[Temporarily Deleted Details Until I Hear Back From Tesla To Ensure This Isn't An Unwanted Security Change]
Mark-
IMO this is by design for the advanced Summon capability, so your car can drive to you or away from you with more maneuverability. It was really pointless to have the fob in proximity, as your watch, or to follow your car to the garage. As part of the new Autopark/Summon the key is not needed for the car to initiate a summon/unsummon. The release notes say something to the effect that Summon/Autopark is not intended to work with the driver in the seat, so maybe that's the vulnerability. However, from a security standpoint I don't see this as an issue, because if you initiate Summon outside the car the doors are locked and there is no way for anyone to get in while summoning or after the summon has completed.
What about the official Tesla app? Can it do the same?
However, from a security standpoint I don't see this as an issue, because if you initiate Summon outside the car the doors are locked and there is no way for anyone to get in while summoning or after the summon has completed.
I see it as a security issue. This is a security flaw and can be exploited.
I don't think you need to delete your comment, since the security flaw is in the thread title already, so it's kind of too late. And to exploit this, you'd need to have the access tokens, which should be hard to get if the 3rd party websites that have your access token don't have some SQL/database injection flaws on their website or easy to brute force website/database password. And it could also be avoided if those websites encrypted the access tokens so that even if the hacker got to them, it wouldn't matter.
And if the car thief is the 3rd party website owners themselves, then, it would be much easier if they just used your password, since you give them the password to access the website. Anyway, I don't see this as a critical threat, unless those 3rd party websites have bad security.
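The post above argues that a leaked database would not matter if the third-party site encrypted the stored access tokens. The following is an added example, not code from any of the sites or apps discussed in this thread, showing what that looks like in practice: the database row holds only ciphertext plus an integrity tag, and the master key lives somewhere else (a KMS, HSM or OS keychain). The cipher here is a hypothetical construction built from Python's standard library (HMAC-SHA256 in counter mode, encrypt-then-MAC) so that it runs without third-party packages; the table contents and the master key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample master key. In a real deployment this comes from a KMS,
# an HSM or the OS keychain and is never written into the database.
MASTER_KEY = secrets.token_bytes(32)


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one master key into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"token-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"token-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (illustrative stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal_token(master_key: bytes, token: str) -> Dict[str, str]:
    """Encrypt-then-MAC an access token; the returned dict is what the DB row stores."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(16)  # fresh per token, never reused with the same key
    plaintext = token.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_token(master_key: bytes, row: Dict[str, str]) -> Optional[str]:
    """Verify the tag before decrypting; return None for a wrong key or a tampered row."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = bytes.fromhex(row["nonce"])
    ciphertext = bytes.fromhex(row["ct"])
    tag = bytes.fromhex(row["tag"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode()


def leaked_row_reveals_token(row: Dict[str, str], token: str) -> bool:
    """Simulate a database dump: does the stored row contain the token in the clear?"""
    return token.encode().hex() in row["ct"]


if __name__ == "__main__":
    # Constructed sample token; real tokens are opaque strings issued by the vehicle API.
    sample_token = "constructed-sample-access-token-0123"
    row = seal_token(MASTER_KEY, sample_token)
    print("stored row:", row)
    print("decrypts with right key:", open_token(MASTER_KEY, row) == sample_token)
    print("dump reveals token:", leaked_row_reveals_token(row, sample_token))
    print("wrong key yields:", open_token(secrets.token_bytes(32), row))
```

The point the thread makes is the key-separation one: an attacker who only has the database (via an injection flaw or a weak database password) gets rows that decrypt to nothing, and a modified row is rejected by the tag check before any decryption happens. For production use the same pattern with AES-GCM or ChaCha20-Poly1305 from a vetted library rather than the hand-built PRF shown here.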
What 3rd party websites are you referring to that have these access tokens?
Every 3rd party website that you ever logged into using your MyTesla account info has your access token. To explain how it works, basically, the website is supposed to store only your access token and not your username/password. An access token is supposed to be able to do anything to your car and grab any information on your car except for starting your car. Starting your car requires your MyTesla password. Mark is claiming that you can now bypass that requirement by just sitting in the car during a Summon, and then you can drive the car without ever entering any password.
Remote S users are still safe, because the access tokens are only stored in your Apple Keychain (which is encrypted as well). As long as your device is PIN code protected, you're pretty safe (as you can see in recent news, even the FBI has trouble breaking into an iPhone). But if you use a third party website, that access token is stored remotely, most likely in a database on some server. It may be possible for a hacker to access that database if the website is not secure enough. Or if the website owner had malicious intent, he could auction your access tokens to the highest bidder/car thief. It's also why I don't use any 3rd party websites, because you're trusting them with your car keys and your car's location at all times. And if HomeLink is enabled, it might also mean access to your garage. And if your garage is connected to your house, it might mean access to your house as well.
Allen, so if you don't store the token, then the only things I can think of that use it are Tesla and maybe VT (although that might be a passthrough, not really sure). What other apps can you think of that store it?