
Tesla Model S REST API Authentication Flaws

Soulskill posted about a year ago | from the honk-if-i-control-your-car-remotely dept.

Transportation 161

An anonymous reader writes "New Tesla owner and Executive Director of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"

161 comments

I don't get it. (4, Funny)

Anonymous Coward | about a year ago | (#44689281)

Can someone give me a car analog?

Re:I don't get it. (4, Funny)

Rosco P. Coltrane (209368) | about a year ago | (#44689311)

Sorry, cars are digital these days.

Re:I don't get it. (1)

proxy318 (944196) | about a year ago | (#44689587)

well, how long before I can download one?

Re:I don't get it. (4, Funny)

Anonymous Coward | about a year ago | (#44689673)

You wouldn't copy a car, would you?

Re:I don't get it. (0)

Anonymous Coward | about a year ago | (#44689779)

Quite a few of us have already copied our cars, 3D printed them, and run them down a ski jump for flight time and distance just this last weekend [idsaconference.org]

Re:I don't get it. (0)

Anonymous Coward | about a year ago | (#44690513)

No one 3D printed a car. A blob that vaguely resembles the outside shape of a generic car, OK.

Re:I don't get it. (4, Funny)

theskipper (461997) | about a year ago | (#44691313)

Don't copy that jalopy!

Re:I don't get it. (1)

istartedi (132515) | about a year ago | (#44690169)

Maybe he really wants an analogue car. You know the kids that are hipsters now, their kids will be totally into ICE cars with carburetors and everything. (Sound of dust blowing off paper.) I just know these Studebaker share certificates will be worth something some day.

Re:I don't get it. (-1)

Anonymous Coward | about a year ago | (#44689453)

mod up as funny please

Can someone give me a car analog? (2)

bcong (1125705) | about a year ago | (#44689633)

Sure. It is like using web based certificates in PKI but in this case there is no revocation system and mandatory 3 month validity for all certs. I have to give this key to a third-party in order to be able to do anything user related like view my emails. That third-party or someone who gains access maliciously to the cert database can use this cert to make a connection to my computer that I can't turn off, to make my cpu spike or use up all the ink in my printer, until the 3 months is over.

...wait a minute, I think I did this wrong

Re:Can someone give me a car analog? (2)

az1324 (458137) | about a year ago | (#44689877)

I'm sure you could get a token revoked with an e-mail to Tesla. The API is not intended for use by third parties so really the only valid criticism here is "Tesla does not have a 3rd party API".

not quite correct (1)

Anonymous Coward | about a year ago | (#44689293)

The Tesla Model S will not allow you to run any controls remotely while you are driving even when logged into the iOS as a validated user. One can't honk the horn, flash light, vent the sunroof or unlock/lock the car while it is moving.

Re:not quite correct (2)

smack.addict (116174) | about a year ago | (#44689341)

I've done it before.

Re:not quite correct (1)

Anonymous Coward | about a year ago | (#44689485)

iOS doesn't "allow" you to jailbreak. Android doesn't "allow" you to root. To say you aren't "allowed" to do something, when all that's needed is a 3-month-useful token? Who knows what can happen that isn't allowed to happen during that time frame?

Re:not quite correct (0)

Anonymous Coward | about a year ago | (#44691041)

I own several Rockchip based Android devices and the chip manufacturer publishes the sudo and su executables and enables their installation via debugging. It looks like it is quite allowed.

Hopefully A Light Will Come On Over At Tesla (2, Interesting)

Anonymous Coward | about a year ago | (#44689325)

Hopefully a light will come on over at Tesla about API security. Let's just hope it's not a Phillips Hue (http://www.engadget.com/2013/08/14/philips-hue-smart-light-security-issues/)

so besides all that (0)

Anonymous Coward | about a year ago | (#44689329)

how fast is the car

how fast (4, Funny)

fyngyrz (762201) | about a year ago | (#44689401)

Well, terminal velocity will depend on two factors: The ultimate wind resistance of its tumbling chassis, and how high it is above the ground when you drop it.

Re:how fast (0)

Anonymous Coward | about a year ago | (#44690403)

You fail physics, funny guy: terminal velocity is a function of altitude, but not starting altitude.

Re:how fast (0)

Anonymous Coward | about a year ago | (#44691385)

You fail logic. If the height is only 1 inch, the terminal velocity is very low.

Re:so besides all that (4, Interesting)

Ralph Wiggam (22354) | about a year ago | (#44689559)

It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

Re:so besides all that (0)

Anonymous Coward | about a year ago | (#44689655)

4 seconds isn't very fast anymore. Curb weight doesn't make it more impressive, it makes it handle terribly. I don't plan on selling my Tesla Roadster any time soon. The Model S is a pig.

