
Whoa! Come on tesla!

True - but the vector here would be to spoof Tesla's service endpoints that the app talks to and use a MITM proxy. Luckily, all this is mitigated by a lot of clever handshaking between the App, Tesla's services, and the car.
The vector the video is talking about is spoofing a login screen to get you to enter your credentials. They don't need to interact with the app at all except on their end when they use your stolen credentials in a valid version of the app to unlock your car.
 
The best solution to prevent this from happening is to not allow the use of your Tesla credentials to validate PIN to Drive. Of course you'll still have people that will call Tesla in order to try to get them to reset your PIN, but a couple of security questions on that end will prevent that.
 
What about signing on via a browser on the mobile phone via LTE?


When does anyone actually need to do this though?

I've had my car since September last year and I think I've logged into the website basically never except to:

1) Check my MVPA once on my desktop, wired-connection, PC for accounting reasons

2) Submit an issue for exec review (an option they don't even offer any more, and which again I did on my desktop as I needed to write a professional sounding letter, rather than communicate via emojis)


Unlike the app, which we've established is pretty secure on its own, the tesla.com account via the website doesn't have much use on a phone at some random public location unless you suddenly decide to order yourself another car while at the 7-11 or something.
 
Because it would be made to look exactly like Tesla.com. Many (not all) people would be fooled into entering their password.

But even without this hack, for people who reuse their passwords, someone can just try to log into Tesla.com using publicly available lists of emails/passwords. Once they succeed, they can locate the car and steal it.

This is a very real security issue.
True. It would be a good idea to use an email without and
I am having these bad images of this and the automatic Tesla charger. Buurrr

lol looks weird.
 
mobile phone via LTE?

Others on this site are way more tech savvy than I, that's my first admission here. Some have said that knocking you off the site so you reinitiate is not how it's done? I do know for sure:

Use your provider of cell service (it's faster these days anyways in many situations), but everyone knows the reason family/everyone members sign on to wifi,

Conditioning, we have been conditioned to believe:

1. We/they are trained it may be faster, most likely not, because everyone else is using it and most likely, definitely the bad guys are as well.
2. Usage plans were smaller at one time, so pressure to remove yourself from the LTE/ now going 5G because of $$$ was there and old habits die hard.
3. Also the file sizes (videos) we now send are larger; also sometimes, depending on the speed of the network everyone likes to use, it's faster depending on the upload speed.
4. Etc.

I know one thing for sure, joining any network is like opening your life, everything in your life you have on your device to the masses. If you're an open book then join the network. Even being safe all the time, most likely your everything is already floating around the internet anyway.

I have also been told by some really tech savvy folks that unfortunately (and I am going to get some heat here) Apple OS phones are the safest phones (that's why the FBI hates Apple), all other platforms are wide open books walking around unencrypted perhaps waiting for someone to grab your data off the device.

as the one that it was supposed to remember.

Whatever, you must initiate and sign on again.
 
I like Ben Sullen's videos, but this "dramatic reenactment" is not really realistic, IMHO.


You are correct it's a dramatization. You better believe the next Library or Chipotle you're in some person has one in his backpack and is working the room for his college assignment. Probably not for college.

But, nobody else has gone to the trouble to do the dramatization either.

So here we all are looking at the elephant in the room we knew existed and getting smarter about how we interact daily with our devices and our car. I think it helps and really the whole referral thing is over for now so his motives are pretty darn clean. Please tell me if I am off base here?

Pineapples have been in existence for quite some time. Amazon has one for US$59. That's the problem here, "internet regulation".

Facebook on and on. Laws need to be enacted to "protect the innocent". Remember Dragnet?

Now it's the Internet.
 



Still waiting for someone to explain why anyone ever needs to use their phone to log into the tesla.com website at a Chipotle. Ever.

Anybody?


The app isn't spoofable like the website is.

(neither is the website if you pay enough attention to look for https, but again why do you ever "need" to log into a website on your phone at Chipotle?)
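The "look for https" advice above is the whole check in one line, but a convincing phishing page can show a padlock too, so what actually matters is the scheme plus the exact host. The following is an added example, not code from any poster or from Tesla: a small Python check that accepts a URL only if it is HTTPS and its host is the expected domain (or a real subdomain of it), and rejects the usual lookalikes (plain http, `tesla.com.evil.example`, a `tesla.com@` userinfo prefix, hyphenated or homoglyph hosts). The expected host and every sample URL are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# The origin the user actually intends to reach (constructed for this example).
EXPECTED_HOST = "tesla.com"


def is_expected_origin(url: str, expected_host: str = EXPECTED_HOST) -> bool:
    """Return True only if url uses HTTPS and its host is expected_host or a subdomain of it."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URLs (e.g. broken IPv6 brackets) are never "the expected site".
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo ("user@") and port are stripped
    if not host:
        return False
    # Reject non-ASCII hosts so homoglyph lookalikes (Cyrillic 'а' for Latin 'a') cannot pass.
    if not host.isascii():
        return False
    host = host.rstrip(".")  # "tesla.com." is the same zone as "tesla.com"
    return host == expected_host or host.endswith("." + expected_host)


def classify(urls):
    """Map each URL to the verdict of is_expected_origin, for review in bulk."""
    return {u: is_expected_origin(u) for u in urls}


# Constructed sample URLs: one genuine-looking set and the lookalikes a phishing page might use.
SAMPLE_URLS = [
    "https://tesla.com/teslaaccount",
    "https://www.tesla.com/teslaaccount",
    "https://TESLA.COM:443/",
    "http://tesla.com/teslaaccount",           # no TLS at all
    "https://tesla.com.evil.example/login",    # expected host used as a subdomain of another zone
    "https://tesla.com@evil.example/login",    # userinfo trick: real host is evil.example
    "https://tesla-com.example/login",         # hyphen lookalike
    "https://tesIa.com/login",                 # capital I for lower-case l
    "https://tesl\u0430.com/login",            # Cyrillic a homoglyph
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print(f"{'OK  ' if ok else 'FAKE'} {url}")
```

The userinfo and port handling comes free from `urlsplit(...).hostname`; the deliberate extra is the ASCII check, which is stricter than browsers are but is the right default for a "do I trust this link" filter.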
As an example, I don't think you can read your charging history via the app? I've wanted to look at that occasionally when I'm on the road, value in that (I have no interest in going down the "need" pedantry rabbit hole), so I've logged into my Tesla account via my phone. It isn't the best experience, the page isn't really sized for it, but it did work when I used it.

Of course I don't use wifi anywhere but home. But that's really only partially effective. While using cell phone data connection (particularly on an iPhone) is the most secure Internet connected computer I've ever had, it isn't even close to impenetrable to man-in-the-middle attack vectors like this from modestly motivated people. Unfortunately, for reasons that are a lengthy discussion, cell phone data is a compromised channel.

What I'm not clear on is how this sort of attack is the low hanging fruit compared to jacking other vehicles. The Model 3 in particular isn't that expensive.
 
As an example, I don't think you can read your charging history via the app? I've wanted to look at that occasionally when I'm on the road, value in that (I have no interest in going down the "need" pedantry rabbit hole), so I've logged into my Tesla account via my phone. It isn't the best experience, the page isn't really sized for it, but it did work when I used it.

No, that's a perfectly fair answer- and while not one I'd ever see value in myself, I can see how someone else might- thanks.

Of course I don't use wifi anywhere but home.

I use it lots of places. Just never to connect to anything requiring an unencrypted password/connection. It's perfectly safe for that unless Digital Danny Ocean wants your data in which case nothing you do is safe anyway.


What I'm not clear on is how this sort of attack is the low hanging fruit compared to jacking other vehicles. The Model 3 in particular isn't that expensive.

Agreed
 
I'm really just waiting for Teslafi, Stats, Commands, whatever stupid BS app people are using to 'monitor' their cars to get hacked. Lots of Teslas will go missing and then Tesla will add MFA.
That's not how tokens work. Best practice is:

1. The third party leverages the primary login processes to request a token. That means the third party never sees your login credentials, because you're really putting them into the form hosted by the primary service. In this case, Tesla, but I'd bet a significant majority of Gmail users have some type of OAuth integration with their email or calendar. It's Google that provides the login form, not the third party.

2. The token is almost always tied to additional identification criteria. That's how you get the "We've noticed you've logged in from a new device" type emails from many services.

Man-in-the-Middle (MITM) attacks that do things like spoof DNS to trick the application into thinking it's talking to the real service, but is really talking to a fake one, are absolutely always possible but really hard to do.

If your login credentials are compromised, none of it matters, with the exception that if you have 2FA/MFA/OTP enabled for that account then you've added a layer of protection.
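To make the two points in the post above concrete (the third party only ever holds a token, and the token is tied to the device that obtained it), here is an added Python simulation of an OAuth-style authorization-code flow. It is not Tesla's implementation, nor any monitoring app's; the provider, the `stats-app` client, the `owner-phone` / `attacker-laptop` device identifiers and the six-digit MFA code are all constructed stand-ins. It shows the third party exchanging a one-time code for a token without touching the password, a token presented from a different device triggering a "new device" notice and a re-authentication demand, and the last paragraph's caveat: a reused password still gets through the provider's own form unless MFA is enabled.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    mfa_code: Optional[str] = None  # constructed stand-in for a TOTP/OTP secret


@dataclass
class TokenRecord:
    user: str
    client_id: str
    device_id: str  # the token is bound to the device that obtained it


class IdentityProvider:
    """Stands in for the primary service that hosts the real login form."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending_codes: dict[str, tuple[str, str, str]] = {}  # code -> (user, client, device)
        self.tokens: dict[str, TokenRecord] = {}
        self.notices: list[str] = []  # "logged in from a new device" style alerts

    def register(self, email: str, password: str, mfa_code: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, _hash_password(password, salt), mfa_code)

    def login_form(self, email: str, password: str, client_id: str,
                   device_id: str, otp: Optional[str] = None) -> Optional[str]:
        """The provider's own form: credentials are checked here, never by the third party."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            return None
        if acct.mfa_code is not None and otp != acct.mfa_code:
            return None  # correct password is not enough once MFA is on
        code = secrets.token_urlsafe(16)  # short-lived, single-use authorization code
        self.pending_codes[code] = (email, client_id, device_id)
        return code

    def exchange_code(self, code: str, client_id: str) -> Optional[str]:
        entry = self.pending_codes.pop(code, None)  # pop: a code can only be redeemed once
        if entry is None or entry[1] != client_id:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(entry[0], client_id, entry[2])
        return token

    def authorize(self, token: Optional[str], device_id: str) -> str:
        rec = self.tokens.get(token) if token else None
        if rec is None:
            return "denied"
        if rec.device_id != device_id:
            self.notices.append(f"{rec.user}: token for {rec.client_id} presented from new device {device_id}")
            return "reauth-required"
        return "ok"


class ThirdPartyApp:
    """A monitoring app: it stores a token and never sees the owner's password."""

    def __init__(self, client_id: str, provider: IdentityProvider) -> None:
        self.client_id, self.provider, self.token = client_id, provider, None

    def connect(self, auth_code: str) -> bool:
        self.token = self.provider.exchange_code(auth_code, self.client_id)
        return self.token is not None

    def fetch_vehicle_state(self, device_id: str) -> str:
        return self.provider.authorize(self.token, device_id)


def demo() -> dict:
    idp = IdentityProvider()
    idp.register("owner@example.com", "correct horse")          # no MFA
    idp.register("owner2@example.com", "correct horse", "123456")  # MFA enabled
    app = ThirdPartyApp("stats-app", idp)
    # The owner types credentials into the provider's form on their own phone; the app gets a code only.
    code = idp.login_form("owner@example.com", "correct horse", "stats-app", "owner-phone")
    results = {"app_connected": app.connect(code),
               "own_device": app.fetch_vehicle_state("owner-phone"),
               "token_from_other_device": app.fetch_vehicle_state("attacker-laptop")}
    # A leaked, reused password works at the provider's own form when there is no MFA...
    results["reused_password_no_mfa"] = idp.login_form(
        "owner@example.com", "correct horse", "stats-app", "attacker-laptop") is not None
    # ...but is refused when the account has MFA and the second factor is missing.
    results["reused_password_with_mfa"] = idp.login_form(
        "owner2@example.com", "correct horse", "stats-app", "attacker-laptop") is not None
    results["notices"] = len(idp.notices)
    return results


if __name__ == "__main__":
    print(demo())
```

Real providers add expiry, refresh tokens and scopes on top of this, but the two properties the post names are already visible here: `ThirdPartyApp` has no code path that ever receives a password, and `authorize` refuses a valid token the moment it shows up from a device other than the one it was issued to.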