While waiting for my MY to arrive, I went through this article. Trying to give a heads up to anybody using third party apps. Be aware.
Here is the link: Hacker, 19, takes control of more than 20 Teslas through software flaw
...head up...
My wife sent this to me, I have no idea if or how much of it is valid. Bigger brains would know.
He hacked third party apps. You need to understand the technology at play and people giving out their account/password to third party apps. The 3rd party app has access to the car because the owners gave it to them. Well, it says the kid hacked into 15 or so Tesla cars... lock and unlock doors, view the cameras... these things happen I guess.
The article said:...third party apps only...
They are not saying because the software isn't patched yet. Knowing which could lead plenty of bad-intentioned hackers to abuse the hole before it's patched. Software security very often works that way: a fix is posted before the vulnerability is put out publicly. The public announcement is so people upgrade their software.
I haven't seen mention of Teslamate in the article, but it would be reassuring if it were, since there are not too many users.
As far as I can see based on the information on the Internet, Tesla's API tokens do not have differentiation between read-only and full-control permissions. A token can allow someone to do everything the API offers with the car. If a user's intention of using 3rd party apps is to collect statistics (like the vast majority of Teslamate users), there is absolutely no need to allow those apps to control the car.
Tesla can be partly responsible in this case for not having finer grained access control on API tokens.
The default docker installation of Teslamate is hopelessly insecure, even after they disable anonymous login to Grafana. The Postgres DB password is written in clear text in the docker-compose.yml file. The default login to Grafana is well known and I suspect that users seeking the convenience of the docker installation method would not bother to change the default password. So your only defence against hacking is the assumption that your local network will never have malicious users.^^
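As an added illustration (not from the thread or the TeslaMate project), the weak compose pattern the post describes is shown beside a hardened fragment: credentials moved out of the file, anonymous Grafana access off, and ports bound to loopback. The `teslamate` service and its `DATABASE_*` variable names are assumed to mirror the project's published compose file; `POSTGRES_PASSWORD` and the `GF_*` settings are the postgres and Grafana images' own configuration knobs. The two YAML documents are separated by `---` only so both fit in one block.

```yaml
# Added example, not the project's own file. The teslamate service and its
# DATABASE_* variables are assumed to match the published docker-compose.yml.
#
# Document 1: the weak pattern from the post, credentials inline in the file.
services:
  database:
    image: postgres
    environment:
      POSTGRES_PASSWORD: password        # guessable and in clear text in a tracked file
  grafana:
    image: grafana/grafana
    environment:
      GF_AUTH_ANONYMOUS_ENABLED: "true"  # anyone on the LAN can read every dashboard
      # admin credentials left at the image default
---
# Document 2: hardened. Values come from an untracked .env beside this file
# (chmod 600, listed in .gitignore), substituted by compose at start-up.
services:
  database:
    image: postgres
    environment:
      POSTGRES_PASSWORD: ${DATABASE_PASS}  # generated once, never the word "password"
    # no "ports:" entry: reachable only from the other containers
  teslamate:
    image: teslamate/teslamate
    environment:
      DATABASE_USER: ${DATABASE_USER}
      DATABASE_PASS: ${DATABASE_PASS}
      DATABASE_HOST: database
    ports:
      - "127.0.0.1:4000:4000"            # loopback only; front with an authenticating proxy
  grafana:
    image: teslamate/grafana
    environment:
      GF_AUTH_ANONYMOUS_ENABLED: "false"
      GF_SECURITY_ADMIN_USER: ${GRAFANA_USER}
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PW}  # replaces the well-known default
    ports:
      - "127.0.0.1:3000:3000"
```

The `.env` file is still plaintext on disk, so this removes the default and shared values and keeps them out of version control rather than encrypting them; the binding to 127.0.0.1 is what stops a neighbour on the LAN from reaching Grafana or the web UI directly.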
WTF, why is there even an anonymous login option??