Re:so besides all that (0)

TomGreenhaw (929233) | about a year ago | (#44690495)

Huh, I think my Model S P85 handles extremely well. The NTSB certainly couldn't get it to roll over. My other car is a Corvette Z06 so I do know how to appreciate how a car handles.

Re:so besides all that (1, Interesting)

Anonymous Coward | about a year ago | (#44690519)

The Z06 isn't the pinnacle of good car handling. Heck, a $50k base Boxster is superior. American tastes I guess.

Re:so besides all that (0)

Anonymous Coward | about a year ago | (#44690791)

Don't recall him saying it's the pinnacle. Non-American comprehension I guess.

Re:so besides all that (2)

Ralph Wiggam (22354) | about a year ago | (#44690509)

The only other 4 door car that can do 0-60 in 4 seconds is the M5. Comparing a 5 passenger sedan to a 2 seater roadster isn't fair. It's also $30k less than your Roadster and almost every other car with sub 4 second 0-60 times.

Re:so besides all that (0)

Anonymous Coward | about a year ago | (#44689899)

It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

RPMs - is that Revolutions Per Minutes?

Re:so besides all that (1)

CanHasDIY (1672858) | about a year ago | (#44690173)

"RPMs" has been a standard abbreviation for "Revolutions Per Minute" since... well, probably since the advent of reciprocating assemblies.

Where the hell have you been?

Re:so besides all that (0)

Anonymous Coward | about a year ago | (#44691255)

or is it Revolution per Minutes ?

Re:so besides all that (0)

Anonymous Coward | about a year ago | (#44690237)

It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

RPMs - is that Revolutions Per Minutes?

No, it's RedHats Package Manager.

They should have used .debs.

Re:so besides all that (1)

Ralph Wiggam (22354) | about a year ago | (#44690603)

In a normal gas powered car with multiple gears, when you shift gears and drop the RPMs down, you lose torque and acceleration. In an electric car, which typically only has one gear, the car accelerates smoothly and evenly.

Re:so besides all that (1)

jshazen (233469) | about a year ago | (#44690619)

Electric motors operate at max torque at all RPMs.

RPMs - is that Revolutions Per Minutes?

Actually, yes. (Revolutions Per Minute)s.

If you're talking about a single angular velocity, use RPM. (The tach reads 'RPM', not 'RPMs'.)

But the GP used the phrase "at *all* RPMs", so he was clearly talking about multiple angular velocities.

Re:so besides all that (2)

elistan (578864) | about a year ago | (#44690765)

It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

Nitpick - max power at all RPMs. If a power source supplies a constant 10 kW, the electric motor will of course operate at a constant power of 10 kW. It should be obvious that 10 kW equates to very different torque values at 1 rpm and 10,000 rpm.

The advantage of electric motors, which you allude to, is that the max power (150 kW, 200 hp, whatever) is available immediately, rather than only once engine revs climb high enough like in a petrol engine. (Although due to real-world esoteric reasons I don't fully understand, the efficiency with which that power is turned into motive force isn't constant throughout the rev range - max torque of many electric motors is actually not right at 0 rpm, but the concept is close enough to reality to illustrate the differences between electric motors and internal-combustion engines.)

So a Tesla Model S will essentially operate at 310 kW regardless of engine speed, while an ICE with the same peak power output will generate 310 kW only at one specific RPM, and will be less, sometimes a lot less, at all other speeds.

ps - why is one a "motor" and another an "engine?" What's the difference?

Re:so besides all that (1)

keytoe (91531) | about a year ago | (#44691231)

ps - why is one a "motor" and another an "engine?" What's the difference?

According to MIT [mit.edu], not really anything these days.

They both came to describe the same thing from two different linguistic directions. It seems the only distinction between the terms these days is more rooted in nomenclature within a specific discipline and less on overall semantic accuracy.

Re:so besides all that (0)

Anonymous Coward | about a year ago | (#44691407)

Electric motors operate at max torque at all RPMs.

Nope. Electric motors have max torque at zero RPMs.

First World Priorities (1)

Anonymous Coward | about a year ago | (#44689331)

It seems pretty obvious that while an attacker couldn't directly cause an accident, say by taking over steering/acceleration/braking, there are many ways that the driver could be distracted, and distracted driving is extremely hazardous.

Of course, the real problem the author identifies is that someone could track your location(!). Obviously, inconspicuousness is a high priority for someone navigating public roads in a cutting edge automobile.

