
Tesla Telemetry Project

That's not entirely true. SSL only protects you if someone can't inject their own trusted root CA. A common way people 'man in the middle' cell phone apps is to get you to install an app that installs a malicious root CA (certificate authority). This then fools all apps on your phone into trusting an attacker's cert because they can sign a cert that says they are Tesla and your app will gladly send it your credentials because the cert is signed by one of the CAs that your phone trusts.

This is why you should only install trustworthy apps.

As for progress on the project... I'm inching forward. Holidays and some home renovations have proven more distracting than I planned.

It is entirely true. SSL pinning prevents someone from injecting a CA even if you install the CA yourself. The only way around this is if you have an older OS version that doesn't have SSL pinning.

Certificate and Public Key Pinning - OWASP

EDIT: As proof try using Charles Proxy or Fiddler on a modern iOS/Android device. You can't MITM yourself. I wrote a C-level patch for iOS to disable SSL pinning, to get around it.
 
It is entirely true. SSL pinning prevents someone from injecting a CA even if you install the CA yourself. The only way around this is if you have an older OS version that doesn't have SSL pinning.

Certificate and Public Key Pinning - OWASP

See my updated post, pinning doesn't save you when the malicious app replaces the bundled cert. It's a good step but not a magic bullet since neither iOS nor Android offer secure storage.
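As an added illustration of the two scenarios argued over above (this is not code from the thread or from any Tesla app): an app-side public-key pin check hashes the certificate's SubjectPublicKeyInfo and never looks at which CA signed it, so a cert minted under an injected root fails the pin, whereas a malicious app that rewrites the bundled pin set defeats it. The certificates below are constructed minimal DER stand-ins (hypothetical test data), not real certificates.

```python
import base64
import hashlib

def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (what pins hash)."""
    _, p, _ = der_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, p, _ = der_tlv(cert_der, p)          # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    for _ in range(5):                      # serial, sig alg, issuer, validity, subject
        _, _, p = der_tlv(cert_der, p)
    _, _, end = der_tlv(cert_der, p)        # subjectPublicKeyInfo
    return cert_der[p:end]

def spki_pin(cert_der):
    """Pin in the common 'sha256/<base64>' form."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_check(cert_der, pinned):
    """App-side check: the presented key must match a bundled pin; the signing CA is irrelevant."""
    return spki_pin(cert_der) in pinned

# Constructed minimal certificates (hypothetical test data, not real certificates).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length suffices for this data
def fake_cert(spki, issuer):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + tlv(0x30, issuer) + tlv(0x30, b"") + tlv(0x30, b"") + spki)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

GENUINE_KEY = tlv(0x30, b"genuine-server-key")
MITM_KEY = tlv(0x30, b"attacker-proxy-key")
genuine_cert = fake_cert(GENUINE_KEY, b"public CA")
mitm_cert = fake_cert(MITM_KEY, b"injected root CA")   # OS trusts it; the pin set does not
bundled_pins = {spki_pin(genuine_cert)}

def scenarios():
    return {
        "genuine": pin_check(genuine_cert, bundled_pins),          # True
        "injected_root_ca": pin_check(mitm_cert, bundled_pins),    # False: pinning holds
        "tampered_pins": pin_check(mitm_cert, {spki_pin(mitm_cert)}),  # True: app's pin set was replaced
    }
```

The last scenario is the thread's point: the pin check is only as trustworthy as the storage the pin set lives in.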
 
See my updated post, pinning doesn't save you when the malicious app replaces the bundled cert. It's a good step but not a magic bullet since neither iOS nor Android offer secure storage.
Also, from your link..

"You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment"

Relatively certain... Not the same as true authentication or chain of trust.
 
See my updated post, pinning doesn't save you when the malicious app replaces the bundled cert. It's a good step but not a magic bullet since neither iOS nor Android offer secure storage.

Well, if we're going as far as to say if you installed the unofficial Tesla app why not say use a rooted device? :)

My point was, if you're using a modern OS/phone it's incredibly unlikely someone can snoop your traffic. No security is 100% secure. Even with asymmetric key pairs they are counting on the processing required to guess the private key.

EDIT: Spelling r hard