
Remote S: Tesla app for Apple Watch, iPhone, iPad, and iPod Touch

Status
Not open for further replies.
Let's say somebody hacked a website like VisibleTesla, TeslaLog etc and stole a bunch of Tesla passwords.

VisibleTesla does not store passwords on their website. The website is only there to facilitate downloading of the program. Each computer that runs VisibleTesla keeps track of its own username and password, similarly to how the Tesla or Remote S apps do.
 
I recommend watching what Elon said in this video from 16:32 to 17:09
GTC 2015: NVIDIA CEO Jen-Hsun Huang Interviews Tesla Motors CEO Elon Musk (part 9) - YouTube


He talks about mass hacking without having direct access to a car. To me it looks like Tesla's implementation of summon without key fob was carefully considered. With Tesla's app you can summon the car without the key fob but only if the phone and the car are in the same GPS location. This way somebody can't do a mass hacking from another country. Allen said he removed this requirement. Therefore Remote S seems a high risk app. Let's say somebody hacked a website like VisibleTesla, TeslaLog etc and stole a bunch of Tesla passwords. The first thing they would do is summon the cars using Remote S. I have a feeling that we will hear more about this issue in the future but not in a good way.
They don't need Remote S to Summon the car without being near the car. It doesn't take a hacker to figure out how to issue a simple API call. VisibleTesla is not a website that stores passwords. It's stored in your local computer. Nor does Remote S store any passwords remotely. And finally if TeslaLog or Evmote or any other website is doing things correctly, they would not be storing passwords. They would be storing only access tokens. And without the password, a hacker cannot use Summon without the keyfob near the car nor start the car. Having said that, it's probably not a safe idea to hand over your password to some third party website anyway, because you don't know how secure they are nor if they hold onto your password or not. But that risk lies on the website and not my app. My app doesn't facilitate a hacker stealing your Tesla password.
 
1 in 10,000 is very low risk but if you have thousands of users it isn't so low anymore. I think Allen's app has a few thousand users. It only takes one instance for this to end up badly. I think people worry because nobody wants to read a news story about a Tesla causing an accident while nobody was in the car.


◘ A 13 year old kid playing with the phone, while he assumes summon doesn't work anyway (the car is out of sight)
◘ A family member playing a prank and making an incorrect assumption about the car's exact location (the car is out of sight)
◘ At work parking the car somewhere slightly different than where you normally park and then forgetting about it (the car is out of sight)
◘ Entering your Tesla password on a website, that website getting hacked and some weirdo using summon just for fun

The worst case would be the car moving from a parking space to a road and getting hit on the side at high speed. Another bad scenario is the car falling off a cliff.

The fear of a news story is valid. I'm not discounting your concerns, but trying to understand them.

For example, in your example, how did the 13 year old know your Tesla password, your iPhone PIN, and in most Remote S implementations, get your fingerprint? Versus just grabbing your Ford/Toyota/GM/Honda keyfob?

The cliff example is reasonable but you're talking about someone parking within 30 of a cliff that has no guardrails. I'm not sure how GPS specifically prevents it. I guess if they forgot they were next to a cliff? And what direction they were facing?

And have you used Summon and seen how slowly it goes? I have young children with Little Tikes cars that can jet into a street faster. Those battery powered two seaters for children go faster. Yes, a horribly misused Summon might make the Tesla sloooowly block a road, but it's not going to be T-boned at high speed.

I've played with the Tesla REST API. As Allen noted, Summoning the car requires the password and/keyfob. The API itself doesn't check for GPS location.

Maybe the solution isn't removing the feature but, if you Summon with a Keyless Start, it adds an additional dialog box: "Note: You have initiated Summon with Keyless Start. Always ensure you have a clear view of your vehicle. Are you in visible range of your car?"

Hah. Or, have the lights flash a random number of times and then ask: "To confirm you can see the car, how many times did the headlight flash?"
 
Can someone explain how to use camper mode via app? Is it simply doing the remote start or turning on climate control? Also how to do summon, I do not see any icon or button for that? Thanks

Press that circle with a car in it (inside of my red circle). It brings up a menu which include Summon commands.

 
Everyone goes straight to imagining the worst hypothetical situation. How about we imagine a thief tries to steal your car and you use a remote app to lock him inside and summon the car to the local police department.