Re:First World Priorities (1)

Anonymous Coward | about a year ago | (#44689415)

Actually, it opens the car to theft...

Open sun roof, enter car, drive away...

Re:First World Priorities (5, Funny)

0123456 (636235) | about a year ago | (#44689451)

Yeah, but the battery will run out two miles down the road, so it's not really a big deal.

Re:First World Priorities (0)

Anonymous Coward | about a year ago | (#44690897)

Haters gonna hate, I guess.

Posted anonymously, because you know how to bring the crazy, and I don't want it focused on me.

Re:First World Priorities (1)

mlts (1038732) | about a year ago | (#44689521)

I think a would-be thief still has to fight the battle with the engine anti-theft system to get the vehicle on and moving.

Tesla has some teething pains, as they are in completely new territory, and are not in the usual good ol' boy club with the other automakers, so they have to fight tooth and nail for everything.

If this is their biggest issue (and in the scheme of things, it isn't that big a deal), it shows that their vehicles are pretty well engineered.

What I'd love to have as an option not just on a Tesla, but on all cars is a master key switch, or a menu option if the car's key is a fob and not a mechanical device. Flip the switch on, the vehicle disables all antennas except the close range one needed to detect if the key is in range (if it is a fob), or the passive RFID antenna, if the key is mechanical. That way, when the vehicle is parked in a fairly nasty location, tricks via websites, scanners, et al. would not work.

Re:First World Priorities (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44689869)

"Tesla has some teething pains, as they are in completely new territory, and are not in the usual good ol' boy club with the other automakers"

All of that should be an advantage when building the web-related software features... A nice clean slate, no horrible-legacy-spaghetti-of-grafting-more-and-more-shit-onto-the-onboard-bus; but plenty of lessons conveniently learned by other people about how not to fuck up authentication on the internet.

That's the sort of baffling thing about this class of problem. A bad web API isn't a 'Oh, yeah, I can see how that would be a really subtle one if you haven't been building cars for 50 years' type of issue.

Re:First World Priorities (1)

Luckyo (1726890) | about a year ago | (#44689999)

No, not at all. It means that you can bypass the old cruft, but you have to pay for it with teething problems from new tech you replace it with. Both methods have their good and bad points.

Re:First World Priorities (3, Informative)

AaronW (33736) | about a year ago | (#44689879)

There is a setting in the car where you can disable remote access. It's trivial to set.

Not quite getting it (3, Insightful)

fyngyrz (762201) | about a year ago | (#44689433)

There's something of a difference between "hey, look, some guy in a neat car" and "John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining."

You might be right. (0)

Anonymous Coward | about a year ago | (#44689607)

John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.

My car physically suddenly misbehaving, even if limited to peripheral systems -- that I can easily imagine causing a distraction and subsequently an accident.

Re:You might be right. (3, Interesting)

dgatwood (11270) | about a year ago | (#44689907)

John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

When the speed limit is 55.

Alternatively, when someone correlates driving patterns with murders and determines that you were parked in the parking lots of restaurants that were within walking distance of three unsolved murders. Can you prove you were eating? The whole time?

Yes, I can think of a lot of scenarios where you might care.

Re:You might be right. (1)

YrWrstNtmr (564987) | about a year ago | (#44690277)

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

A stalker, your spouse's lawyer, just to name a couple.
It's not a case of 'what can they do', or 'I have nothing to hide', but rather a case of 'it should not be that easy'.

Re:You might be right. (1)

Em Adespoton (792954) | about a year ago | (#44690975)

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

A stalker, your spouse's lawyer, just to name a couple.
It's not a case of 'what can they do', or 'I have nothing to hide', but rather a case of 'it should not be that easy'.

I was thinking something more along the lines of "Hmm... let's see if there are any Teslas in the area right now. Oh, there's one that's parked over in the shopping district! I think I'll go over, open the sun roof and see if there's anything I like inside...."

Re:You might be right. (0)

Anonymous Coward | about a year ago | (#44690467)

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.

Millions of restraining orders issued in the US every year. Not everyone has the luxury of not having to worry about who all might be out to get them. 1.5-2k women murdered per year in US by their SOs. You obviously have no idea what it is like to have to constantly watch over your shoulder. I hope you never do.

Re:You might be right. (1)

roc97007 (608802) | about a year ago | (#44690721)

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.

Millions of restraining orders issued in the US every year. Not everyone has the luxury of not having to worry about who all might be out to get them. 1.5-2k women murdered per year in US by their SOs. You obviously have no idea what it is like to have to constantly watch over your shoulder. I hope you never do.

