
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so

    Votes: 172 41.0%
  • I used to use them, but now I will probably stop (and change my password!)

    Votes: 34 8.1%
  • Will use them at some point in the future, despite non-ideal circumstances

    Votes: 11 2.6%
  • Never used 'em, won't use them until Tesla supports them better

    Votes: 95 22.6%
  • Never used 'em, never will

    Votes: 108 25.7%

  • Total voters
    420
I'm not sure how Stats helps with a variable schedule? But preconditioning the car just 5 minutes is sufficient for both the coldest and hottest of days. Whip out the official Tesla app and turn on the climate control, even just a minute does a lot.

It's set to charge a couple hours prior to leaving, and heat the cabin about 2-3 minutes before. Since it only lets you do a fixed weekly schedule, I have to change it every few days. I just don't remember otherwise and this seems to work.
 
Kinda related to this. When I last had my car in for service, they needed to verify that I couldn't wake it with my app.
The guy at the service center said I had to send them my username and password by SMS, to a customer support number that stores that information in clear text, available to all Tesla employees (at least all Tesla employees that can see my service history).
This is likely some service center worker’s reaction to the new-ish behavior where you need to authenticate in the car to turn off remote mobile access. Service Centers usually disable remote access so that an owner does not lock/unlock/honk the horn/enable Sentry mode on their car remotely while in service. They probably now have a method to override that and that employee was not aware of it.

When the unfortunate happens, (I'm sure it will) I would hope countermeasures would be quickly implemented.
The point of this thread is that the most effective countermeasure is to not be affected at all by not sharing credentials (the worst) or a token (not as bad) to begin with.
But if you get value out of the added features and data of third-party apps and services, at least have good practices around your account password, like using a very long and unique password for your Tesla account, and changing it regularly.
And if something does happen, change your password on the spot which should deny access to anyone but you.

This whole discussion is hypothetical: we are not aware of any widespread or targeted attacks against owners or their cars. Nor are we aware of owners' data being sold or used without consent. But in either case, we will only learn of these things happening after the fact, which is why one should not wait to hear about such things before implementing some basic best practices.
 
I’m laughing that I got “well actually”-d and treated as if I have no clue how APIs and authentication work. I’ve worked in software my entire career, thanks.
You got the "well, actually" for the statement that Tesla should just incorporate all the functionality in their own app (which implied they should remove 3rd party API access). It comes down to whether Tesla will allow an ecosystem to develop or lock everything down. I vote for an ecosystem with a proper set of OAuth-based authorization profiles that empower the user to control what the apps can do without giving them the master key, which is the state of affairs today.
 
The problem is that "I like to tinker and I understand the risks" doesn't translate to a world where millions of vehicles with this kind of connectivity and remote control are in the hands of the masses. App makers certainly aren't going to take the opportunity to educate their users about the risks of using their app, and users aren't going to take the time to understand the nuances of the settings. Even with granular controls, you know that the app developers will default them all to Allow and users will not bother to change them. Convenience at the sacrifice of security, always.

As far as the platform/ecosystem play goes, Tesla will have to decide if that actually benefits their business or not. I'm having a hard time finding a use case that expands and adds to their core value proposition. "Some hobbyists like to tinker" is nice for those hobbyists, but does nothing for the value of the business other than to introduce the security risks we're discussing here.

I get that I sound like an old man yelling at a cloud here, but I am yelling at that cloud in service of protecting people from themselves and protecting Tesla from the inevitable "Why Connected Cars Aren't Safe, Tonight at 11" news stories that will damage their credibility beyond repair and maybe take the entire business down with it. They already have enough of these hurdles with Autopilot ahead of them in the next decade or two, let's not knowingly add to the pile.
 
Any service that has authorisation to read info for your vehicle today also has the means to control your vehicle. The odds are not in your favour if you've willingly given out full access to your vehicle, they are fully stacked against you just waiting for a leak or direct malicious use. I'll drop it after this post for fear of pestering or bothering you (sorry!), but I hope to accurately communicate the risk you are taking.

The problem with evidence is there never is any until it is too late, the thing has already happened. We do know lots of use cases for your data that would not necessarily be in your favour (e.g. insurance) but may be used even today without you really knowing. Honestly, who knows how insurance companies arrive at a rate for you? No one does because that's a protected trade secret!

You are not pestering me in the least. We just have a difference of opinion as to the amount of risk. (Yours is probably more enlightened as I'm not in the industry). What would be the worst case scenario and what are the odds of that happening to an individual user?

As to insurance companies, Tesla gave me a great rate and I was ready to switch. I also knew that they have all the data and can track my driving. I have heard that some insurance companies will offer better rates if they can access more data and your driving habits. I do not have a problem with insurance companies knowing all that they can know about me. That's how they can more accurately assess risk.
 
Everyone should stop using mobile devices and the internet too, btw if you are worried about privacy.
If you don’t understand the point of the OP, best to just not participate in the thread. He definitely wasn’t promoting a position of paranoia, just explaining that when you use a 3rd party service you’re handing them the master key to your car. A lot of people seemingly make that choice without understanding what they’re doing. If you do, fine. I personally do for one service, but that doesn’t invalidate the information given.
 