My purpose for looking at the worst hypothetical situation was to minimize the risk for Allen. With those worst situations come possible costs. If one of Allen's users were to somehow do what you suggest above (though of course it isn't really possible yet) they wouldn't be giving Allen a reward. So for Allen there is only downside from the bad hypothetical situations, and no upside from the good ones. The upside comes from increased sales and customers who are happier with the product.
 
Allen, I had a VERY scary experience with your app just now. My car was parked halfway out of my garage and I needed it further out in the driveway. I activated your Summon reverse and it drove FORWARD. Please check this. I was standing in front of the car and it was pushing against me. I couldn't stop it. The sensors were detecting me enough to stop the car, but when I moved away from the bumper it kept creeping forward. Why wouldn't it stop and put itself in Park? I also tried Summon Stop but that ALSO made the car go forward.

I later put the car in the street and did the Summon Reverse command and can confirm that it does go forward, not reverse. This scared the sh*t out of me and my husband. Please look into this immediately. This was enough to keep me from using your Summon feature until you find out what's going on.
 
Allen, I had a VERY scary experience with your app just now. My car was parked halfway out of my garage and I needed it further out in the driveway. I activated your Summon reverse and it drove FORWARD. Please check this. I was standing in front of the car and it was pushing against me. I couldn't stop it. The sensors were detecting me enough to stop the car, but when I moved away from the bumper it kept creeping forward. Why wouldn't it stop and put itself in Park? I also tried Summon Stop but that ALSO made the car go forward.

I later put the car in the street and did the Summon Reverse command and can confirm that it does go forward, not reverse. This scared the sh*t out of me and my husband. Please look into this immediately. This was enough to keep me from using your Summon feature until you find out what's going on.
Does the same thing happen going the wrong way if you use Summon with your FOB?
 
Can someone explain how to use camper mode via app? Is it simply doing the remote start or turning on climate control? Also how to do summon, I do not see any icon or button for that? Thanks

Camp Mode is accessed by pressing the Remote S logo on the top-middle. And then scrolling down to the Camp Mode button and pressing it. You have to keep the app open and screen on to keep Camp Mode working or else the app shuts off and cannot restart Climate Control every 30 minutes. I don't recommend using Summon via the iPhone app until you get the app update tomorrow. There's a bug where Summon only wants to go forward and not backwards.

My purpose for looking at the worst hypothetical situation was to minimize the risk for Allen. With those worst situations come possible costs. If one of Allen's users were to somehow do what you suggest above (though of course it isn't really possible yet) they wouldn't be giving Allen a reward. So for Allen there is only downside from the bad hypothetical situations, and no upside from the good ones. The upside comes from increased sales and customers who are happier with the product.

I'll consider removing Summon from my app if I notice that it causes damage or harm to anything or anyone. I'll keep monitoring the news for such cases.

I later put the car in the street and did the Summon Reverse command and can confirm that it does go forward, not reverse.

This should be fixed in the next update, which should be out tomorrow. I'm trying to get Apple to approve the update as quickly as possible.
 
Does the same thing happen going the wrong way if you use Summon with your FOB?
No. Summon with the fob or Tesla app works perfectly and stops at the sign of obstruction, shutting down and locking. Not sure what the deal is here. Maybe others can try to see what I'm seeing - in a safe situation. In my case, if I moved out of the way it would have inched forward until it hit my workbench. I couldn't believe it was pushing against my legs. And my legs were right in front of one of the sensors. As soon as I moved it started pushing more.
 
No. Summon with the fob or Tesla app works perfectly and stops at the sign of obstruction, shutting down and locking. Not sure what the deal is here. Maybe others can try to see what I'm seeing - in a safe situation. In my case, if I moved out of the way it would have inched forward until it hit my workbench. I couldn't believe it was pushing against my legs. And my legs were right in front of one of the sensors. As soon as I moved it started pushing more.
Look at Allen's post just before this one of yours. He says there is a bug with Summon only going forward as you found. Fix coming tomorrow.
 
My purpose for looking at the worst hypothetical situation was to minimize the risk for Allen. With those worst situations come possible costs. If one of Allen's users were to somehow do what you suggest above (though of course it isn't really possible yet) they wouldn't be giving Allen a reward. So for Allen there is only downside from the bad hypothetical situations, and no upside from the good ones. The upside comes from increased sales and customers who are happier with the product.

