TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker or making a Paypal contribution here: paypal.me/SupportTMC

Security flaw in Summon implementation?

Discussion in 'Model S' started by gordo, Jan 22, 2016.

  1. gordo

    gordo Member

    Joined:
    Jan 16, 2015
    Messages:
    213
    Location:
    CA
    I noticed tonight that as my wife took the car out of the garage and I had the Tesla app open on my phone several rooms away, that the "Summon" button appeared, even though I was clearly well out of visible range of the car. That led me to start thinking about what it is exactly that allows Summon to become available as an option in the mobile app. I quickly came to the hypothesis that perhaps the Summon option becomes available if *either of an owner's FOBs is near the car and your phone app happens to be active (i.e. perhaps there's no GPS check on the phone side). That got me to thinking that if someone was able to access just my Tesla credentials, it's conceivable that they could initiate Summon by remotely polling for it from the REST API and then moving the car remotely as I get in range with my FOB.

    Admittedly, to make this exploit work, it would still require someone to obtain my login credentials, and theoretically, the car should still do a fairly good job of not crashing into anything while summoning, but if true, this simple trick is possibly the first instance where an attacker could remotely move a Tesla without previously having had physical access (unlike those BlackHat exploits from a while back).

    Also, I got to thinking that if I'm wrong about the lack of a GPS phone location requirement, it really shouldn't hinder the exploit as there are numerous apps that will spoof GPS location for Android as well as jailbroken iOS.

    It seems the only way to close this theoretical hole for now (if anyone happens to care) is to turn off Summon. Inevitably, if Tesla felt it was significant enough to close themselves, I suspect that Summon functionality would simply have to be removed from the mobile apps (i.e. the REST API) and relegated strictly to FOBs. :frown:
     
  2. LetsGoFast

    LetsGoFast Active Member

    Joined:
    Oct 13, 2014
    Messages:
    1,342
    Location:
    Virginia
    If they have your login credentials, they can unlock the car, get in, start it and drive it away.
     
  3. AMPd

    AMPd Active Member

    Joined:
    Nov 27, 2012
    Messages:
    1,542
    Location:
    Northern California
    I did exactly this when I could not find my fob, spent the whole day running errands using the phone to unlock and start the car

    Edit: Little tip, if you don't need the door closed, don't close it! it'll automatically lock and you'll have to use the app again.
     
  4. Soolim

    Soolim Member

    Joined:
    Jun 11, 2015
    Messages:
    849
    Location:
    Vancouver, BC, Canada
    So if I lost my phone, and if the thief get pass the phone log-in, using the app he/she could locate my car, get to the car, and drive away. :scared:

    Should Tesla not implement some simple limitation, such as allowing driving with phone app only for a limited km or limited hours, and thereafter the fob needs to be used to reset the limit?
     
  5. cytranic

    cytranic Member

    Joined:
    Aug 14, 2015
    Messages:
    74
    Location:
    FL
    When you try to start the car, the phone asks for the password again even though its saved on the original opening.

    If the theif has your password, well then...
     
  6. wk057

    wk057 Senior Tinkerer

    Joined:
    Feb 23, 2014
    Messages:
    4,714
    Location:
    Hickory, NC, USA
    Basically anyone with your Tesla app login info, no matter how they get it, can locate your car, open it, and drive away, if you have mobile access enabled. They can even disable valet mode, disable mobile access, etc once they're in the car.

    So never give your login and password to anyone. No third party websites or software/apps. Don't keep it written down. Make sure it's at least a moderately strong password, too. Keep an eye out for phishing attempts, since no one legitimate will ever ask for this password. Etc etc etc.

    Most people don't realize that those credentials are literally like a copy of the keys to your car.
     
  7. AMPd

    AMPd Active Member

    Joined:
    Nov 27, 2012
    Messages:
    1,542
    Location:
    Northern California
    Correct, but it's no different than online banking, if someone has your log in, they can empty your account.
    I'm not worried about anyone stealing my car
     
  8. LetsGoFast

    LetsGoFast Active Member

    Joined:
    Oct 13, 2014
    Messages:
    1,342
    Location:
    Virginia
    Also, just because the summon button appeared on your phone doesn't mean you could have activated summon. Lots of other conditions must be met too.
     
  9. luvnMyTS

    luvnMyTS Member

    Joined:
    Jan 6, 2015
    Messages:
    237
    Location:
    Los Angeles, CA
    Phone app requires a PIN be entered that is not the same as your password. Similar to an ATM pin. So, if you lose your phone and have your password saved in your app, yes, someone could unlock the doors and use all the controls the app allows, however if they want to drive it, they would have to know your PIN, which cannot be saved into the phone.
     
  10. bridaus

    bridaus Member

    Joined:
    Jan 4, 2016
    Messages:
    37
    Location:
    United States
    PIN, password, fob, what's the difference? All of them can be stolen. Live life, let actuaries worry about theft.
     
  11. Caligula

    Caligula Member

    Joined:
    Oct 14, 2015
    Messages:
    600
    Location:
    San Diego
    My father in law lost his keys once a local sports event. Someone apparently found them and walked around the parking lot until they found the car that flashed its lights and beeped when they spammed the "lock" button on the key fob (were aasuming). They later found his car (sans stereo) a few miles away the next day. Keys still in the ignition.

    Just saying.
     
  12. LetsGoFast

    LetsGoFast Active Member

    Joined:
    Oct 13, 2014
    Messages:
    1,342
    Location:
    Virginia
    There is at least one phone app that can start your car without a PIN.
     
  13. bonnie

    bonnie Oil is for sissies.

    Joined:
    Feb 6, 2011
    Messages:
    14,241
    Location:
    Columbia River Gorge
    Yep. But tons of people on this forum alone have handed off their credentials just to access third-party apps. I don't get it.

    Don't give out your password. Period. Best security tip ever.
     
  14. green1

    green1 Active Member

    Joined:
    Mar 25, 2014
    Messages:
    4,105
    Location:
    Calgary, Alberta, Canada
    So what you're saying is that if someone manages to steal both your fob, AND your login credentials, they can steal your car.
    Never mind the fact that for a very long time now they've been able to steal your car with either over of those and not need both.

    Summon via the app is MORE secure than keyless driving,
     

Share This Page