TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker or making a Paypal contribution here: paypal.me/SupportTMC

Video: Summon Now Works Without Keyfob OR Keyless Start (2.12.126)

Discussion in 'Model S: User Interface' started by MarkS22, Feb 25, 2016.

  1. MarkS22

    MarkS22 Member

    Joined:
    Apr 6, 2015
    Messages:
    309
    Location:
    Morris County, NJ
    #1 MarkS22, Feb 25, 2016
    Last edited: Feb 25, 2016
    [Temporarily Deleted Details Until I Hear Back From Tesla To Ensure This Isn't An Unwanted Security Change]
     
  2. AllenWong

    AllenWong Member

    Joined:
    Dec 9, 2014
    Messages:
    654
    Location:
    Orlando, FL
    What about the official Tesla app? Can it do the same?
     
  3. jlewisthe3rd

    jlewisthe3rd Member

    Joined:
    Oct 15, 2015
    Messages:
    27
    Location:
    Philadelphia, PA
    Mark-

    IMO This is by design for the advance summon capability for your car to drive to you or away from you using more maneuverability. It was really pointless to have the fob in proximity as your watch or follow your car to the garage. As a part of the new Autopark/Summon the key is not needed to have the car initiate a summon/unsummon. The release notes say something to the effect that summon/autopark is not intended to work with the driver in the seat, so maybe thats the vulnerability. However, from a security standpoint I dont see this as an issue because if you initiate summon outside the car the doors are locked and no way for anyone to get in when summoning or completed summon.
     
  4. MarkS22

    MarkS22 Member

    Joined:
    Apr 6, 2015
    Messages:
    309
    Location:
    Morris County, NJ
    #4 MarkS22, Feb 25, 2016
    Last edited: Feb 25, 2016
    [Temporarily Deleted Details Until I Hear Back From Tesla To Ensure This Isn't An Unwanted Security Change]

    - - - Updated - - -

    Yes. Not just Remote S.
     
  5. AllenWong

    AllenWong Member

    Joined:
    Dec 9, 2014
    Messages:
    654
    Location:
    Orlando, FL
    I see it as a security issue. This is a security flaw and can be exploited. Think of all the 3rd party websites that don't have your password but only have your access token. Before, it would have been impossible to drive off with your car if they only had your access token, because you needed a password to do a keyless start. Unlocking the car doesn't require a password, so you can hop in, do the Summon, and then drive off without entering the password even once. And all it takes is for one person to hack a 3rd party website and get that access token. They'll even know where your car is located with the access token. And now can even open your garage door remotely. So because of this, now there's no difference between giving someone only your access token and giving someone your car's password. When before this exploit, it would be pointless for a car thief to have your access token, because they still can't drive off with your car without the password.
     
  6. MarkS22

    MarkS22 Member

    Joined:
    Apr 6, 2015
    Messages:
    309
    Location:
    Morris County, NJ
    #6 MarkS22, Feb 25, 2016
    Last edited: Feb 26, 2016
    Interesting. I've deleted posts and unlisted the YouTube video until I hear back.
     
  7. AllenWong

    AllenWong Member

    Joined:
    Dec 9, 2014
    Messages:
    654
    Location:
    Orlando, FL
    I don't think you need to delete your comment, since the security flaw is in the thread title already, so it's kind of too late. And to exploit this, you'd need to have the access tokens, which should be hard to get if the 3rd party websites that have your access token don't have some SQL/database injection flaws on their website or easy to brute force website/database password. And it could also be avoided if those websites encrypted the access tokens so that even if the hacker got to them, it wouldn't matter.

    And if the car thief is the 3rd party website owners themselves, then, it would be much easier if they just used your password, since you give them the password to access the website. Anyway, I don't see this as a critical threat, unless those 3rd party websites have bad security.
     
  8. jlewisthe3rd

    jlewisthe3rd Member

    Joined:
    Oct 15, 2015
    Messages:
    27
    Location:
    Philadelphia, PA
    What 3rd party website are you referring to that have these access tokens?
     
  9. AllenWong

    AllenWong Member

    Joined:
    Dec 9, 2014
    Messages:
    654
    Location:
    Orlando, FL
    Every 3rd party website that you ever logged into using your MyTesla account info has your access token. To explain how it works, basically, the website is supposed to store only your access token and not your username/password. An access token is supposed to be able to do anything to your car and grab any information on your car except for starting your car. Starting your car requires your MyTesla password. Mark is claiming that you can now bypass that requirement by just sitting in the car during a Summon, and then you can drive the car without ever entering any password.

    Remote S users are still safe, because the access tokens are only stored on your Apple Keychain (which is encrypted as well). As long as your device is PIN code protected, you're pretty safe (as you can see in recent news, even the FBI have trouble breaking into an iPhone). But if you use a third party website, that access token is stored remotely, most likely on a database on some server. It may be possible for a hacker to access that database if the website is not secure enough. Or if the website owner had malicious intent, he could auction your access tokens to the highest bidder/car thief. It's also why I don't use any 3rd party websites, because you're trusting them with your car keys and car's location at all times. And if HomeLink is enabled, it might also mean access to your garage. And if your garage is connected to your house, it might mean access to your house as well.
     
  10. Korben

    Korben Member

    Joined:
    May 13, 2015
    Messages:
    111
    #10 Korben, Feb 26, 2016
    Last edited: Feb 26, 2016
    Have not looked recently but I vaguely recall that changing your password will force an access token change. Simple thing you can do, for now, is change your password. If I get some time I will test to be sure that it actually forces a token change. Oh, and obviously you should stop using third party sites that worry you.
     
  11. jeffro01

    jeffro01 Active Member

    Joined:
    Jan 30, 2013
    Messages:
    1,164
    Location:
    SF Bay Area
    I can confirm that I was able to unlock my car from my app, get in, initiate summon and drive the car away. While the car warns me that I won't be able to restart it since it didn't detect the fob, that's not good enough.

    While I won't sit here and completely freak out and make a huge deal about this, I do think this is something Tesla needs to fix. Summon should NOT "start" your car, the fob should still be required to make any changes to the shifter. So while summon would still start your car so it could move it, any adjustment of the stock manually should immediately shutoff the car when the fob isn't present. Much like remote start systems shut off the engine if you hit the break without the fob.

    Jeff
     
  12. MarkS22

    MarkS22 Member

    Joined:
    Apr 6, 2015
    Messages:
    309
    Location:
    Morris County, NJ
    #12 MarkS22, Feb 26, 2016
    Last edited: Feb 26, 2016
    I've let Tesla know about the behavior, so it's up to them. However, there is no security concern if you do NOT share your token with any 3rd party sites. Let this be a heads up that giving out your token is equivalent to giving someone your location AND the keys to your car. Until the latest update, Keyless Start required your login and password in addition to your token to actually drive the car. If you're concerned, this latest update makes it more important to keep your token safe and private.
     
  13. msnow

    msnow Active Member

    Joined:
    Jul 14, 2015
    Messages:
    4,253
    Location:
    SoCal
    Allen, so if you don't store the token then the only things I can think of that use it are Tesla and maybe VT (although) that might be a passthrough (not really sure). What other apps can you think of that store it?
     
  14. AllenWong

    AllenWong Member

    Joined:
    Dec 9, 2014
    Messages:
    654
    Location:
    Orlando, FL
    There are a few other 3rd party Tesla apps and websites that I've seen. All apps and websites store your token somewhere. Otherwise, you'd have to login every time. I can't speak for how other apps and websites store your token, because I don't have their source code.
     

Share This Page