Is this real? If so, I'm nervous about my purchase. Obviously, there is a series of events that needs to occur. I don't think I would ever download an unknown app for a free burger, but I might unknowingly download something as hackers continue to get more savvy at getting us to click on stuff. Anyone know if this issue has been addressed by TM? Sorry if this has already been addressed, I can't search this site to find any previous threads about it.
https://youtube/5jQAX4540hA
It's real, and out of Tesla's control. Notice that they needed four things, though:
First, they needed a compromised app installed on the phone. I'm pretty sure that the reviews Apple and Google do would keep such an app out of the app stores.
Second, they needed to find and exploit a hole in the phone's operating system so the compromised app can read data from other apps.
Third, they needed the phone to be operating on a compromised Wi-Fi network, so the compromised app could send the data.
Fourth, they needed the user to actually enter the username and password to Tesla, instead of using the token the user got in some prior session like most of us do most days.
There's not much you can do about gaps in the OS except install updates promptly when offered, but the rest are entirely avoidable - don't install random apps outside the secure structure, don't send any data from unknown Wi-Fi, and if you're on unfamiliar Wi-Fi, don't log in to anywhere secure, including the phone app.
Even though the exploit shown doesn't involve any bugs on Tesla's side, there are a few things Tesla could do to make it more secure - the granular permissions someone mentioned above, two-factor identification of the device making the request, or even requiring biometric verification for some of the actions, since I think nearly all current-generation phones have a fingerprint reader. (Any or all of these could be made into options selected by an authenticated user or hard requirements.)