Introduction
Hello. I'm a software developer and tester. In past occupations, I've used, tested, and partially developed authentication and accounts services for various web-based applications. I am by no means a security expert and you should take my words with a hefty grain of organic fair trade Pacific ocean sea salt.
There are many third-party apps/services that can interact with your Tesla. These offer control and logging for your vehicle that the official Tesla app does not, and can indeed be extremely useful. To name the most popular purely for familiarity, you have "TeslaFi" and "Stats For Tesla" for example.
Read the bolded points if you just want to skim, I know I'm a wordy person and I apologise.
Some Terminology
- App or Service: The thing that has access to or controls your Tesla in some way
- Token: A generated credential that isn't your actual password, but is presented to the API like one
- API: The thing that the App or Service "talks" to in order to get info or interact with your Tesla
Third party apps currently have two methods for you to provide access to your vehicle:
- Basic: You give your email and password to the app
- Advanced: You generate a token using the API, and give that token to the app
In the case of the Basic option, the service will use your credentials to ask the API for a token, and use that token to get info from your car and control it with the API.
The problem with this is that the vast majority of people will go with the Basic option even if presented with both. This is problematic because your password (which you probably use elsewhere, be honest) is being given to a stranger. As a Tesla owner, you're more likely to be a well-off individual with perhaps some smart home functionality, generally technically integrated with many online accounts, have a decent amount of money somewhere, etc. If I'm looking for an easy way to get highly valuable usernames and passwords, this is a fantastic source. You should never give passwords to strangers.
Whether it is the current providers or an eventual acquirer of the company behind the service, it is likely that there are third party Tesla services out there that exist mostly to obtain credentials for nefarious purposes.
Given this, token authentication is much better, if a bit complicated. However, either option gives far too much power to the third-party service.
Tesla's Poor Approach to Authorisation
The tokens used with the API give you full access. Period.
You can read info from the car, and you can fully control the car. Anything you can do via the official app or through these third-party services, you can do with that token. If this token is ever misused or leaked, all this info and control of your car is exposed.
Keep in mind this isn't just control of your car. If you have HomeLink set up, simply by having a token someone can know your car's location (at home) with the API, open the garage with the API, "start" the car with the API, load some items from your now-open home into your car, and drive off with possessions and vehicle.
Additionally, you cannot necessarily revoke tokens unless you are technically inclined to do so and know the token. Resetting your password does not necessarily invalidate previous tokens. Today, it does*. A couple of months ago, it did not. I had tokens that worked for weeks. An interesting side effect of this (or what I believe to be one) is that the app also stayed signed in for just as long, even though I had changed my password.
Tokens being invalidated on password reset is not a documented guarantee of the API from Tesla, and not something we should be relying on occurring in a timely manner for an API they do not explicitly publicly support in the manner we use it.
* Actually, it booted me from the app and invalidated the tokens, but the old password still worked and the new one wouldn't even after waiting some minutes. Had to reset it again, and it finally worked immediately. Tesla's auth seems inconsistent and flaky from where I sit.
Your Data is Valuable
Finally, it's 2019. Every company with a sufficiently large user-base — especially a unique one — will be approached at some point to sell the data about their users in some way.
This could be your charging habits, driving habits, location habits, how much you drive, where you appear to live, where you tend to shop, etc. A lot of information can be gleaned from seemingly limited data. Be careful what you intentionally share, that is all.
But camalaio, I've had no issue with <app/service>!
Sure, of course. They may have all the right intentions.
Or they may not. Perhaps they're selling your data. Perhaps they're just waiting for the day they preheat everyone's cars to MAX HEAT on April 1st as a widespread energy-wasting joke. Perhaps they get acquired by another company with ulterior motives.
Perhaps you just don't know what they're doing with your credentials and info.
And perhaps, despite their best intentions, they leak your login info and anyone can then access your vehicle's info and control it.
What can Tesla do?
Lots.
Tesla can easily take the stance that you should never share your account credentials. They are absolutely correct and probably do mention this in terms of service somewhere (it's common). The API that enables these services to work was not exactly meant to be a public product, though by necessity and simplicity it is indeed publicly accessible.
Tesla could add an app permissioning system in the future that ensures tokens are...
- Restricted in permissions. If a logging-only service like TeslaFi only ever needs to read data from your car and never control it, it would be good to tick a box saying "this is an info token" vs. "this is a control token".
- Restricted in source/client usage. A token for Stats For Tesla should only be usable by Stats For Tesla, for example.
- Revocable. The account holder should be able to disable and remove a token at any time.
All of the above requires Tesla providing the API as a public product that is actively developed and documented for that purpose. It's not insurmountable, but I do understand that it's distracting and comes with a few annoyances in terms of ability to change things rapidly when desired.
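To make the three properties above concrete, here is an added example (my own illustration, not Tesla's API and not code from this post) of a token service that signs tokens with a server-side HMAC key, embeds a scope list and a client id in each token, and keeps a revocation list keyed by a per-token id. The scope names, client names, the `TokenService` class and the `tamper_scope` helper are all invented for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Scopes a permissioning system could offer. Invented for this example.
READ = "read"        # vehicle/charge/drive state, location
CONTROL = "control"  # unlock, remote start, HomeLink, climate


class TokenService:
    """Issues HMAC-signed tokens carrying scope + client id; keeps a revocation list."""

    def __init__(self, server_key: bytes):
        self._key = server_key   # known only to the API server
        self._revoked = set()    # token ids (jti) the owner has disabled

    @staticmethod
    def _b64(raw: bytes) -> bytes:
        return base64.urlsafe_b64encode(raw)

    def issue(self, user: str, client_id: str, scopes: set, ttl_s: int) -> str:
        body = {
            "jti": secrets.token_hex(8),      # unique id, so this one token can be revoked
            "sub": user,
            "cid": client_id,                 # the only client allowed to present it
            "scp": sorted(scopes),
            "exp": int(time.time()) + ttl_s,
        }
        payload = self._b64(json.dumps(body, separators=(",", ":")).encode())
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return (payload + b"." + self._b64(tag)).decode()

    def _parse(self, token: str) -> dict:
        """Return the claims if the signature verifies; raise otherwise."""
        payload, _, tag = token.encode().partition(b".")
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
            raise PermissionError("bad signature")
        return json.loads(base64.urlsafe_b64decode(payload))

    def authorize(self, token: str, presenting_client: str, needed: str) -> bool:
        """Allow only a valid, unexpired, unrevoked token, from its bound client, with the scope."""
        try:
            body = self._parse(token)
        except (PermissionError, ValueError, KeyError):
            return False
        if body["exp"] < time.time() or body["jti"] in self._revoked:
            return False
        return body["cid"] == presenting_client and needed in body["scp"]

    def revoke(self, token: str) -> None:
        """Owner-initiated: disable this one token without touching any other."""
        self._revoked.add(self._parse(token)["jti"])


def tamper_scope(token: str) -> str:
    """Attacker attempt: rewrite the claims to add 'control' but reuse the old signature."""
    payload, _, tag = token.partition(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["scp"] = sorted(set(body["scp"]) | {CONTROL})
    forged = base64.urlsafe_b64encode(json.dumps(body, separators=(",", ":")).encode()).decode()
    return forged + "." + tag


def demo() -> dict:
    svc = TokenService(os.urandom(32))
    owner = "owner@example.com"
    log_tok = svc.issue(owner, "logging-service", {READ}, ttl_s=3600)
    app_tok = svc.issue(owner, "official-app", {READ, CONTROL}, ttl_s=3600)
    stale = svc.issue(owner, "official-app", {READ, CONTROL}, ttl_s=-1)
    checks = {
        "logger_reads": svc.authorize(log_tok, "logging-service", READ),
        "logger_cannot_control": not svc.authorize(log_tok, "logging-service", CONTROL),
        "forged_scope_rejected": not svc.authorize(tamper_scope(log_tok), "logging-service", CONTROL),
        "leaked_token_wrong_client": not svc.authorize(app_tok, "attacker-script", CONTROL),
        "app_controls": svc.authorize(app_tok, "official-app", CONTROL),
        "expired_rejected": not svc.authorize(stale, "official-app", READ),
    }
    svc.revoke(app_tok)
    checks["revoked_rejected"] = not svc.authorize(app_tok, "official-app", READ)
    checks["other_token_unaffected"] = svc.authorize(log_tok, "logging-service", READ)
    return checks
```

The client binding is only as strong as the server's authentication of the presenting client: `presenting_client` must come from a client secret, mTLS certificate or similar that the server has verified, never from a field the caller fills in, or a leaked token is usable from anywhere. Self-contained signed tokens plus a revocation list is one design; opaque random tokens looked up in a database make revocation trivial at the cost of a lookup on every call.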
What can I do?
Just don't use the services. They're a very large risk at the moment given the way permissions currently work (always all) and the level of control owners have over distributed tokens (none).
Giving out your password is also just not great. If you must use one of these services or you think it's worth the high risk, use a password that you don't use anywhere else. Any single leak of your password could expose more than just that account. This doesn't prevent others from being able to control your car if a token is leaked, but the token should eventually expire.
Additionally, if you are technically inclined, you may write your own scripts. The API is very easy to interact with, especially if you model it with a Python package like e2e.api (oof, shameless plug). Heck, maybe I'll go make this model tomorrow, I need something to do.
Keep in mind you're in charge of keeping your credentials safe still, but at least they're only in your hands.
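As an added example of keeping the credentials in your own hands (this is my illustration, not code from the post and not e2e.api), the script below performs the "Advanced" step from the terminology section yourself: it trades the password for a token once, on your machine, writes only the token to a file readable by you alone, treats the token as dead shortly before `expires_in` runs out rather than trusting the server to tell you, and revokes it when you are done. The host, paths and response fields follow the community-documented unofficial owner API as I recall it from 2019; treat them as assumptions and check them before use. `FakeOwnerApi` is a constructed stand-in so the demo runs offline.

```python
import json
import os
import stat
import tempfile
import time
import urllib.request
from typing import Callable, Optional

# Assumption: host and paths of the community-documented unofficial owner API (2019).
BASE = "https://owner-api.teslamotors.com"
KEEP = ("access_token", "refresh_token", "expires_in", "created_at")


def http_post(url: str, form: dict, bearer: Optional[str] = None) -> dict:
    """Real transport; the demo below swaps in an offline fake instead."""
    req = urllib.request.Request(url, data=json.dumps(form).encode(),
                                 headers={"Content-Type": "application/json"})
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def obtain_token(email: str, password: str, client_id: str, client_secret: str,
                 post: Callable = http_post) -> dict:
    """The 'Advanced' step: trade the password for a token, once, on your own machine."""
    resp = post(BASE + "/oauth/token", {
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "email": email, "password": password,
    })
    # Keep only what is needed to use and later revoke the token. The password
    # never leaves this function and is never written to disk.
    return {k: resp[k] for k in KEEP}


def save_token(tok: dict, path: str) -> None:
    # Mode 0600 from creation: no window in which another local user could read it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tok, f)


def load_token(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def is_expired(tok: dict, now: Optional[float] = None, skew_s: int = 60) -> bool:
    """Consider the token dead a minute early instead of relying on the server."""
    current = now if now is not None else time.time()
    return tok["created_at"] + tok["expires_in"] - skew_s <= current


def revoke(tok: dict, post: Callable = http_post) -> None:
    """Assumption: /oauth/revoke invalidates the given access token."""
    post(BASE + "/oauth/revoke", {"token": tok["access_token"]})


class FakeOwnerApi:
    """Constructed stand-in for the real API so the example runs offline."""

    def __init__(self, email: str, password: str):
        self._creds = (email, password)
        self.live = set()   # access tokens the fake would honour on /api/1/...

    def post(self, url: str, form: dict, bearer: Optional[str] = None) -> dict:
        if url.endswith("/oauth/token"):
            if (form["email"], form["password"]) != self._creds:
                raise PermissionError("401 unauthorized")
            at = "at-" + os.urandom(8).hex()
            self.live.add(at)
            return {"access_token": at, "token_type": "bearer", "expires_in": 3888000,
                    "refresh_token": "rt-" + os.urandom(8).hex(), "created_at": int(time.time())}
        if url.endswith("/oauth/revoke"):
            self.live.discard(form["token"])
            return {}
        raise ValueError("unexpected call: " + url)


def demo() -> dict:
    api = FakeOwnerApi("owner@example.com", "correct horse battery staple")
    path = os.path.join(tempfile.mkdtemp(), "tesla_token.json")
    tok = obtain_token("owner@example.com", "correct horse battery staple",
                       "client-id", "client-secret", post=api.post)
    save_token(tok, path)
    stored = load_token(path)
    with open(path) as f:
        on_disk = f.read()
    out = {
        "password_not_on_disk": "correct horse" not in on_disk and "password" not in on_disk,
        "owner_only_perms": os.name != "posix" or stat.S_IMODE(os.stat(path).st_mode) == 0o600,
        "usable_now": stored["access_token"] in api.live and not is_expired(stored),
        "dead_after_expiry": is_expired(stored, now=stored["created_at"] + stored["expires_in"]),
    }
    revoke(stored, post=api.post)
    out["revoked_unusable"] = stored["access_token"] not in api.live
    os.remove(path)
    os.rmdir(os.path.dirname(path))
    return out
```

Read the password with `getpass` rather than a command-line argument so it does not land in your shell history, and note that the file this writes is still a full-access token: anyone who can read it can do everything the official app can, so the `revoke` call at the end is not optional housekeeping.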
Additionally, if you're using a service just for data logging, try good ol' pen and paper. It's low tech and data sampling is relatively coarse, but who doesn't like charting some data in Excel... right? Other people like doing that right?
End of PSA.