Maybe he should be, and just doesn't realize it yet.

Re:You might be right. (0)

Anonymous Coward | about a year ago | (#44690605)

You're driving around in a potentially $90k vehicle which contains theft deterrents that pretty much only work when the car is locked and hasn't been started yet. Please tell me you're not daft enough that you fail to see how the information you listed could be put to use in a way that would deprive you of your shiny new toy.

Re:You might be right. (1)

Em Adespoton (792954) | about a year ago | (#44690999)

You're driving around in a potentially $90k vehicle which contains theft deterrents that pretty much only work when the car is locked and hasn't been started yet. Please tell me you're not daft enough that you fail to see how the information you listed could be put to use in a way that would deprive you of your shiny new toy.

Note to self: never drive Tesla in Florida.

Re:You might be right. (1)

roc97007 (608802) | about a year ago | (#44690705)

John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.

My car physically suddenly misbehaving, even if limited to peripheral systems -- that I can easily imagine causing a distraction and subsequently an accident.

Twenty miles due east of John Q. Public's current location, cellular services cease. Police response time to that location is estimated at 2.5 hours minimum. John Q. Public is driving a really expensive car, may be wearing expensive bling, and almost certainly has credit cards in his possession.

You can't think of anything bad that could happen?

Re:You might be right. (0)

Anonymous Coward | about a year ago | (#44691047)

Twenty miles due east of John Q. Public's current location, cellular services cease. Police response time to that location is estimated at 2.5 hours minimum. John Q. Public is driving a really expensive car, may be wearing expensive bling, and almost certainly has credit cards in his possession.

You can't think of anything bad that could happen?

Nothing that could not be done by someone who simply lay in wait in the same area, waiting for an expensive car to drive by.

All I have heard so far is loopy paranoia that assumes evil-doers who like to do things the hard way.

Re:You might be right. (1)

ArcadeNut (85398) | about a year ago | (#44691301)

Maybe I'm waiting to break into your house, and I want to know where you are currently at so I don't get caught....

Major fail for Tesla (4, Interesting)

RobinH (124750) | about a year ago | (#44689447)

With all the news about medical devices with deadly security flaws, and people even hacking into cars (even if only from the backseat), I can't believe Tesla really didn't even *try* to add proper security to their API. The only right way to do it (from a corporate perspective) is to hire an outside security company to audit your design and implementation, and to continue to monitor the security whenever changes are made (so continuously in this case). It's well known that you can't trust the programmers to implement security properly, especially if you had Elon Musk screaming over your shoulder like Steve Jobs all the time.

Re:Major fail for Tesla (5, Insightful)

Stainless_Steel_Mous (1130169) | about a year ago | (#44689585)

Classic failure mode for companies that do not primarily write software, but use software in their products. We are seeing more and more of the continued use of security through obscurity followed by goggle-eyed amazement that haxors would figure out a way to penetrate the systems of the device/vehicle/airplane/whatever, finally ending in lawsuits to attempt to hide the existence of grotesque security failures. I cannot wait for the first corporation to be sued for insecure product design.

Re:Major fail for Tesla (4, Interesting)

DuckDodgers (541817) | about a year ago | (#44689881)

Even for companies that primarily write software, it's easy to design something that looks secure to you but in fact is trivial to defeat. WEP wireless security is inherently flawed. PPTP VPNs from Microsoft are inherently flawed, though not as badly as WEP, and Microsoft has deprecated the entire protocol. WPS wireless easy setup is flawed. The AES encryption used by Megaupload in their re-launch earlier this year was not implemented properly, and thus is useless.

The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.

Re:Major fail for Tesla (1)

DarkOx (621550) | about a year ago | (#44691383)

WEP was never designed to be "secure"; it was designed to be inexpensive so low (compute) power devices could use it. It stands for "Wired Equivalent Privacy", which is not very private. Passively tapping your UTP Ethernet segment isn't exactly hard. All WEP was ever expected to do was discourage the casual snoop; a lock for honest people, if you will.

Ain't no new thing ... (0)

Anonymous Coward | about a year ago | (#44691271)

1994-09 Scientific American - Software's Chronic Crisis, W. Wayt Gibbs [software is being written but not by programmers]

Re:Major fail for Tesla (2)

synapse7 (1075571) | about a year ago | (#44690119)

I would assume Tesla's API to be better than industry standard before I took George's opinion.

Re:Major fail for Tesla (1)

Em Adespoton (792954) | about a year ago | (#44691057)

I would assume Tesla's API to be better than industry standard before I took George's opinion.

