Video: Summon Now Works Without Keyfob OR Keyless Start (2.12.126)

Mark-

IMO this is by design for the advanced summon capability, for your car to drive to you or away from you with more maneuverability. It was really pointless to have the fob in proximity as you watch or follow your car to the garage. As part of the new Autopark/Summon the key is not needed for the car to initiate a summon/unsummon. The release notes say something to the effect that summon/autopark is not intended to work with the driver in the seat, so maybe that's the vulnerability. However, from a security standpoint I don't see this as an issue, because if you initiate summon outside the car the doors are locked and there is no way for anyone to get in while summoning or after the summon has completed.
 
[Temporarily Deleted Details Until I Hear Back From Tesla To Ensure This Isn't An Unwanted Security Change]

- - - Updated - - -

What about the official Tesla app? Can it do the same?

Yes. Not just Remote S.
 
However, from a security standpoint I don't see this as an issue, because if you initiate summon outside the car the doors are locked and there is no way for anyone to get in while summoning or after the summon has completed.

I see it as a security issue. This is a security flaw and can be exploited. Think of all the 3rd party websites that don't have your password but only have your access token. Before, it would have been impossible to drive off with your car if they only had your access token, because you needed a password to do a keyless start. Unlocking the car doesn't require a password, so you can hop in, do the Summon, and then drive off without entering the password even once. And all it takes is for one person to hack a 3rd party website and get that access token. They'll even know where your car is located with the access token, and can now even open your garage door remotely. So because of this, there's now no difference between giving someone only your access token and giving someone your car's password. Before this exploit, it would have been pointless for a car thief to have your access token, because they still couldn't drive off with your car without the password.
 
I don't think you need to delete your comment, since the security flaw is in the thread title already, so it's kind of too late. And to exploit this, you'd need to have the access tokens, which should be hard to get if the 3rd party websites that have your access token don't have some SQL/database injection flaws on their website or easy to brute force website/database password. And it could also be avoided if those websites encrypted the access tokens so that even if the hacker got to them, it wouldn't matter.

And if the car thief is the 3rd party website owners themselves, then, it would be much easier if they just used your password, since you give them the password to access the website. Anyway, I don't see this as a critical threat, unless those 3rd party websites have bad security.
 
What 3rd party website are you referring to that have these access tokens?
 
Every 3rd party website that you ever logged into using your MyTesla account info has your access token. To explain how it works, basically, the website is supposed to store only your access token and not your username/password. An access token is supposed to be able to do anything to your car and grab any information on your car except for starting your car. Starting your car requires your MyTesla password. Mark is claiming that you can now bypass that requirement by just sitting in the car during a Summon, and then you can drive the car without ever entering any password.

Remote S users are still safe, because the access tokens are only stored on your Apple Keychain (which is encrypted as well). As long as your device is PIN code protected, you're pretty safe (as you can see in recent news, even the FBI have trouble breaking into an iPhone). But if you use a third party website, that access token is stored remotely, most likely on a database on some server. It may be possible for a hacker to access that database if the website is not secure enough. Or if the website owner had malicious intent, he could auction your access tokens to the highest bidder/car thief. It's also why I don't use any 3rd party websites, because you're trusting them with your car keys and car's location at all times. And if HomeLink is enabled, it might also mean access to your garage. And if your garage is connected to your house, it might mean access to your house as well.
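The two posts above make the same point from both sides: a third-party site that holds your access token holds a bearer credential, and the only thing standing between a database dump and your car is how that site stores the token. The following is an added example written for this thread, not code from Tesla, Remote S or any third-party site. It shows the minimum a site operator should do on the storage side: encrypt each token at rest with AES-256-GCM under a key that lives outside the database (environment variable, KMS, HSM), and bind the ciphertext to the owning user ID as associated data so a row copied into another user's record will not decrypt. The token value, user ID and key in the demo are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// TokenVault encrypts third-party-held API access tokens at rest.
// The AES-256 key is supplied by the caller from outside the database
// (env var, KMS, HSM) so that a dumped table yields ciphertext only.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault wraps a 32-byte key in AES-256-GCM.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts token for userID. A fresh random nonce is prefixed to the
// ciphertext, and userID is bound as associated data so the stored value
// only opens for the same user row it was written for.
func (v *TokenVault) Seal(userID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a value produced by Seal. It fails on a wrong key, a wrong
// userID, or any modification of the stored bytes.
func (v *TokenVault) Open(userID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; in production this comes from a secret store,
	// never from the same database that holds the rows.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	vault, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}

	// Constructed token value standing in for a real API access token.
	stored, err := vault.Seal("user-42", "tok_example_bearer_value")
	if err != nil {
		panic(err)
	}
	fmt.Println("row as an attacker would see it in a dump:", stored)

	// Legitimate use by the site: same key, same user row.
	tok, err := vault.Open("user-42", stored)
	fmt.Println("opened for user-42:", tok, err)

	// Row copied into another user's record: associated-data check fails.
	_, err = vault.Open("user-43", stored)
	fmt.Println("opened for user-43:", err)
}
```

This only covers the threat the earlier post names, a leaked database or backup reachable through an injection flaw. It does nothing against an attacker who also compromises the application server and reads the key, and nothing at all against a malicious site operator, who holds both halves by design; that is the case the same post points out is no worse than simply having your password. The token is still a bearer credential once decrypted, so the real limit is the API's own capability model, which is what the rest of the thread is about.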
 
Have not looked recently but I vaguely recall that changing your password will force an access token change. Simple thing you can do, for now, is change your password. If I get some time I will test to be sure that it actually forces a token change. Oh, and obviously you should stop using third party sites that worry you.
 
I can confirm that I was able to unlock my car from my app, get in, initiate summon and drive the car away. While the car warns me that I won't be able to restart it since it didn't detect the fob, that's not good enough.

While I won't sit here and completely freak out and make a huge deal about this, I do think this is something Tesla needs to fix. Summon should NOT "start" your car; the fob should still be required to make any changes to the shifter. So while summon would still start your car so it could move it, any manual adjustment of the stalk should immediately shut off the car when the fob isn't present, much like remote start systems shut off the engine if you hit the brake without the fob.

Jeff
 
I've let Tesla know about the behavior, so it's up to them. However, there is no security concern if you do NOT share your token with any 3rd party sites. Let this be a heads up that giving out your token is equivalent to giving someone your location AND the keys to your car. Until the latest update, Keyless Start required your login and password in addition to your token to actually drive the car. If you're concerned, this latest update makes it more important to keep your token safe and private.
 
Allen, so if you don't store the token then the only things I can think of that use it are Tesla and maybe VT (although) that might be a passthrough (not really sure). What other apps can you think of that store it?
 
There are a few other 3rd party Tesla apps and websites that I've seen. All apps and websites store your token somewhere. Otherwise, you'd have to login every time. I can't speak for how other apps and websites store your token, because I don't have their source code.