potentially email to official Tesla addresses. The only other phone numbers I've seen for service are what seemed to be personal cell phones calling me to say the work is done and to come pick up the car (mobile service team).

The people at your appointment may be the problem, see if you can get in touch higher up or at least with a more general support line. It's entirely possible Tesla is simply intentionally employing a very poor practice here, but that doesn't make it any less appalling.

I’m laughing that I got “well actually”-d and treated as if I have no clue how APIs and authentication work. I’ve worked in software my entire career, thanks.

The problem is that we’re not dealing with Google here (who, arguably, is the last company you want to give any data to btw). Most of the people making these third party apps are not thinking about the security of your data or access to your car. It’s only going to take one story about how someone’s Tesla got “hacked” (a.k.a. They handed out their credentials) and we’re going to have full blown congressional investigations and permanent marring of the Tesla brand. We’ll never hear the end of it from people that don’t understand the tech. It’s a massive security hole that they’ve left wide open and an improved authentication method still isn’t going to solve it.

They should hire some of these folks creating 3rd party apps, upgrade the official app with better functionality, and close off much of the access they currently grant to third parties. Tesla should strive to be the shining example of privacy, security, and trust - it’ll be a competitive advantage for them in the long run as other brands experience breaches and security issues.

Maybe they can start by implementing actual 2FA, which should’ve been available years ago? I love Tesla, but they have a lot of work to do here and I can’t just give them a free pass. We should demand more from them and every other company in this regard.

I agree with many of your points, including the original one that Tesla should just improve what the app can do. Unfortunately that alone isn't really productive for most of their users, and mostly a waste of Tesla's time. People using these third-party services are doing and reading a lot more with their vehicles than the average EV driver who unplugs, drives to work, drives home, plugs back in, and then leaves it until the next day. EVs attract these folk for sure, but they're still not a majority of Tesla owners.

Given that the API is publicly usable right now, there are two options for improvement (one you sort of mentioned): Prevent public access (rendering the services and apps useless), or enhance their authorisation schemes.

There are a large variety of services and apps simply because one can always think of a new way to use an API, or contextualise some data. If Tesla closes off the API because they now have a better app and info service, they will likely be missing things that a small minority does actually want to see or reimagine.

I did not realize the extent of this threat. Approximately how many Teslas have experienced being hacked?

I want to avoid using the word "hacked", since it's not "hacking" if you willingly give a stranger access to your account.

Due to that, it's nearly impossible to tell as an owner. We have no insight to who is getting data from our vehicles. Control of a vehicle would be more obvious, but also not necessarily noticeable if done at opportune times.

Even if nothing bad has happened yet, it may in the future. This isn't a "sky is falling" scenario, but giving a stranger the full-access key to your car that anyone can use from anywhere in the world has some obvious theoretical problems when phrased as such.
 
I did not realize the extent of this threat. Approximately how many Teslas have experienced being hacked?
Not sure how many occurrences of hacking there have been, but imagine this scenario:

One of the more well-standing Tesla shorts manages to bribe someone with admin access to Teslafi.
Suddenly all cars start up, all of them turn the heaters to max, trunks and frunks open, doors unlock, lights are blinking, horns are honking, windows go up and down.
 
Not sure how many occurrences of hacking there have been, but imagine this scenario:

One of the more well-standing Tesla shorts manages to bribe someone with admin access to Teslafi.
Suddenly all cars start up, all of them turn the heaters to max, trunks and frunks open, doors unlock, lights are blinking, horns are honking, windows go up and down.

Honestly, I wouldn't even be mad if someone did this. Would be a far more effective PSA than this thread :D
(which is exactly why if someone were to use your credentials they wouldn't want to draw attention to it or do it on a large scale)
 
I want to avoid using the word "hacked", since it's not "hacking" if you willingly give a stranger access to your account.

Due to that, it's nearly impossible to tell as an owner. We have no insight to who is getting data from our vehicles. Control of a vehicle would be more obvious, but also not necessarily noticeable if done at opportune times.

Even if nothing bad has happened yet, it may in the future. This isn't a "sky is falling" scenario, but giving a stranger the full-access key to your car that anyone can use from anywhere in the world has some obvious theoretical problems when phrased as such.

The risk of someone just gathering data about the vehicle, while not ideal, does not bother me enough to stop using Tesla Fi and Stats. Apparently, at this point there is no evidence of even this type of activity. I also do not like someone having my health records, but if it is not used for criminal purposes the risk is low.

Controlling my vehicle would be another matter. If there has yet to be nefarious control of a Tesla I am not too concerned so the odds remain in my favor. When the unfortunate happens, (I'm sure it will) I would hope countermeasures would be quickly implemented.
 
The risk of someone just gathering data about the vehicle, while not ideal, does not bother me enough to stop using Tesla Fi and Stats. Apparently, at this point there is no evidence of even this type of activity. I also do not like someone having my health records, but if it is not used for criminal purposes the risk is low.

Controlling my vehicle would be another matter. If there has yet to be nefarious control of a Tesla I am not too concerned so the odds remain in my favor. When the unfortunate happens, (I'm sure it will) I would hope countermeasures would be quickly implemented.

Any service that has authorisation to read info for your vehicle today also has the means to control your vehicle. The odds are not in your favour if you've willingly given out full access to your vehicle, they are fully stacked against you just waiting for a leak or direct malicious use. I'll drop it after this post for fear of pestering or bothering you (sorry!), but I hope to accurately communicate the risk you are taking.

The problem with evidence is there never is any until it is too late, the thing has already happened. We do know lots of use cases for your data that would not necessarily be in your favour (e.g. insurance) but may be used even today without you really knowing. Honestly, who knows how insurance companies arrive at a rate for you? No one does because that's a protected trade secret!

And as an operator of these third party Tesla-related services, it would be extremely tempting to do a little shady business on the side for much, much more money than users are paying for the service. It just costs a little integrity, and they can easily justify it because "no one will notice". Again, not saying this is happening, not saying any current service for Tesla does this... but it's very much a thing that happens anywhere with a valuable user base.

EDIT: Oh yeah, regarding countermeasures. Again, the damage/extraction/whatever is done. But as far as malicious or undesirable access to your account goes, this is not something Tesla seems to have improved for years. I hope it does improve, but it's clearly not a priority.
 
The risk of someone just gathering data about the vehicle, while not ideal, does not bother me enough to stop using Tesla Fi and Stats. Apparently, at this point there is no evidence of even this type of activity. I also do not like someone having my health records, but if it is not used for criminal purposes the risk is low.

Controlling my vehicle would be another matter. If there has yet to be nefarious control of a Tesla I am not too concerned so the odds remain in my favor. When the unfortunate happens, (I'm sure it will) I would hope countermeasures would be quickly implemented.
Countermeasures would be changing your credentials or blocking your account. So the consequence of malicious intent would be that you are left without a usable Tesla account until you can reset it.
But humans are horrendously bad at judging risks. "Never happened before" "my uncle/gramps/cousin smoked for 70 years without getting cancer" "some company in Cambridge can get all my data? Well I don't have anything to hide".
 