Tesla Telemetry Project

[avirtuos]

Hello All,

I'm relatively new to TMC though I've been following Tesla for several years and recently placed an order for a Model X 100D (eta Dec). Like many of the people who post (or lurk) here, I have to wait a couple months for delivery. To pass the time a bit more quickly I'm taken on a bit of a project and wanted to get some feedback before spend a non-trivial amount of time and finding that its not actually useful to anyone but me.

I've seen Teslafi, Tesla Log, and Teslab and while they offer some pretty sweet features, I'm hesitant to give my credentials or API token to these sites. With that kind of access they could cause some serious damage to your car if a disgruntled employee or bug trips at the wrong time. I hope this never happens but as a Software Engineer, I just can't bring myself to trust them and all their employees. So I started designing an alternative Telemetry logger for the Tesla API that will be open source (so can can see exactly what it is doing) and runs on equipment you own (your personal computer or a free-tier Amazon Web Service Account). I've only recently started adding information about the project to the github page GitHub - avirtuos/teslog: A self-contained telemetry tracker for Tesla vehicles that doesn't require handing over your credentials to a 3rd party! (github provides free source code hosting for opensource projects).

I'd love to hear from all you passionate owners (and soon to be owners or enthusiasts) what features you'd value most in such a tool...and if giving your credentials (and money!) to a third party is also blocking you from harvesting all the cool data your car has to offer.

 

[Xtek]

I applaud your efforts for doing this. I have my own version of Teslafi I now use for my personal use.

While this cool keep in mind these credentials are still being stored even if you have control over them. Setting things up in AWS can be complicated with Security Groups. It is very easy to mess up and you may wind up putting yourself at bigger risk. Keeping credentials encrypted while in flight as well as at rest will be critical.

My concern is that people who aren't familiar with security protocols for data handling standards may put themselves at bigger risk than using something like Teslafi.

You could reduce the risk by having the app that pulls data run locally on someone's computer or on an app and use OS-specific vaults (Keychain for example) for storing secrets to store the OAuth token. Then use HTTPS with Certificate key pairs to ensure traffic can't be man-in-the-middled. That way the token is properly handled and if your AWS resources aren't secure the worst case is they get access to the data stored there but not the token to control your car.

 

[avirtuos]

I applaud your efforts for doing this. I have my own version of Teslafi I now use for my personal use.

While this cool keep in mind these credentials are still being stored even if you have control over them. Setting things up in AWS can be complicated with Security Groups. It is very easy to mess up and you may wind up putting yourself at bigger risk. Keeping credentials encrypted while in flight as well as at rest will be critical.

My concern is that people who aren't familiar with security protocols for data handling standards may put themselves at bigger risk than using something like Teslafi.

You could reduce the risk by having the app that pulls data run locally on someone's computer or on an app and use OS-specific vaults (Keychain for example) for storing secrets to store the OAuth token. Then use HTTPS with Certificate key pairs to ensure traffic can't be man-in-the-middled. That way the token is properly handled and if your AWS resources aren't secure the worst case is they get access to the data stored there but not the token to control your car.

All great points, and things I am planning to handle. The setup needs to be turn key to avoid people compromising things. As for your points about security groups... That's what cloud formation templates are for .

 

[dailo]

Cool idea, I thought about creating a project to do something similar but just put together a quick script instead. One thing you could consider is using influxdb to store the data and using something like Grafana/Kibana to graph some of the data out.

 

[Xtek]

+1 for Influx/Kibana. Influx is a TSDB which would be prefect for this.

 

[Xtek]

All great points, and things I am planning to handle. The setup needs to be turn key to avoid people compromising things. As for your points about security groups... That's what cloud formation templates are for .

Glad to hear it! I think a big "don't do this if you don't know what a security group of CIDR is" disclaimer would be appropraite.

 

[verygreen]

Given how limited external API is and how rich internal API is, I'd wish some of the usual suspects would publish their logging network implementation or somebody would create a new one (complete with tesla mothership impersonation for those times when you need it, sorry, I don't wantto plug into other people's networks because who knows what security practices do they have or who else is on those networks).

Then all the root users could save a bunch of time reinventing the wheel and concentrate on something more fruitful.

 

[Bet TSLA]

...as a Software Engineer, I just can't bring myself to trust them and all their employees.

...and if giving your credentials (and money!) to a third party is also blocking you from harvesting all the cool data your car has to offer.

