
Whoa! Come on tesla!

Sharing this video because I’d hate to have mine stolen. I was surprised to learn Tesla doesn’t let you use 2 factor authentication at the minimum when I got mine. Heck, Gmail, my bank, all use this. Anyway, watch the vid. I know my password is randomly generated, but I’ll need to change this every month at least. My guess is to ease service maybe? Like how Apple makes you remove your login when doing warranty work.
 
TL;DW: If your account info is stolen, your car can be stolen. Don't get tricked by fake wifi, or any other scams to steal your info.

Yes, Tesla should have 2FA to mitigate this... but if your info isn't known, it's irrelevant.
Absolutely, the main message here is a good password is the best offense. Good internet practices will help keep you and your Tesla safe.
 
Wrong. You WILL be fooled into entering your "good password"
into spoofed login screens, he just showed you how. All it takes is
a laptop and some know-how. The more dependent we are on
wireless technologies, the more insanely insecure we are. If we
went back to hardwired ethernet, in this case say with ports at
the supercharger, it would be much more secure. But then
people would up the ante by tapping the wiring and we're
almost back to square 1. The inescapable flaw is the use of
public or shared networking. The very thing that makes the
digital world go around.

Many years ago, banks and critical infrastructure would only
use dedicated point to point communications. Private networks
and little synchronized devices that generated random passwords
every few seconds. I worked in that environment, it was secure,
and it was very inconvenient. Then the greater convenience of
the public won out, and we let our guard down, way too much.

Insurance covers a lot of losses every day, that's how we deal
with it at the moment. Unauthorized credit card charges, lost
cars, hacked burglar alarms, you name it. Every day.

In Russia, and countries near Russia, they know the danger.
You cannot make a banking transaction without sending back
a one time code that the bank texts to your phone. Password
entry screens never request a full password, only a few characters
picked at random from your long password, so if the line is
monitored, they only get a portion of your password. That's for
openers. The security steps are a nuisance, but it helps in
a world where a lot of people are smart and hungry.

Tesla will introduce some additional security, it will be less
convenient, and it will reduce the chances of losing your car,
to some degree, for a while.

We are trusting people. We have never weighed the complete
vulnerability of a society that puts valuable or important things
under control of shared networks. The convenience is great,
the potential damages are beyond our imagination. Some day
the Big Lesson will be stunning.

But people seem more invested in denial, look at the preview in the 2016 election.
 
This vector relies entirely on social engineering; basic Internet security lessons will stop it.

Don't use unfamiliar Wi-Fi. Don't use unencrypted Wi-Fi. Don't ever enter your password if you aren't sure what site it is or in a site different from the one you created it for.

There was no reason to enter Tesla information into the pineapple except the user thought it would give them free Wi-Fi - something Tesla has never offered.
 
No, if you go to use any app, a fake site that
perfectly mimics the normal login will fool most
people, there's no way to know it's not legit
unless you're checking the IP address and deep
protocol of the source and you know what's
a legitimate protocol and source.
This is way beyond the know-how of 99.99%
of the population. If you think you're immune,
you're either a networking expert or you're naive.

The fact that banks and insurance cover most
losses and don't want a panic that would cripple
e-commerce, is why we think all is well or
manageable with simple precautions (that most
people don't bother with anyway).

I've been asked to log in to my Tesla account
and guess what, I logged in, it was apparently
legit, but what are you gonna do?
 
Wait, I'm confused.

Why would you ever type in your tesla.com credentials anywhere other than the app or tesla.com?

Is there something special about supercharger locations that requires you to enter your credentials?

EDIT:

Note I'm not saying that 2FA is a bad thing. Tesla should definitely add it to your tesla.com account.
You do on Teslafi to generate a token for it to work.
 
The worst part of the video is that 2FA doesn't actually solve the problem.

If I can convince you to log into my wifi pineapple with your tesla credentials I can just man-in-the-middle you, and prompt you to type in the 2FA PIN, and then log straight into tesla.com when you type it into my fake login page.

1. You connect to my wifi pineapple.
2. I present faketesla.com asking for your username and password.
3. As soon as you type them into my faketesla.com, my script turns around and uses your credentials to log into real tesla.com
4. Real tesla.com sends the 2FA PIN challenge to me, and sends a 2FA PIN to your phone (if using SMS 2FA).
5. I present a fake 2FA PIN challenge on faketesla.com, and wait for you to type in the 2FA PIN you received on your phone (if using SMS) or from your 2FA app.
6. I immediately send the 2FA PIN you gave me to the 2FA challenge from real tesla.com.

Presto I just logged in as you, despite 2FA. Now I can take over your car.

The only solution is being aware enough not to enter your tesla.com credentials into places where you should not do that.
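An added example, not from the post or from Tesla, modelling steps 3 to 6 above in Python: an SMS/TOTP-style code is accepted by the server no matter who submits it, while a second factor whose assertion is bound to the page origin (the WebAuthn model, simplified here to an HMAC over a shared key) fails when the same relay is attempted from a look-alike site. The origins, the user key and both server classes are constructed placeholders.

```python
import hashlib, hmac, json, secrets

# Constructed stand-ins for the two origins in the post; not real hostnames.
REAL_ORIGIN = "https://tesla.example"
FAKE_ORIGIN = "https://faketesla.example"

def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    # WebAuthn-style assertion, simplified: the authenticator signs the challenge
    # together with the origin of the page that asked for it (HMAC stands in for a signature).
    msg = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class OtpServer:
    # SMS/TOTP-style factor: the server checks only the code's value, so it
    # cannot tell whether the submitter is the person who received the code.
    def __init__(self):
        self.pending = {}
    def start_login(self, user: str) -> str:
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[user]          # delivered to the user's phone
    def finish_login(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending.get(user, ""), code)

class OriginBoundServer:
    # Factor that binds each assertion to the origin the authenticator saw.
    def __init__(self, user_key: bytes):
        self.user_key, self.pending = user_key, {}
    def start_login(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]
    def finish_login(self, user: str, assertion: str) -> bool:
        expected = sign_assertion(self.user_key, self.pending.get(user, ""), REAL_ORIGIN)
        return hmac.compare_digest(expected, assertion)

def relayed_otp_login(server: OtpServer, user: str) -> bool:
    # Steps 3-6 of the post: the victim reads the code off their phone, types
    # it into the fake page, and the relay forwards it to the real server.
    code_on_phone = server.start_login(user)
    return server.finish_login(user, code_on_phone)

def relayed_origin_bound_login(server: OriginBoundServer, user: str, key: bytes) -> bool:
    # Same relay, but the victim's authenticator signs the origin it actually
    # sees (the fake page), so the real server's check fails.
    challenge = server.start_login(user)
    return server.finish_login(user, sign_assertion(key, challenge, FAKE_ORIGIN))

def direct_origin_bound_login(server: OriginBoundServer, user: str, key: bytes) -> bool:
    # The legitimate path at the real origin still succeeds.
    challenge = server.start_login(user)
    return server.finish_login(user, sign_assertion(key, challenge, REAL_ORIGIN))
```

The difference the server sees is not the code itself but whether the proof carries the origin the user actually interacted with.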
 
In that case, you'd better trust teslafi.com with your car keys, because that's essentially what you're giving them.

I thought teslafi.com had the option for you to generate the token yourself, which at least means you don't give them your tesla.com credentials... ?
 
Good question. I’m not sure about that.
 
Teslafi does allow you to generate your own token, but it requires some programming which is way above my pay scale.

API Tokens - TeslaFi.com
 
I mis-entered a friend's phone number once
and heard the conversation he was having
with people in his room. I entered a code that
made the phone connect the mic without
ringing or alerting him. We're like happy go
lucky people in a rowboat, and beneath us
is an ocean of eavesdroppers, predators,
monsters. It's better to be aware, even if
there's little defense for us.
 
Any app? The only app you should be entering your Tesla ID into is the Tesla app, which Tesla codesigns and Google/Apple verify, or the Tesla webpage over a secure connection.

Those should be perfectly safe. Anything else, and you're taking a chance based on how much you think the 3rd party app or site is trustworthy, and your trust might be betrayed.

Is 2FA a bad idea? No, of course not.

Is the lack a cause for panic and likely to result in hundreds of stolen cars? I don't think so, and if it is, it'll be because people aren't taking basic precautions or are trusting 3rd party apps too much.