Welcome to Tesla Motors Club
I watched this video (and I don't normally watch videos online from people who post here that say "look at my video").

To summarize what I saw:

1. The "compromised" state was brought about by phishing the user's credentials to generate a token.
2. Once credentials are stolen from the user, the person stealing the credentials can do everything that the user could do with those credentials, including unlocking the car, etc.
3. How to prevent: Use strong passwords / don't share passwords

Bonus: An advertisement for penetration testing from your company in the middle of the video.

Did I miss anything?

EDIT: One thing that is important to consider is that all the people who use Tesla credentials "somewhere else" like TeslaFi, stats, etc. all increase their risk of something like this, because those services could be compromised as well.

This was covered very well by one of our posters (@camalaio) in the following thread, which also goes into some detail around this topic (but in text form instead of watching a video).

PSA: Don't use third-party apps and services, period.
 
The video (and the forum post itself) is nothing more than a thinly veiled attempt to hide the fact that its primary reason for existence is to pimp the promotion in the video for the author’s penetration testing company.

There is zero new information provided in the video, and pretty much every owner is already aware of everything stated in the video.

The lengths that people will go to to skirt forum rules about advertising products and services are really amazing.

Good thing I’m not a mod here. OP would be permanently banned.
 
As you mention, they did a good job of skirting the rules. The video isn't straight advertising, even if the information is pretty much "once you have a token you can do what the owner can do". It doesn't fall in the realm of breaking the forum rules for advertising, even though, at least in my opinion, it's fairly clear that is what was actually happening.

So, we left it here, but I summarized the video for anyone who might have been confused with the clickbaity type thread title.

Happy medium there, I guess.
 
If I use the Tesla app to unlock/start my car, the pin-to-drive is disabled?? I thought that was the entire reason for that feature.

The reason for pin-to-drive is that if they get access to your car, they cannot drive away. For example, via a relay attack.

Remote start always needs to have either a fingerprint or password as authentication. When your phone gets stolen and you do not have a password on it, thieves still cannot "start" the car unless they know the Tesla account password or chop off your finger for its biometrics :)