Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.

PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so

    Votes: 172 41.0%
  • I used to use them, but now I will probably stop (and change my password!)

    Votes: 34 8.1%
  • Will use them at some point in the future, despite non-ideal circumstances

    Votes: 11 2.6%
  • Never used 'em, won't use them until Tesla supports them better

    Votes: 95 22.6%
  • Never used 'em, never will

    Votes: 108 25.7%

  • Total voters
    420
Just a quick note that using Little Snitch, Wireshark, etc. will only give you a false sense of security in this case. A primary "attack" possible is authenticated use of the Tesla API unbeknownst to the owner, which you wouldn't be able to discern easily as legitimate or malicious, especially if you're not technically competent and inspecting each HTTP request and are familiar with the API to some level.
That's why it is important that the code is open-source, and can be reviewed by anyone who cares to; you're not reliant on packet-sniffing; you can see exactly what the code is doing with the API (unless the code is so obfuscated that a malicious use has been crafted to look like an innocuous one).
 
... Regardless of what you take away from this thread one thing you should do immediately.... start using a password manager like LastPass, Dashlane or 1Password. The #1 way people get "hacked" is by reusing passwords. Some sh*tty site you used gets hacked and the database with all the emails/passwords is unencrypted and then the hackers go around to popular sites and try those same email/password combos to see if they work. If every site has a unique password then this will never be an issue.

Password managers create passwords that are much more difficult to guess, but my concern is, What happens if the password manager company gets hacked? Or someone hacks my password to my password manager? One hack gives the hacker access to everything. I've heard the arguments but I'm not convinced it's an improvement. Maybe (okay, let's say definitely) I don't understand computer security well enough to properly assess the true risk level of a password manager vs using unique passwords that are effectively impossible to guess. But at present I don't trust password managers.

I have offered my TiVo software, pyTivo Desktop, completely free of charge for the last two and a half years. ...

You are not alone. There are hobbyist programmers who develop software that is free and produces no income for the developer. But unless someone knows the developer personally, one has no way to know whether an app is truly free, or is harvesting "legitimate" data for sale, or is stealing identity information for overtly criminal purposes. Most software is legitimate for-profit business, and is not using your data for overtly criminal purposes. The free version serves you ads, and tries to entice you to buy the upgraded version. For example a podcast that gives you extended content if you pay. Or a weather app that gives you finer gradation. But you're still at the mercy of their security measures, and for-profit apps get sold if they're successful enough to be worth something and the developer wants the money, maybe for a new project, or maybe to retire.

For me, the keys are strong unique passwords for any site that has my sensitive information, and severely limiting the number of sites that have my sensitive information to ones that offer me really essential services, such as my bank.
 
Just a quick note that using Little Snitch, Wireshark, etc. will only give you a false sense of security in this case. A primary "attack" possible is authenticated use of the Tesla API unbeknownst to the owner, which you wouldn't be able to discern easily as legitimate or malicious, especially if you're not technically competent and inspecting each HTTP request and are familiar with the API to some level.

I don't doubt that the developer's intentions are in the right place though! Just saying that there is definitely a level of trust involved even with such an option.

Good point. Correct me if I'm wrong, but in this case, it's not the app itself that is the problem, it's a malicious intruder piggybacking off the API transaction itself in order to do more than what the app is supposed to do? If so I do see the point. I was concerned about traffic other than the API access there. This also makes it clear that a large part of the problem is with Tesla's API, not with the apps using it per se. The API simply allows too much access out of the box; there really does need to be a "read only" token instead.

Password managers create passwords that are much more difficult to guess, but my concern is, What happens if the password manager company gets hacked? Or someone hacks my password to my password manager? One hack gives the hacker access to everything. I've heard the arguments but I'm not convinced it's an improvement. Maybe (okay, let's say definitely) I don't understand computer security well enough to properly assess the true risk level of a password manager vs using unique passwords that are effectively impossible to guess. But at present I don't trust password managers.

This is a legit concern, as Lastpass was indeed hacked in 2015, but it is as far as I know the only incident of its kind and was several years ago. Hashes were stolen, but not the decrypted passwords themselves, so fortunately there's no record of actual passwords being exposed. IMO the benefits of password managers far outweigh the risks, since it makes it far easier to use randomly generated passwords and thus minimize the damage if one password is stolen.

If the security of the third party password manager is a concern, there's KeePass and its compatible derivatives where you can self-host the password file yourself. But it takes a bit of work compared to the popular managers. I use BitWarden happily right now.
 
Password managers create passwords that are much more difficult to guess, but my concern is, What happens if the password manager company gets hacked?

That's not possible. If you read the white paper on how LastPass works it's impossible to hack as it's encrypted and decrypted on the client side. The only way someone is getting access to your vault is if they guess your master password, so make sure that's good.

Also the random passwords that are hard to guess aren’t what make password managers so valuable. It's the fact that you can use a different password for every site/app/etc... So if one of them gets hacked and your password for that site is stolen it's useless because you won't be using that password on any other sites.

The biggest way people get hacked is by reusing passwords. We're human and we can only remember so many things. So we tend to reuse the same password (or 3), or a slight variant of it, for every site. So if one site gets hacked then the hacker just goes around with that password and tries it on every popular site. If they get access to something like your email then they have the ability to reset pretty much every password you have. They can then use your accounts for malicious purposes or hold them for ransom.

Using a different password for every site is impossible with memory alone, so a password manager is your only hope.
 
Relevant:



Password Strength
 
LastPass passwords look like this....

R59mLQy$hpTV11R2

they're nothing you could remember, nor easily guess.

The biggest issue I have is when I buy a new device, like today with a new FireTV, and have to try to enter one of those passwords using the remote and that onscreen keyboard.
 
It's not possible for the service to be hacked and everyone's passwords to be exposed. Your master password isn’t even stored on their server. It's only ever used to encrypt and decrypt on the client side. Which is why it can sometimes take a while for multiple devices to sync new passwords.

If everything is done on the client side, what's the server for? There are, indeed, things that are not possible because they violate the laws of nature. But "It's not possible" in any other context usually turns out to be wrong. Sure, if they're not storing the passwords, then the passwords themselves cannot be downloaded from the server. But I'd imagine that a clever hacker would have little difficulty figuring out how to get useful information if he once got admin privileges on the server. The trick would be hacking into the server, which I'm sure is extremely difficult since a good security company is going to have very good security itself. But such a high-value target is certain to be bombarded with attacks constantly.

Sorry. I'm not buying the "It's not possible" line. LastPass may indeed be more secure than just remembering my complex and unique passwords for every critical site. Without a lot more tech skills than I have, I cannot assess that. But I don't believe that anything is 100% impossible. The trick is to find the most secure system that is not unreasonably burdensome.
 
It's not possible for the service to be hacked and everyone's passwords to be exposed. Your master password isn’t even stored on their server. It's only ever used to encrypt and decrypt on the client side. Which is why it can sometimes take a while for multiple devices to sync new passwords.

It's not possible today. It is possible, and it's just a matter of time. We're getting closer to solving Shor's algorithm. Just a few months ago IBM Q offered only a 5 qubit circuit, and is now up to 14 for public access, and Google is up to 54 (non-public). Once we get to ~4-5k qubits, RSA cryptography will be useless.
 
If everything is done on the client side, what's the server for? There are, indeed, things that are not possible because they violate the laws of nature. But "It's not possible" in any other context usually turns out to be wrong. Sure, if they're not storing the passwords, then the passwords themselves cannot be downloaded from the server. But I'd imagine that a clever hacker would have little difficulty figuring out how to get useful information if he once got admin privileges on the server. The trick would be hacking into the server, which I'm sure is extremely difficult since a good security company is going to have very good security itself. But such a high-value target is certain to be bombarded with attacks constantly.

Sorry. I'm not buying the "It's not possible" line. LastPass may indeed be more secure than just remembering my complex and unique passwords for every critical site. Without a lot more tech skills than I have, I cannot assess that. But I don't believe that anything is 100% impossible. The trick is to find the most secure system that is not unreasonably burdensome.
The passwords are stored in an encrypted vault on LastPass servers. Here's the architecture.

How is LastPass safe from being hacked?
LastPass operates on a zero-knowledge security model. Sensitive data stored in LastPass is encrypted at the device level with AES-256 encryption before syncing with TLS to protect from man-in-the-middle attacks. We utilize industry best practices to protect our infrastructure, including regularly upgrading our systems, as well as utilizing redundant data centers to reduce the risk of downtime or a single-point-of-failure. LastPass is market-tested by over 43,000 companies, including Fortune 500 and leading tech enterprises.

 
The passwords are stored in an encrypted vault on LastPass servers. Here's the architecture.

How is LastPass safe from being hacked?
LastPass operates on a zero-knowledge security model. Sensitive data stored in LastPass is encrypted at the device level with AES-256 encryption before syncing with TLS to protect from man-in-the-middle attacks. We utilize industry best practices to protect our infrastructure, including regularly upgrading our systems, as well as utilizing redundant data centers to reduce the risk of downtime or a single-point-of-failure. LastPass is market-tested by over 43,000 companies, including Fortune 500 and leading tech enterprises.


Maybe if I understood that I'd believe that LastPass is more secure than remembering a unique complex password for every critical site. But from the phrase "We utilize..." that appears to be promotional material from LastPass itself. I am suspicious by nature. I do not doubt that their system is extremely secure. But there are two separate issues:

1. They may be as honest as the day is long, and probably are, and are certainly extremely competent, but I reject the notion that anything is perfect.

2. Using a password manager means trusting all my access to just one password, which I need to remember. If someone manages to get that, they have access to all my accounts. By remembering my own unique passwords, it's very unlikely anyone would get access to more than one of my accounts.

The weakest link here is me. Having just one master password is putting all my eggs in one basket. This would be convenient if I had more than just two or three critical accounts. But the trade-off is too few baskets in return for the convenience of only having to remember one password.
 
By remembering my own unique passwords,
Very few humans are capable of remembering multiple unique high strength passwords. See the example @whatthe2 posted upthread. Try to memorize that and recall it reliably. Now do that for a unique password for every website/app you use. You can’t do it. My cousin, a computer security expert who has worked for Google (I will not reveal what fundamental online security protocol he invented because that would reveal his identity) tells me that applications like LastPass are the most secure way to handle multiple high strength passwords.
 
In my network security class, we learned a few principles:
  • There's no such thing as 100% perfect security.
  • There is almost always a trade off between security and convenience. They have to be balanced based on the use case.
  • By far the most common and easiest way to breach security is not through technical hacking, but social engineering. All the encryption in the world is useless if someone can just trick you into giving up your password, or if you write your password down on a Post-It note, or you stick a random USB drive into your computer. (All these instances have led to major breaches.)
  • When making security decisions, don't let perfect be the enemy of the good. Malicious actors won't wait for you to come up with the perfect plan.
Password reuse, I think, is the most common security problem for the average user. It happened to me—I had several accounts breached because I reused what I thought was a difficult password. And I should have known better. So I spent almost two whole work days just resetting all my passwords and making each one different with a password manager. This step, along with 2 factor authentication, is sufficient to localize any damage for most people.

Is it perfect? No, like all security. There are certainly more steps one could take. But to me, the balance between security and convenience is good when it comes to password managers. It's an individual decision, of course, and the more knowledgeable about security one is, the more steps one could take (like OP, and my friend who works in cyber security). But if we want to stop breaches on the whole, we have to find solutions that will work for the majority of people.

To return to the original topic at hand, I think OP did a good job explaining why third party Tesla stats apps are uniquely vulnerable, and why the convenience/features gained may not be worth it given how easy it is to control the car remotely with the API. Personally I find the locally hosted TeslaMate solution to have the right balance of security and features, since it eliminates some of the original concerns and is open source, so is less vulnerable to hidden malicious features.

But as they say: your mileage may vary.
 
Maybe if I understood that I'd believe that LastPass is more secure than remembering a unique complex password for every critical site. But from the phrase "We utilize..." that appears to be promotional material from LastPass itself. I am suspicious by nature. I do not doubt that their system is extremely secure. But there are two separate issues:

1. They may be as honest as the day is long, and probably are, and are certainly extremely competent, but I reject the notion that anything is perfect.

2. Using a password manager means trusting all my access to just one password, which I need to remember. If someone manages to get that, they have access to all my accounts. By remembering my own unique passwords, it's very unlikely anyone would get access to more than one of my accounts.

The weakest link here is me. Having just one master password is putting all my eggs in one basket. This would be convenient if I had more than just two or three critical accounts. But the trade-off is too few baskets in return for the convenience of only having to remember one password.
I certainly understand your concerns. I work for a cloud security company (not LastPass) so I'm more knowledgeable/comfortable with cloud security technologies than your average person. AES-256 is used in Top Secret/SCI networks and is currently the best option to secure data. Not to say it can't ever happen, but currently there is no method to crack it.

From a Brute-Force attack standpoint:
"Fifty supercomputers that could check a billion billion (10 to the 18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10 to the 51 years to exhaust the 256-bit key space."
 
Using a password manager means trusting all my access to just one password, which I need to remember. If someone manages to get that, they have access to all my accounts. By remembering my own unique passwords, it's very unlikely anyone would get access to more than one of my accounts.
LastPass, and others I presume, allow you to protect using your master password with 2FA and also can whitelist by geography (eg. this allows you to enable access only from your country) and requires two factor which you can use an app like Authy or a dedicated token, and you can also lock it down to only known devices like your PC or phone. If you don’t lock it down it provides notifications for any logins on unknown devices. Changing your master password causes it to reencrypt all your passwords locally and that breaks them immediately on all other devices.

Besides the obvious reason to protect bank accounts, probably the most important account to protect is your email which I always advise has its own unique strong password and 2FA. With access to your email a person can lock you out and change most of your other accounts passwords by using the ‘forgot password’ mechanism.

I have hundreds of strong passwords and no way could possibly remember them never mind which one goes to which account. Password reuse is THE most common mechanism for ‘hacking’. If you are wondering if one of your passwords has been leaked by some site, check out https://haveibeenpwned.com/. Chances are it has.

Password managers that encrypt locally on your device with a master password that never leaves your device are pretty darn secure when coupled with the other schemes above. Much more secure than your memory.
 
While this was relevant some years ago, this method can easily be cracked in ~1 day using a dictionary attack.
I don't have the link handy, but I recently read a white paper analyzing this assertion. The conclusion drawn was that while this may be true for one or two words, four or more randomly selected words (and the key word here is random) still has abundantly sufficient entropy with which to defeat most dictionary-based attacks. Entropy goes down significantly when the words chosen for one's passphrase are not randomly selected, though. As soon as a meatbag gets four words and thinks "I like them better in this order" or "the third word reminds me of _____, I'll replace the fourth word with that" entropy shoots way way down.

Indeed, I just looked at a few of the articles purported to debunk the 'correct horse battery staple' password regime, and all of them talk about passwords chosen by the user, not ones randomly generated.
 
I don't have the link handy, but I recently read a white paper analyzing this assertion. The conclusion drawn was that while this may be true for one or two words, four or more randomly selected words (and the key word here is random) still has abundantly sufficient entropy with which to defeat most dictionary-based attacks. Entropy goes down significantly when the words chosen for one's passphrase are not randomly selected, though. As soon as a meatbag gets four words and thinks "I like them better in this order" or "the third word reminds me of _____, I'll replace the fourth word with that" entropy shoots way way down.

Indeed, I just looked at a few of the articles purported to debunk the 'correct horse battery staple' password regime, and all of them talk about passwords chosen by the user, not ones randomly generated.
Yeah, valid point. The problem is most people use common words. So if they happen to use four of the most common 5,000 words, it can be cracked in about 1.5 minutes.
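
The keyspace arithmetic behind this exchange, as an added example that is not part of any post in the thread: it compares four words drawn from a 5,000-word pool, four words from a 7,776-word list, and a 16-character random password of the kind shown upthread. The 7,776-word list size, the 94-character alphabet, the guess rate and the tiny word list are assumptions of this example.

```python
import math
import secrets

# Constructed sample word list, far too small for real use; a real list
# would hold thousands of words.
SAMPLE_WORDS = ["anchor", "maple", "violet", "copper",
                "lantern", "orbit", "pebble", "thistle"]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `pool_size` options."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need at least two options and one pick")
    return picks * math.log2(pool_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second


def random_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Draw words with a CSPRNG; the entropy figure only holds if the
    result is used as drawn, with no reordering or swapping by the user."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the real pool size")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(guesses_per_second: float) -> dict:
    """Exhaustion time in years for the three schemes discussed above."""
    schemes = {
        "4 words from 5,000 common words": entropy_bits(5000, 4),
        "4 words from a 7,776-word list": entropy_bits(7776, 4),
        "6 words from a 7,776-word list": entropy_bits(7776, 6),
        "16 random chars, 94-char alphabet": entropy_bits(94, 16),
    }
    year = 365.25 * 24 * 3600
    return {name: (bits, seconds_to_exhaust(bits, guesses_per_second) / year)
            for name, bits in schemes.items()}


if __name__ == "__main__":
    rate = 1e12  # assumed offline guess rate, guesses per second
    for name, (bits, years) in compare(rate).items():
        print(f"{name:36s} {bits:6.1f} bits  {years:.3g} years")
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
```

The exhaustion time depends entirely on the guess rate the attacker can reach, which in turn depends on how the site hashes stored passwords, so treat `rate` as the variable to explore.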
 
If everything is done on the client side, what's the server for? There are, indeed, things that are not possible because they violate the laws of nature. But "It's not possible" in any other context usually turns out to be wrong. Sure, if they're not storing the passwords, then the passwords themselves cannot be downloaded from the server. But I'd imagine that a clever hacker would have little difficulty figuring out how to get useful information if he once got admin privileges on the server. The trick would be hacking into the server, which I'm sure is extremely difficult since a good security company is going to have very good security itself. But such a high-value target is certain to be bombarded with attacks constantly.

Sorry. I'm not buying the "It's not possible" line. LastPass may indeed be more secure than just remembering my complex and unique passwords for every critical site. Without a lot more tech skills than I have, I cannot assess that. But I don't believe that anything is 100% impossible. The trick is to find the most secure system that is not unreasonably burdensome.

Your passwords are all stored in a single encrypted blob aka vault, which is encrypted by the client using your master password and sent to the server. The server does not ever store your master password. You login to your account, to download the vault, using your master password but they do this by creating a hash of your username that is encrypted by your master password on the local system and then storing that on their server. So basically when you login your "password" is really just your username encrypted locally using your master password and is just as secure as the vault itself. Your master password is never sent to the server or stored on the server. The password is only ever used on the local device.

Here's the whitepaper if you're interested...

https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf

In addition to all the encryption they protect the server side with extra hashing, so your encrypted user name is encrypted again using their own server side encryption. They also cut off brute force attacks by locking an account after a few failed attempts. And they also offer two factor authentication which won't even allow you to try to download without a code and they only accept authenticator apps or special security key devices for 2FA, no SMS, so there is no way to spoof that.

But let's say they cracked the server and downloaded everyone's vault file. Every single one is encrypted using a different master password using AES256 encryption. A brute force decryption of even just one file would require hundreds of years using current technology. And because they're not stored with any identifying information, only that encrypted and hashed user name which would also take hundreds of years to decrypt, it is literally impossible for them to crack your vault without knowing, or guessing, your master password.

So I stand by my statement that it's impossible. Unless you use a stupid master password that's easy to guess.

Another technique I heard about recently that increases security even more is setting up an email with an anyone@ domain. An anyone@ domain will accept email addressed to anything @yourdomain.com and route it to a single inbox. You then use the password generator in LastPass to generate both a unique email AND a unique password. Talk about impossible to crack. If someone happened to hack a site and gain access to your email and password for that site not only would the password be unique but the email would be unique, so they'd have no way to tie any information back to you. If you connected the anyone@ domain to a forward domain they wouldn't even know where the email is actually being sent.

My point is if you want to get crazy with security you can and it's relatively easy with the tools available today.
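
The client-side derivation pattern described in the post above, as an added sketch that is not part of the original post and is not LastPass's code: the master password is stretched into a vault key on the device, a separate one-way login hash is derived from it, and the server re-hashes that value before storing it. The function and class names, the iteration count, and the choice of PBKDF2-SHA256 with the username as salt are assumptions of this example; the vault blob is a constructed placeholder because AES is not in the Python standard library.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed work factor for this example


def derive_vault_key(username: str, master_password: str) -> bytes:
    """Client side: stretch the master password into the vault key.
    This value never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), KDF_ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step. Only this value is sent to
    the server, and the vault key cannot be computed back from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode(), 1)


class VaultServer:
    """Server side: holds an opaque blob plus a salted re-hash of the
    login hash. It never sees the master password or the vault key."""

    def __init__(self):
        self._accounts = {}

    def register(self, username: str, login_hash: bytes, blob: bytes):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt,
                                       KDF_ITERATIONS)
        self._accounts[username] = (salt, verifier, blob)

    def fetch_vault(self, username: str, login_hash: bytes):
        record = self._accounts.get(username)
        if record is None:
            return None
        salt, verifier, blob = record
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt,
                                        KDF_ITERATIONS)
        # Constant-time comparison avoids leaking how many bytes matched.
        return blob if hmac.compare_digest(candidate, verifier) else None

    def stored_fields(self, username: str):
        """What someone with a copy of the server database would hold."""
        return self._accounts[username]


if __name__ == "__main__":
    user, master = "owner@example.com", "constructed master passphrase"
    key = derive_vault_key(user, master)
    login = derive_login_hash(key, master)
    server = VaultServer()
    # Placeholder for the vault encrypted on the device with `key`.
    server.register(user, login, b"<ciphertext produced on the device>")
    print("right password:", server.fetch_vault(user, login) is not None)
    bad = derive_login_hash(derive_vault_key(user, "guess"), "guess")
    print("wrong password:", server.fetch_vault(user, bad) is not None)
```

A copy of the server database therefore yields only the salt, the verifier and the ciphertext, so an attacker is left guessing master passwords offline, which is why the strength of the master password and the work factor carry the whole design.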