Fair enough. Seems like your heart is in the right place. So many people just go straight to freaking out about hackers for no good reason other than it gets a big reaction from people. The press is horrible for this.
 
Glad to see you're working on it, Allen. I wish I had known before activating it today. It shook my confidence a little. If you see something like this in the future please send out a bulletin. This could have damaged the car, or me. I'm glad neither happened. Looking forward to the update! All is good!
 
Fair enough. Seems like your heart is in the right place. So many people just go straight to freaking out about hackers for no good reason other than it gets a big reaction from people. The press is horrible for this.

Thanks for acknowledging this!

I am all for most of the hacking you and others have done to help us all get more out of our cars. I use VT, TeslaLog, etc, and am very appreciative of the work done by those capable of doing it.

As an example with respect to this release of Remote S, I think the functionality to allow people to use Homelink when the car is plugged in is an excellent "hack" that provides functionality over and above what the Tesla app provides. I'm a huge fan of stuff like that!
 
Thanks for acknowledging this!

I am all for most of the hacking you and others have done to help us all get more out of our cars. I use VT, TeslaLog, etc, and am very appreciative of the work done by those capable of doing it.

As an example with respect to this release of Remote S, I think the functionality to allow people to use Homelink when the car is plugged in is an excellent "hack" that provides functionality over and above what the Tesla app provides. I'm a huge fan of stuff like that!
Like I said before, I appreciate you looking out for me. You've been supportive since the beginning, so I know where you're coming from. You're giving me too much credit for the functionality, though. It's less of a hack, and more like Tesla dropped the ball on that one lol. I don't see why they had to hide the HomeLink button under Summon when HomeLink is such a useful feature without needing to meet all the strict conditions of Summon. The fact that the API still allows HomeLink to work even if the car is plugged in means that Tesla intended for the HomeLink button to still work. Another case is if you stay in the Summon screen on the official app and then plug your car in, the Summon forward and reverse buttons disappear, but the HomeLink button is still available. And you can still use the HomeLink button if the car is plugged in. But if you back out of that screen, there's no way to get back to that HomeLink button, because the Summon button to get to that Summon screen disappeared. So I think Tesla intended for you to be able to use HomeLink without meeting all of the Summon conditions, but they screwed up.
 
While legal risk is a real thing and something that Allen is already facing and suffering from with the patent trolls, and many have chimed in about their concerns or reassurances, I think we can now assume that Allen is fully aware of the potential risk. He's a very intelligent, successful developer, who is very engaged with his users. No one wants to see him suffer or have any person or property damaged from any problem from summon or other features, whether they are due to Tesla's products, network issues, Remote S or any other factor.

I trust Allen has taken all of this into account and has made his own informed decision as to how to proceed (including removing/adding/modifying features in the future as experience evolves).

I propose we move beyond the legal concerns at this point and focus on the app functionality and bugs.

On that note I'm still noticing an intermittent but immediate crash out of the app on launch even with the current version.

Thanks again Allen for your work! We all wish you the best.
 
While legal risk is a real thing and something that Allen is already facing and suffering from with the patent trolls, and many have chimed in about their concerns or reassurances, I think we can now assume that Allen is fully aware of the potential risk. He's a very intelligent, successful developer, who is very engaged with his users. No one wants to see him suffer or have any person or property damaged from any problem from summon or other features, whether they are due to Tesla's products, network issues, Remote S or any other factor.

I trust Allen has taken all of this into account and has made his own informed decision as to how to proceed (including removing/adding/modifying features in the future as experience evolves).

I propose we move beyond the legal concerns at this point and focus on the app functionality and bugs.

Agreed.

Once Allen had thanked me and acknowledged he'd be considering my suggestion, I stopped addressing anything towards Allen. The posts I made related to the topic today (and even some yesterday) were directed towards others, and were merely explaining where I was coming from. I knew by that point that I had made my point with Allen, and reached the same conclusion that you have--that he will make the decision that is best for him.
 
It's on my TODO list. It was a bug introduced by iOS 9, because I don't remember it doing that prior to iOS 9. I have a general idea of what's causing it, so I should be able to come up with a solution. When I find a fix, I'll update the app again.
Out of curiosity - where does 3D touch support fall on your TODO list? Can we expect that in the next couple of weeks? There's another pretty basic app out there now with that functionality, so I can't imagine it would be too difficult to support. I've been holding off buying that app hoping that it comes to yours soon. Thanks!
 