While this was not my direct intent, I now realize the impact this thread may have on the revenue stream of these third-party services. Of course, that naturally follows for those who follow my advice, however it wasn't obvious to me at the time and I had not thought of it. I feel a little bad since they are obviously offering valuable services and Tesla's non-ideal system that they need to use is not their fault. I'm going to reach out to some parties and see what can be done, I have an idea that might help everyone. Anyone happen to know who I can contact at TeslaFi, Stats app, etc.?
I still stand by my statements and won't retract them, I just didn't look at the overall impact. Whoops :S
While I am no fan of giving my keys away to a 3rd party, or even giving my keys to a valet, I would like to try to better understand the risks.
When I give my keys to a valet (which I do try to avoid), I can pretty much imagine the variety and severity of risks. None of them particularly good, from minor damage or scratches inside or out to some very low probability but crazy scenarios that on occasion make news.
So for those of you in the software space (which I am not), can you help answer two questions to better understand the risks of third-party?
What would be the worst case scenario?
What are the odds of that happening to an individual user?
"Worst case" depends on what matters to you. The obvious theft case was outlined. Since this is equivalent to handing strangers the virtual key to your vehicle (like a valet), what they do with your vehicle is outside of your control.
Unlike a valet, there isn't social pressure of maintaining a job or from coworkers to not do something stupid with your car.
Anyone could end up with your key from anywhere in the world when you willingly expose it outside of the environment it was designed to be used in.
"Worst case" could also be harvesting your data for direct or indirect use. Again, insurance was an example (which you were personally OK with) that could be used to raise your rates. Another could be mapping out when you seem to leave home with your vehicle, so one could plan an opportune time for a home robbery without interruption. A sophisticated individual could even set up an alarm to let them know when you're on your way back home so they can get out of there!
As for the odds, I'll separate it.
- Control: The odds of someone maliciously controlling your car are very low. This is because they benefit from keeping it on the down low. If leaked access suddenly becomes widely known because too many people's Teslas are being maliciously controlled, someone goes "hey wait a minute" and now Tesla needs to do something to lock that down. They then lose control access.
- Data/info: Controversially, I'm going to say the odds of your data being used without your knowledge is guaranteed to happen one day if you share your password/token with third parties. This will happen either by intentional arrangement of the third party service selling the data (they want to make money, this is a good way to do so) or by a leak of passwords/tokens (in which case only Tesla can detect, and would have a very hard time doing so). The first case doesn't even have to involve your password/token being given to a data company: the service/app you gave the keys to can simply get the data and sell it alone instead of giving direct access to the data. This is extremely common. But in the case of a leak, it's all too attractive to siphon up everyone's data because there would be zero backlash for doing so, with potentially great benefit (including selling off the data alone while continuing to acquire more).
I agree that theft would be one of the worst case type scenarios. I'm not so sure I agree that insurance would not cover. I did not give anyone permission to steal my car, much less even drive the car. Someone stealing my credentials does not let the insurance company off the hook.
I suppose this gets into all sorts of legal precedent (which may also vary by place of residence), but if you gave someone your keys... did you not give them permission to access and potentially drive your car? Naturally I would think so, however I have no idea how that holds up in legal reality. The reality is you did indeed give the access and means. Knowing my own provincial insurer, they might be wary of potential insurance fraud if something bad happened to the car (because insurance fraud is indeed a real thing).
Dude, don’t even bother with this thread. I posted a sarcastic joke that went over most people’s heads. You won’t be changing any of the posters' minds here and you’ll be downvoted for even trying. The poll for this thread still shows the majority, 37% (10:18am PST 2 Dec) saying they do and will use the 3rd party apps but some members are very upset about this.
I think the title of this thread could be more apt to what the OP is trying to say. It’s a bit much to title your post Public Service Announcement. Maybe “Caution when using 3rd party apps” or “The possible downsides”.
I bet 100 Internetz that some of the members on this forum are using the same password as their email, their Tesla login and possibly their banking info.
/unsubscribed
Others have covered this (my position is not simply paranoia nor mild annoyance, it's concretely factual and advisory and really is meant to be as urgent as I titled it). I do have a few points for others:
- 37% isn't a majority. It's the most popular option, but not a majority.
- Combining current responses at the time of writing, the numbers are actually fairly close.
- 37.4% plan to keep using or will use a third party service/app in the future
- 32.1% stopped or won't use one precisely because of the problems outlined in this thread
- 30.5% just aren't interested in a third party service/app
Of course, the group of forum users vs. the group of all Tesla owners is very different and these stats are not at all representative of the average Tesla owner. In fact, it seems TeslaFi (they're the only one I could find a number for) has about 9000 users, whereas I understand there are a few hundred thousand Tesla vehicles out on the roads. These numbers do not jibe with the 37.4% portion above, and we should all be aware of that. We should also be aware of the fact that the 8.9% who found value in this thread is shockingly high (in my opinion) and I'm glad we could collectively inform a few people on the risk. Likewise, the 1.6% who read through this and choose to still use the service are at least in a more well informed position now even if I (and others) would prefer if no one gave up the keys to their cars. That's a win in my books, I aim to inform.
Just want to say thank you for this post. I'm a software developer myself (though security is not my main domain; I do understand the basics of API tokens and authentication basics), and I had been considering using one of these tracking apps once I got my car, but this is a good reminder that Tesla's security leaves much to be desired. I noticed that I couldn't paste my long randomly generated password into my Tesla account when changing passwords, which encourages people to use easy or reused passwords. I know they are also working on 2FA but it's long, long overdue for an account that can control a car.
You'd think for a car that is very popular with software engineers that these issues would have been identified and fixed long ago through posts like yours. I hope Tesla will do better on this front. In the meantime, I'm going to stay away from the stats apps.
To you and all others who have chimed in (either in support or otherwise), thank you. I'm glad I (and others!) could provide some more information or even simply reminders for everyone. I'm also glad to hear from those who I initially disagreed with because honestly, I had not thought of your perspectives before. Especially as a non-user of the services/apps, I understand they have significant value but I haven't experienced that value myself, so it's much easier to be on the side I am than if I was gleaning value from one of these services currently. It would be hard for me to switch off of them and I'd be trying to debate many of the same questions and points that have come up!
But back to your points. The password thing, you specifically mean when you change the password and the prompt in the app doesn't let you autofill from a password manager? If so, yeah, just experienced the same myself and that was a bit mildly annoying.
I'm not shocked that little has been done to address this. Tesla's business goes on without it. Whether I like it or not, I've learned that in this industry you need to put your resources only where the dollars are, not where the features are nice to have. ¯\_(ツ)_/¯