I'm a software dev. If you have to, then generate a one-off password for your Tesla account and, if possible, grab the token and use that with 3rd parties.

Don't use the same password as your email account...

Remember, username/password can sign into tesla.com and see documents with your address on, etc.
 
While I am no fan of giving my keys away to a 3rd party, or even giving my keys to a valet, I would like to try to better understand the risks.

When I give my keys to a valet (which I do try to avoid), I can pretty much imagine the variety and severity of risks. None of them particularly good, from minor damage or scratches inside or out to some very low probability but crazy scenarios that on occasion make news.

So for those of you in the software space (which I am not), can you help answer two questions to better understand the risks of third-party?

What would be the worst case scenario?
What are the odds of that happening to an individual user?
 
What would be the worst case scenario?

The worst case scenario (that I can think of) is that the third-party loses its store of API keys to a bad actor who lives near you, uses that API key to see the locations of all cars for which the API keys are "pwned", sees an opportunity, and uses that API key to unlock and start your car, to drive it away to a nearby chop shop. Your insurance company decrees that since you had given someone a copy of your car key, and that was used to take the car, it's not covered under your 'theft' coverage.

What are the odds of that happening to an individual user?

Very very low.
 
Everyone should stop using mobile devices and the internet too, btw if you are worried about privacy.

Dude, don’t even bother with this thread. I posted a sarcastic joke that went over most people’s heads. You won’t be changing any of the posters' minds here and you’ll be downvoted for even trying. The poll for this thread still shows the majority, 37% (10:18am PST 2 Dec) saying they do and will use the 3rd party apps but some members are very upset about this.

I think the title of this thread could be more apt to what the OP is trying to say. It’s a bit much to title your post Public Service Announcement. Maybe “Caution when using 3rd party apps” or “The possible downsides”.

I bet 100 Internetz that some of the members on this forum are using the same password as their email, their Tesla login and possibly their banking info.

/unsubscribed
 
The poll for this thread still shows the majority, 37% (10:18am PST 2 Dec) saying they do and will use the 3rd party apps but some members are very upset about this

1. Would never use a 3rd party site that required my full Tesla user/password.
2. Personally use an OBDII adaptor to gather real time location, driving, charging and other items otherwise available on 3rd party tools.
3. Members who are telling people there is a real problem are 100% correct and not "upset" with others, but attempting to ensure that this isn't misunderstood.

There is a real and present danger that Tesla user/passwords could be stolen from any of these 3rd party sites. Yahoo and other large scale services have had similar breaches documented. Do you reasonably think Yahoo is worse at security than these small one-person 3rd party sites that have Tesla auth data?

The internet is a benefit that I enjoy and I need to "trust" sites like Yahoo, Google and Apple with my personal identity and other seriously important items. Oh well. But a small 3rd party having full control of my Tesla, no thanks.
 
The worst case scenario (that I can think of) is that the third-party loses its store of API keys to a bad actor who lives near you, uses that API key to see the locations of all cars for which the API keys are "pwned", sees an opportunity, and uses that API key to unlock and start your car, to drive it away to a nearby chop shop. Your insurance company decrees that since you had given someone a copy of your car key, and that was used to take the car, it's not covered under your 'theft' coverage.

I agree that theft would be one of the worst case type scenarios. I'm not so sure I agree that insurance would not cover. I did not give anyone permission to steal my car, much less even drive the car. Someone stealing my credentials does not let the insurance company off the hook.
 
I agree that theft would be one of the worst case type scenarios. I'm not so sure I agree that insurance would not cover. I did not give anyone permission to steal my car, much less even drive the car. Someone stealing my credentials does not let the insurance company off the hook.
I presumed that a worst-case scenario involved a malevolent insurance agency.
 
Curious as to what your fears are or if you have examples of Tesla owners regretting having used third-party apps?

It's not fear, it's prudence. Nothing more. I don't need an example of a specifically exploited Tesla 3rd party online service to know they can easily be exploited as has been the case for Yahoo and countless other internet service providers.
 
just to expand on the content/context of this thread (without trying to beat a dead horse);

at the end of the day, these third party services cost money. they cost money to develop, to host and to distribute. the liabilities added in the clauses and TOS are standard lingo for deniability and to protect the issuing party. at the end of the day, they have ZERO interest in protecting you, as a consumer. yes there are implied warranties and agreements, but if an opportunity to collect additional revenue through basic data generation, the company/issuing party were to be sold, or the infrastructure was somehow hacked (at any level), the data they've collected from all of the tokens, logins, etc., are now exposed. this happens more often than you may know/realize.

honestly, i think most of the data collected and measured through most of the apps is benign at best, but there is important data like location history, VIN information, specific vehicle location and even personal data that is at risk. so while I agree there are far too many controls available at the API level, there is still a lot to be desired in terms of data collection and what it's used for.

as a modern IT professional, i love the thought that i can manipulate the data coming from my car to change my driving patterns, track my battery health, etc., but these tools are risky at best. if something were to happen to someone's vehicle as a result of a data breach, there will be a LOT of "i told you so's" being posted.