
Whoa! Come on tesla!

Going off-topic, but the 1Password "standalone" license is still very much available. It's what I use vs. the subscription model. In the app, when you launch, on the welcome screen, underneath the "Subscribe now" button - there's one for "Need a licence. We have those too". That'll get you a standalone license.
Thanks. I do miss the bundles they used to have.
 
I'm not sure that's true. It seems to me like the result of the successful man in the middle here is that the hacker's computer has now been authenticated as a valid user by 2FA and issued a token, and he should then be able to do anything the app can do until the token expires...
That's true if it is authenticating the device for future use. I was thinking that it would use 2FA for all logins even if they were on the same device as a previous login.
 
People would be annoyed if 2FA was required all the time. Google/Apple, etc. allow 30 days. The man in the middle can always do that and get a 30-day auth.


Heck, people are trying (some successfully) by calling cell numbers and asking for the code that appears on the screen. Then they log in to the phone company page and order a new SIM or transfer the service.

Once the crook has the phone, all other accounts that use out of band 2FA (calls or text) are easily compromised.
 

Sharing this video because I’d hate to have mine stolen. I was surprised to learn Tesla doesn’t let you use 2 factor authentication at the minimum when I got mine. Heck, Gmail, my bank, all use this. Anyway, watch the vid. I know my password is randomly generated, but I’ll need to change this every month at least. My guess is to ease service maybe? Like how Apple makes you remove your login when doing warranty work.
Hmmm I thought in order for your phone to work as a key it had to be paired with one of the original key cards????
 
Never enter your login to an insecure (no HTTPS) site, and make sure the site is what it says it is / what you think it should be.

You can make a fake tesla.com webpage with perfect fidelity, but you can't fake the HTTPS certificates as easily. You'll have to compromise a root certificate and use it to issue your own certificate, or you would have to steal Tesla's private key.

If you just pay attention to the site name and ensure it's https then you should avoid these man in the middle attacks.
 
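The advice above (HTTPS only, and the host name really is the site you expect) can be checked mechanically before credentials are typed. The following is an added example, not code from the post or from Tesla: a small URL gate that rejects plain HTTP, credentials smuggled into the URL (`https://tesla.com@evil.example`), punycode look-alike hosts, and "tesla.com.something.example" style prefixes, plus a TLS context that keeps certificate and host-name verification switched on. `TRUSTED_DOMAINS` and every sample URL are constructed for the example.

```python
import ssl
from urllib.parse import urlsplit

# Constructed for this example: the domains the user actually means to log in to.
TRUSTED_DOMAINS = {"tesla.com"}


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a URL a login form is about to be submitted to.

    ok is True only when the scheme is https and the host is exactly a trusted
    domain or a real subdomain of one. Everything else is rejected with a reason.
    """
    parts = urlsplit(url)

    # 1. Transport: anything other than https is a man-in-the-middle gift.
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % parts.scheme

    # 2. Userinfo trick: "https://tesla.com@evil.example" shows the trusted name
    #    first, but the browser connects to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL (host is actually %r)" % parts.hostname

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    # 3. Punycode labels (xn--) are how Unicode look-alike domains are encoded;
    #    a trusted ASCII domain never needs them, so treat them as suspicious.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label in host %r" % host

    # 4. Exact match or genuine subdomain only. Suffix matching on "." + domain
    #    defeats "tesla.com.evil.example" (trusted name as a prefix) and
    #    "tesla-com.example" (lookalike) alike.
    for domain in trusted:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True, "host %r is within %r" % (host, domain)

    return False, "host %r is not a trusted domain" % host


def hardened_tls_context():
    """Client TLS context with chain and host-name verification left on.

    This is what makes a perfect-fidelity copy of a site fail: the attacker
    cannot present a certificate for the trusted host that chains to a root the
    client trusts. Turning either setting off (check_hostname=False,
    verify_mode=ssl.CERT_NONE) is the weak configuration to avoid.
    """
    ctx = ssl.create_default_context()
    assert ctx.check_hostname is True
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for sample in [
        "https://auth.tesla.com/login",
        "http://tesla.com/login",
        "https://tesla.com@evil.example/",
        "https://tesla.com.login-verify.example/",
        "https://tesla-com.example/",
        "https://xn--tsla-1qa.com/",
    ]:
        print(sample, "->", check_login_url(sample))
```

The suffix check is the part people get wrong: matching `"tesla.com" in host` would pass `tesla.com.login-verify.example`, while matching on `"." + domain` or an exact host does not.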
Not the unlock, start buttons, trunk, temp, etc within the app.

The Model 3 paired Bluetooth thingy - that works by proximity - requires pairing.
Oh wow, I assumed actual access to the car would require the initial pairing with one of the car cards. If the only real security are owners being savvy with password management, there are going to be a lot of easy targets.
 
Multifactor authentication is your friend; it should be deployed across all login elements, including web site, app and vehicle console. Passwords are a risk regardless of complexity and should be avoided when used alone. Bluetooth and RF relay attacks are real, which is also why it is a good idea to enable PIN to Drive.

Statistically, Teslas are a rather poor choice to steal, at least here in the States - and this is reflected in the stats that I've seen - a low theft rate, and a high recovery rate. I believe this is the article I read last year: https://electrek.co/2018/08/10/tesla-stolen-vehicles-us-recovered-thieves/

There is a careful balance between convenience and security; take it too far, and you may lower the driving experience. By way of example, until Apple added TouchID, most users (90%) didn't even PIN-enable their phones. Without a PIN, many of the cryptographic functions on the phone did not come into play, further reducing the user's data security. TouchID (and now FaceID) was a brilliant addition because it added multifactor authentication and is very easy to use - nearly all users have leveraged this technology since it was made available to them.

Adding a biometric or face recognition to the inside passenger facing camera would be a cool feature to have. The car could theoretically recognize who is sitting in the seats, and adjust accordingly, whereby a foreign or unrecognized face could trigger an alert or lock-down.

I sense that Tesla won't be inclined to add this based on theft statistics alone, but may do so if it adds convenience or cool factor that sets them even further ahead of their competitors.
 
All else aside, I have PIN to Drive enabled in my car. Case closed. It is completely unrelated to any of my personal information. Some hacker has a 1 in 10,000 chance of guessing it. And it isn't in any email or on my computer or written down anywhere.
 


Uh, you realize they can disable PIN to Drive if they have your tesla.com login info, right?

PIN to Drive is 0 protection at all against that. That's kind of a major point of the video.