
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services? (poll)

  • I used to use them, and I will continue to do so: 172 votes (41.0%)
  • I used to use them, but now I will probably stop (and change my password!): 34 votes (8.1%)
  • Will use them at some point in the future, despite non-ideal circumstances: 11 votes (2.6%)
  • Never used 'em, won't use them until Tesla supports them better: 95 votes (22.6%)
  • Never used 'em, never will: 108 votes (25.7%)

Total voters: 420
Very informative post. The advice given is helpful and useful, however it’s not a “one size fits all.” For some, who are not very tech and security savvy it may be very useful. However, for others who are in the practice of using strong passwords, changing them often, using password managers like RoboForm, LastPass, etc., the information is not as useful.

I’ve used Stats for the past year and have never had any issues with anyone “hacking” into my car. Is it possible that hackers can hack a third party app and steal info? Or a third party app selling your login credentials? Anything is possible. If I’m not mistaken some hackers hacked into a Tesla recently through the browser. Choose your third party apps carefully and use the ones you feel are more reputable. In my opinion, Stats and TeslaFi are reputable (I’m sure there are others in a similar category).
In the meantime, I’m going to continue to use Stats because it has some great features as well as logging of vehicle info. I’ll also continue to change my passwords frequently and use strong passwords. And also never use the same password for different websites.
 
For some, who are not very tech and security savvy it may be very useful. However, for others who are in the practice of using strong passwords, changing them often, using password managers like RoboForm, LastPass, etc., the information is not as useful.
I'm not certain I agree. Here's why. The Stats for Tesla app utilizes the username and password from one's Tesla account. Therefore, using a strong Tesla account password or frequently changing the password will do nothing to protect one's Tesla account information from being accidentally or intentionally shared to third parties via Stats.

I am a heavy user of LastPass.
 
Very informative post. The advice given is helpful and useful, however it’s not a “one size fits all.” For some, who are not very tech and security savvy it may be very useful. However, for others who are in the practice of using strong passwords, changing them often, using password managers like RoboForm, LastPass, etc., the information is not as useful.

I’ve used Stats for the past year and have never had any issues with anyone “hacking” into my car. Is it possible that hackers can hack a third party app and steal info? Or a third party app selling your login credentials? Anything is possible. If I’m not mistaken some hackers hacked into a Tesla recently through the browser. Choose your third party apps carefully and use the ones you feel are more reputable. In my opinion, Stats and TeslaFi are reputable (I’m sure there are others in a similar category).
In the meantime, I’m going to continue to use Stats because it has some great features as well as logging of vehicle info. I’ll also continue to change my passwords frequently and use strong passwords. And also never use the same password for different websites.

On the contrary, I think you've missed my caution. "Strength" of your password is irrelevant if you are sharing that password with a third party. Password strength only helps for "cracking" passwords -- if the malicious individual already has your password, well... no cracking needed. It is however entirely your choice if you want to hand the universal keys to your car to a stranger and hope they never expose them or use them maliciously. Given all the data leaks that occur on a weekly basis from much larger companies... not a risk I personally recommend.

With your password, someone can permanently lock you out of your account. They can change both the email and password and you'd have to contact Tesla directly to somehow get your account back. Meanwhile, someone else has full access to your car. Neither Tesla nor your insurance provider will be on your side for giving a stranger the keys to your car.

If you're referring to the Tesla browser hack as the one shown in the Teslanomics video about 6 months ago, that was a huge red herring IMO. It also requires the user to enter their credentials into a third party website, but in that video it happens to be in their car instead. This requires the user to navigate to an insecure website in 2019 (not exactly common), be redirected by the malicious WiFi, and enter their credentials on their car's screen, which they have never done before. Possible, yes. Possible with any account from any service, actually, since it's user error and not a Tesla issue at all. The main takeaway from that video should be that if you give someone your Tesla credentials, they have full access to your car, regardless of how strong your password is.

Lol... Well, I'm not sure how I would have replied to your post using the context of my app to support your arguments without mentioning it.

It was well-warranted and a good discussion point :)
 
Given all the data leaks that occur on a weekly basis from much larger companies... not a risk I personally recommend.
Very true. By the same token, what if Tesla were hacked and user information was compromised? Has there ever been an instance where user data was compromised from a third party app? If so, please let me know. Perhaps then I may change my mind about using third party apps. I’m just presently not in the “sky is falling camp.”
 
Very true. By the same token, what if Tesla were hacked and user information was compromised? Has there ever been an instance where user data was compromised from a third party app? If so, please let me know. Perhaps then I may change my mind about using third party apps. I’m just presently not in the “sky is falling camp.”

Your point is valid, but cannot be used to argue handing your password to others.

Tesla is expected to be a good steward of your credentials. They're a company with a lot to lose, and are also the ones providing the account and the products the account has access to. They're first-party. They could experience a leak, but it should be less likely.

A third party service has much less to lose. They don't have millions or billions of dollars and liability on the line. It is expected they will take your credentials and info somewhat less seriously.

It's also a matter of attack surface area. Tesla is mandatory, and is one place of attack/leaks. Each third party service you use exposes yet another attack vector with different holes. Not even necessarily worse, but different, therefore more chances to gain access.

As for instances where data was compromised by a third party? You don't even have to go as far as third-parties, first-parties mess this up all the time. It was linked earlier, but check this out: Have I Been Pwned: Pwned websites

Those are only the ones that have been noticed and reported. It happens All. The. Time.
 
The logical solution to all of this is for Tesla to enhance the functionality of the official app so that no one needs to use these 3rd party apps. It’s overdue for a major revision as it is.
Agreed! And we should ask Tesla to add the features we want:
[image attachment]
 
From that article:
Tesla said:
“In the coming days, we will release a software update that addresses this research. We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
This was a really good thing! Our cars are patched and safer for it.
 
I’ve used Stats for the past year and have never had any issues with anyone “hacking” into my car.
That is the least likely scenario, but the consequences would be very high. Which means the risk factor must be increased.
Is it possible that hackers can hack a third party app and steal info?
Of course it is possible. How likely it is depends on how strong the security measures in place are that protect your information and how valuable access to your account information is.
I currently trust Tesla quite a bit, as they would be out of business if someone got in and stole all of the owner credentials.
TeslaFi and others? Have they let us know what security measures are in place? How talented is their security team? Do they have one? I have not researched this, so I do not know.

At some point, there will be enough accounts stored in those third-party services to make them an attractive target. Then their databases may be compromised, and I would like for my account credentials to not be in there.
An attacker (more likely an organized group, and not the guy in the hoodie tv ads portray) would have the ability to then lock a large number of owners out of their accounts (and show control by triggering the horn, sentry mode, etc). This would probably be a classic ransomware attack where you would be asked to pay a ransom to get your account back. Tesla would likely be able to help resolve this, but it would be quite time-intensive and a major disruption for owners.

Or a third party app selling your login credentials?
They may not sell your actual credentials, but the data associated with your car. Think about all the data you get through those services, all of the road trip and charging sessions data. This is all stored so you can access it at a later time. That stored data is the most interesting thing one might want to sell.

Think about a connected smart-home smoke detector: what if the data about the number of alarm events were to become available for purchase to insurance companies? They would love that, and all those times you make your famous blackened salmon recipe might end up hiking your insurance rates. Theoretical for sure, but the likeliest scenario for your data, more so than hacking.

So once TeslaFi (I use them as they appear to be the most popular but this could be any one of those apps or services) becomes big enough, they will become a very appealing acquisition target. Whoever buys them will not issue a press release that your car’s usage data is getting monetized for advertising or sold to third-parties.
Keeping with the insurance angle: an insurer would probably see value in this data, and knowing how long you drive, what times of day you drive, where you go (work, home, unsafe neighborhoods, bar, liquor store). But they could get much more than that: the Tesla API will return speed, odometer reading, what temperature your passenger likes, which seat warmers are in use regularly (so one could figure out how many people ride in the car), etc.
Is TeslaFi/Stats/<whoever> guaranteeing they only store the data you ask for? And how long do they store it? I would want to know.

Choose your third party apps carefully and use the ones you feel are more reputable. In my opinion, Stats and TeslaFi are reputable (I’m sure there are others in a similar category).
I agree that choosing carefully is crucial, you are absolutely right. We rarely do it. Who here has actually read end-user agreements, and privacy disclosures (I have not, which is why I am extra careful)? I trust Tesla more than TeslaFi/Stats/<whoever> at this point.
 
The logical solution to all of this is for Tesla to enhance the functionality of the official app so that no one needs to use these 3rd party apps. It’s overdue for a major revision as it is.
Actually, Tesla just needs to improve their authentication and authorization implementation. An app ecosystem with a platform API is a great thing. It allows for a lot of innovation. It just needs to be done in a more responsible way. There are standards out there to allow any platform to implement granular controls, and mechanisms to authenticate 3rd party apps in a much more secure way than the current one Tesla has implemented. Google, for example, allows you to connect 3rd party apps to its services and restrict the level of access (although most just take a "give me access to everything" approach).

It's no different than apps on mobile devices. Over time, the platforms have gotten much better at providing visibility to end users about what they are allowing those apps to do and taking away access when abused. Personally, I've turned off notifications on almost every app because they inevitably spam. And location access is almost always a no go.
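To make the distinction in the post above concrete, here is an added example (not code from this thread, from Tesla, or from any app mentioned here) that models a platform which can either accept an account password or issue a scoped, revocable token to a named client. The Platform class, the scope names (read:telemetry, vehicle:honk, vehicle:unlock, account:write), the client id "stats-app" and the token format are all constructed assumptions; what matters is what each kind of credential can do, and what the owner can do about it afterwards.

```python
# Added example: sharing an account password versus delegating a scoped, revocable
# token to a third-party app. Everything here (Platform, scope names, token format)
# is constructed for illustration; it is not Tesla's API nor any named app's code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical permissions; "account:write" lets its holder change the login itself.
ALL_SCOPES = frozenset({"read:telemetry", "vehicle:honk", "vehicle:unlock", "account:write"})

def _hash_pw(password, salt):
    # Simplified: a production service would use argon2/scrypt/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Credential:
    kind: str              # "password" (full session) or "token" (delegated)
    account_email: str
    scopes: frozenset
    client_id: str = ""
    token_id: str = ""

@dataclass
class Platform:
    accounts: dict = field(default_factory=dict)   # email -> (salt, pw_hash)
    tokens: dict = field(default_factory=dict)     # token_id -> Credential
    revoked: set = field(default_factory=set)      # revoked token_ids

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _hash_pw(password, salt))

    def password_login(self, email, password):
        # A password session carries every scope, account:write included.
        rec = self.accounts.get(email)
        if rec is None or not hmac.compare_digest(rec[1], _hash_pw(password, rec[0])):
            return None
        return Credential("password", email, ALL_SCOPES)

    def issue_token(self, owner, client_id, scopes):
        # The owner delegates a subset of scopes to one named client.
        if owner.kind != "password" or not frozenset(scopes) <= ALL_SCOPES:
            raise PermissionError("only the owner may delegate, and only known scopes")
        tid = secrets.token_urlsafe(16)
        self.tokens[tid] = Credential("token", owner.account_email, frozenset(scopes), client_id, tid)
        return self.tokens[tid]

    def revoke_client(self, owner, client_id):
        # The owner cuts one client off without touching the password.
        if owner.kind != "password":
            raise PermissionError("only the owner may revoke")
        ids = [t for t, c in self.tokens.items() if c.client_id == client_id and c.account_email == owner.account_email]
        self.revoked.update(ids)
        return len(ids)

    def authorize(self, cred, scope):
        # Returns (allowed, reason) for one API call that needs `scope`.
        if cred.kind == "token" and cred.token_id in self.revoked:
            return False, "token revoked"
        if scope not in cred.scopes:
            return False, "scope %s not granted" % scope
        return True, "ok"

    def change_login(self, cred, new_email, new_password):
        # Account takeover path: only account:write holders get past the check.
        ok, why = self.authorize(cred, "account:write")
        if not ok:
            return False, why
        del self.accounts[cred.account_email]
        self.register(new_email, new_password)
        return True, "login changed"

def scenario_shared_password():
    # The app logs in with the owner's password: password strength is irrelevant.
    p = Platform()
    owner_pw = secrets.token_urlsafe(32)   # a "strong" password changes nothing here
    p.register("owner@example.com", owner_pw)
    app = p.password_login("owner@example.com", owner_pw)
    unlock_ok, _ = p.authorize(app, "vehicle:unlock")
    changed, _ = p.change_login(app, "intruder@example.com", "whatever")
    locked_out = p.password_login("owner@example.com", owner_pw) is None
    return {"app_can_unlock": unlock_ok, "app_changed_login": changed, "owner_locked_out": locked_out}

def scenario_scoped_token():
    # The app gets a read-only token: no unlock, no takeover, and the owner can revoke it.
    p = Platform()
    owner_pw = secrets.token_urlsafe(32)
    p.register("owner@example.com", owner_pw)
    owner = p.password_login("owner@example.com", owner_pw)
    app = p.issue_token(owner, "stats-app", {"read:telemetry"})
    read_ok, _ = p.authorize(app, "read:telemetry")
    unlock_ok, _ = p.authorize(app, "vehicle:unlock")
    changed, _ = p.change_login(app, "intruder@example.com", "whatever")
    revoked = p.revoke_client(owner, "stats-app")
    read_after, reason = p.authorize(app, "read:telemetry")
    still_in = p.password_login("owner@example.com", owner_pw) is not None
    return {"read_ok": read_ok, "unlock_ok": unlock_ok, "app_changed_login": changed, "tokens_revoked": revoked,
            "read_after_revoke": read_after, "revoke_reason": reason, "owner_still_in": still_in}
```

The first scenario is the thread's warning in code: the app holds the password, so it can unlock the car and rewrite the login, and a 32-byte random password does not change that. The second is the model this post describes: the token only carries read:telemetry, account:write is never granted, and revoking the client needs no password change at all.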
 
I am a big fan of the Stats for Tesla app. After reading this post, I emailed the developer of the Stats for Tesla app, as he has always been very responsive to any questions I have submitted to him. Here is his reply:

"This is addressed in the privacy policy of the app in the AppStore (also here: https://www.maadotaa.com/privacy)
I have no visibility to user email address or password. They are stored (encrypted) only on user's device KeyChain (not even on a server)."

And for your ease of reference, here is a copy and paste of the privacy policy listed above:

Terms & Policy
Collection of User Credentials
User credentials are stored in the app only and are presented only to Tesla in order to obtain an authentication token. Your Tesla credentials are not visible to us or anyone else. Your credentials are stored securely in the iOS KeyChain, which uses Apple's highly secure encryption algorithm.

Collection of Information Related to the Car
The app collects metrics related to your car (e.g., efficiency, miles driven, outside temperature, charging data, etc). The collected data is used for the sole purpose of being used in this app. Your data is not shared or sold to any third-party. Certain graphs in the app compare your stats with other users of the app. For example, the app compares your efficiency with that of others using a histogram. In these cases, your stats are just used to form a histogram and the identity of your car is not used in the graph that is shown to other users. You can choose not to share your data for the purpose of constructing aggregate statistics using a switch in the settings tab of the app.

Protection of Certain Personally-Identifying Information
MaaDoTaa discloses information related to your car only to those of its employees in order to process it and on the Stats app. Our employees are located in the U.S.A. By using Stats app, you consent to the transfer of such information to us. We may examine the data only for debugging purposes. We will not rent or sell potentially personally-identifying and personally-identifying information to any third-party and your information is used only to present data to you (the user) inside the app. Other than to its employees, as described above, MaaDoTaa discloses potentially personally-identifying and personally-identifying information only in response to a subpoena, court order or other governmental request. MaaDoTaa takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.

Disclaimer

The materials on Teslastics' website are provided on an 'as is' basis. Stats app makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights.

Further, Stats app does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials presented in the Stats app or otherwise relating to such materials.

Limitations

In no event shall Stats app be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials in Stats app, even if Stats app developer has been notified orally or in writing of the possibility of such damage.

Accuracy of materials

The materials appearing on Stats app could include technical, typographical, or photographic errors. Stats app does not warrant that any of the materials on its app are accurate, complete or current. Stats app may make changes to the materials contained on the app at any time without notice. However Stats app does not make any commitment to update the materials.

Modifications

Stats app may revise these terms of service for its website at any time without notice. By using Stats app you are agreeing to be bound by the then current version of these terms of service.
 
I am a big fan of the Stats for Tesla app. After reading this post, I emailed the developer of the Stats for Tesla app, as he has always been very responsive to any questions I have submitted to him. Here is his reply:

"This is addressed in the privacy policy of the app in the AppStore (also here: https://www.maadotaa.com/privacy)
I have no visibility to user email address or password. They are stored (encrypted) only on user's device KeyChain (not even on a server)."
Good info.
Here's a clause all Stats for Tesla app users should read:

"Limitations
In no event shall Stats app be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials in Stats app, even if Stats app developer has been notified orally or in writing of the possibility of such damage."
 
Good info.
Here's a clause all Stats for Tesla app users should read:

"Limitations
In no event shall Stats app be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials in Stats app, even if Stats app developer has been notified orally or in writing of the possibility of such damage."

My two cents on that clause is that it's fairly standard. Had I made a similar service, I would have a very similar clause. Among other things, it's saying it's not a critical service and should not be treated as such. If it were a critical business service, it would have service level agreements instead of this exact clause.

It also prevents you from doing something like unlocking and starting the car via Stats (no idea if this is actually possible, I don't have the app) and then blaming Stats for the car being stolen.

Again, I have nothing against any particular service and the ones I named are purely for familiarity, and I do not intend to imply they have any privacy or security concerns.
 
Kinda related to this. When I last had my car in for service, they needed to verify that I couldn't wake it with my app.
The guy at the service center said I had to send them my username and password by SMS, to a customer support number that stores that information in clear text, available to all Tesla employees (at least all Tesla employees that can see my service history).

Needless to say I changed my password after the service appointment.
 
Kinda related to this. When I last had my car in for service, they needed to verify that I couldn't wake it with my app.
The guy at the service center said I had to send them my username and password by SMS, to a customer support number that stores that information in clear text, available to all Tesla employees (at least all Tesla employees that can see my service history).

Needless to say I changed my password after the service appointment.
That’s shocking.

When we took our car in for service last month we were not asked for that information. I wonder what explains the disparate practices?