Yeah, me too. I can't trust these sites not to get hacked either -- they're obvious repositories of access to their client's vehicles. I'm not sure I would trust my own server either, as keeping up with security patches to all the relevant components is a ridiculously complex task. I'm left with trusting Tesla, because their interests are so obviously aligned with my own.

 

[verygreen]

I'm left with trusting Tesla, because their interests are so obviously aligned with my own.

Who are you kidding?
You are left with trusting Tesla because there's just no other choice.

 

[Bet TSLA]

Who are you kidding?
You are left with trusting Tesla because there's just no other choice.

I don't know how you make decisions, but I didn't buy the car until I decided I could trust Tesla because if they screw up the security they are basically out of business. We're not dealing with Equifax here. So no, I meant what I said, not what you said.

 

[verygreen]

I don't know how you make decisions, but I didn't buy the car until I decided I could trust Tesla because if they screw up the security they are basically out of business. We're not dealing with Equifax here. So no, I meant what I said, not what you said.

While obviously you do trust Tesla, it's not like there's any choice magically, though, is there?

And while Tesla probably does not have music major as their head security guy, don't idealize them either. They screwed up security multiple times in the past and while they got better to some degree, I don't see any signs of good security culture (yet? who knows).

So far all their mistakes (not just in security) seem to be faling by wayside, though, as in, they did not go out of business.

 

[Bet TSLA]

While obviously you do trust Tesla, it's not like there's any choice magically, though, is there?

Obviously, everybody who drives a Tesla must implicitly trust Tesla. More than any other manufacturer of vehicles, Tesla can screw up the lives of its owners. The choice, clearly, is whether to own a Tesla or not. I made that choice consciously, but I doubt most people do.

Do you have a point here? If you want to describe how and why you make decisions I might believe you. If you want to tell me how I make decisions, you are way out of line.

 

[verygreen]

Obviously, everybody who drives a Tesla must implicitly trust Tesla. More than any other manufacturer of vehicles, Tesla can screw up the lives of its owners. The choice, clearly, is whether to own a Tesla or not. I made that choice consciously, but I doubt most people do.

Do you have a point here? If you want to describe how and why you make decisions I might believe you. If you want to tell me how I make decisions, you are way out of line.

I guess I was just nitpicking.

Personally I don't trust too much in Tesla, but I was interested in the car so I did not have much choice (I did actually ask them about data collected and stored and even spoke to their lawyer about it. Sadly was not told too much and nothing too comforting). And if I were to severe all car communications with mothership, I'd have lost some services I desire.

Now that I actually have the car I realize that at least my interests don't seem to be aligning all that well with Tesla interests which is a pity.

 

[Xtek]

FWIW they have a "God" mode and can see all the same data we can see in realtime. Fun.

 

[BigD0g]

Now that I actually have the car I realize that at least my interests don't seem to be aligning all that well with Tesla interests which is a pity.

There loss is our gain

 

[lunitiks]

FWIW they have a "God" mode and can see all the same data we can see in realtime. Fun.

 

[hobapolis]

Looking forward to progress on this project.

 

[ChicagolandMX]

On this note, does anyone know if data through the Tesla app is encrypted or is trafficked through a VPN? I know I saw a YouTube video where someone grabbed some app info off an open Wi-Fi network.

 

[Xtek]

What you're describing sounds like a man in the middle attack.

The Tesla app uses HTTPS (encryption) and SSL pinning. Meaning you can't use a self-signed cert to watch traffic even if you wanted to.

I can see no feasible way someone could MITM the app.

 

[avirtuos]

What you're describing sounds like a man in the middle attack.

The Tesla app uses HTTPS (encryption) and SSL pinning. Meaning you can't use a self-signed cert to watch traffic even if you wanted to.

I can see no feasible way someone could MITM the app.

That's not entirely true. SSL only protects you if someone can't inject their own trusted root CA. A common way people 'man in the middle' cell phone apps is to get you to install an app that installs a malicious root CA (certificate authority). This then fools all apps on your phone into trusting an attackers cert because they can sign a cert that says they are Tesla and your app will gladly send it your credentials because the cert is signed by one of the CAs that your phone trusts.

This is why you should only install trustworthy apps.

Pinning requires that you bundle your cert with the app, this has similar issues because neither iOS or Android offer a good way to protect that cert. A malicious app can simply overwrite that cert and circumvent that added protect. Life would be so much easier if people could be trusted....so much lost performance simply for security (not in this case but in general... Like with Intel's specter and meltdown issue)

As for progress on the project... I'm inching forward. Holidays and some home renovations have proven more distracting than I planned.