
TeslaFi Security Concerns

I did use TeslaFi for a while when I first got my car (with a TeslaFi referral), and I do like the functionality it provides.
However, I do have some concerns about giving my login details to a third-party website which gives full access to my car. Seems to me this is just the same as giving someone you don't know the keys to your car!

I realise that it uses a token rather than the actual password, but it still gives access to the car from the website.
If the TeslaFi site was hacked, it would be very useful for anyone looking to steal Teslas, as they would have details of where lots of cars were kept overnight and during the day, including times that they are at these locations!

What does everyone think?
 
This has been discussed a number of times before. Tesla could choose to implement limited access tokens, but doesn't, because there's no financial benefit for them to allocate resources to do it.

It wouldn't surprise me if there was a breach at TeslaFi. Fortunately, tokens can be invalidated if need be, and they are self-expiring regardless.
 
This is exactly why I've deployed a self-hosted data logger (Teslamate) for when I collect my vehicle. It does require a bit of technical know-how but means you can run it from a Raspberry Pi in your own home, on your connection, so you maintain full control.
 
That sounds good.. will have to look into this - do you have any links etc?
Sure, it's on GitHub at the link below. You'll need to have somewhere you can run this from, but a Raspberry Pi is a small investment (£25-35, or £50 as a kit) and is perfect for this task - you can use their Raspbian operating system, and just install Docker before you deploy Teslamate.

adriankumpf/teslamate

Documentation: https://teslamate.readthedocs.io/en/latest/
 
> This is exactly why I've deployed a self-hosted data logger (Teslamate) for when I collect my vehicle. It does require a bit of technical know-how but means you can run it from a Raspberry Pi in your own home, on your connection, so you maintain full control.

I wrote my own for the same reason. I run it in the cloud on AWS. It doesn't do all that TeslaFi does but it stores all the data, which is the main thing, so I can add to it later. And as a bonus it only costs me about $0.20 per month. We don't talk about the time spent writing it that came out of "family time" (so win-win :) )
 
> This is exactly why I've deployed a self-hosted data logger (Teslamate) for when I collect my vehicle. It does require a bit of technical know-how but means you can run it from a Raspberry Pi in your own home, on your connection, so you maintain full control.

Don't people nick cars by breaking into houses and nicking the keys?

And before someone says, but how do they know I have a Raspberry Pi/SD card with it on, well a number of people have posted on here so anyone wanting to target Tesla will have a pretty good starting point. Even worse is the application host not being very secure.

Personally, I prefer a strongly encrypted API key, that will expire within 45 days, held on a secure server somewhere, stored as part of an account where the password/salt is again strongly encrypted and cannot be associated with another account using the same password (the salt will differ). So even if the account was hacked server side, the API key would still be securely encrypted unless they also got access to the decryption key, which is very likely to be stored in a much more secure place than an SD card on a Raspberry Pi in someone's house.

And of course, even with that API key, they are still limited with what they can do with the car - would be better if it was even more granular. Probably easier to nick someone's phone and be faced with PIN to drive - easily obtainable to anyone who has been given a ride in the car, or peered through the window when it's being entered.

There will always be a way to compromise something; it's a matter of making it harder than another target.

Car parked in public space, phone in easy reach probably makes taking a chance on no PIN to drive a bit of an appeal for a chancer. Second up, car outside, phone inside house, occupants under duress.

imho.
 