First rule of code security: if you implemented it yourself, it's not secure. Security requires many eyes, as the halting problem has not been solved yet.

Let me get this straight (4, Funny)

Doug Otto (2821601) | about a year ago | (#44689477)

"I can also honk their horns, flash their lights, and open and close the sunroof."

So he discovered a 10 year old?

Re:Let me get this straight (1)

smack.addict (116174) | about a year ago | (#44689489)

I have one of those as well as a 7-year old. They are much more interested in the Slacker access from the 17" screen.

Re:Let me get this straight (2)

Z_A_Commando (991404) | about a year ago | (#44689511)

With this flaw, you could (feasibly) automate Rick Rolls of Model S owners, no small child necessary.

Re:Let me get this straight (0)

Anonymous Coward | about a year ago | (#44689601)

I would like to see a video of a Model S being used to perform that song by the sound effects of its horn, windows, door locks, and sunroof.

Re:Let me get this straight (4, Funny)

plover (150551) | about a year ago | (#44689665)

"Never gonna roll your windows up,
Never gonna put your top down,
Never gonna run your battery down, or desert you."

Re:Let me get this straight (1)

roc97007 (608802) | about a year ago | (#44690745)

With this flaw, you could (feasibly) automate Rick Rolls of Model S owners, no small child necessary.

I want to see this as an Android application. Cross-reference with the license plate.

"Look, a model S"

"Oooh, what's the license plate?"

(Hilarity ensues.)

no exploits, though. (0)

Anonymous Coward | about a year ago | (#44689525)

From the summary :

I can target a site that provides value-added services to Tesla owners

This all seems scary, but it seems like all he is saying is that he can hypothetically exploit some hypothetical site. Can someone explain how this is different than me saying "I can install a key-logger on your computer and get your email password and read your email!"?

Re:no exploits, though. (1)

smack.addict (116174) | about a year ago | (#44689613)

In a world of interconnected devices (the Internet of Things), it's not about hypothetical sites. It's about real, interconnected sites. There are real sites out there that talk to Teslas and provide value beyond what Tesla provides. If you are building a connected device in 2013, you should take this reality into account.

Re:no exploits, though. (1)

geekoid (135745) | about a year ago | (#44689967)

And the stupidest phrase ever award goes to:
  Internet of Things!

The Tesla-plane Blues (1)

TimHunter (174406) | about a year ago | (#44689695)

I can also honk their horns, flash their lights, and open and close the sunroof.

I'd said I flashed your lights mama
your horn won't even blow
I even flash my lights mama
this horn won't even blow
Got a short in this connection
hoo-well, babe, it's way down below

Musk == Edison. (0)

Anonymous Coward | about a year ago | (#44689761)

'Nuff said.

Not catastrophic? (1)

RandomUsername99 (574692) | about a year ago | (#44689935)

I'd say being able to flash someone's headlights if they're driving on a winding, unlit road, at night, could most certainly be catastrophic.

Re:Not catastrophic? (1)

flimflammer (956759) | about a year ago | (#44691355)

That was exactly what I was thinking. That certainly sounds pretty catastrophic to me.

Seems Trollish (4, Insightful)

sl4shd0rk (755837) | about a year ago | (#44689955)

Tesla is a big target in the crosshairs of the automotive industry right now so I'm very skeptical. Tesla is doing what no other company has been able to do in the US and that seems to be a problem with everyone from dealers [huffingtonpost.com] to falsified reviews in The New York Times [time.com]. Let's do without the TFA drama and have a look at the egregious attack vectors listed:

1) You want to leverage a tool on a website with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves).

This is a really broad claim. What's more, if you haven't logged in over an SSL connection then... well, you're kind of a dumbass.

2) An attacker gains access to a website's database of authenticated tokens. It has free access to all of that site's cars up to 3 months with no ability for the owners to do anything about it.

This is no less dubious than so many online services that I couldn't begin to count. The risk of compromise is an accepted one and hopefully mitigated. No fair faulting them without seeing how they would handle said compromise.

In a nutshell, TFA is going to need to find more substantial basis for panic than this. Sheesh.

Re:Seems Trollish (1)

smack.addict (116174) | about a year ago | (#44690129)

Re: #1
What has logging in over SSL got to do with anything?

If a third-party is storing credentials that control everything, then you are screwed if that third-party is compromised. Twitter suffered greatly from these kinds of problems prior to adopting OAuth. The trick with OAuth is that the third-party never sees the primary credentials, just an application-specific set of credentials with very specific access rights. Because of the design of OAuth, it's also easy to revoke credentials on an app-by-app basis and thus not impact the other apps interacting with the OAuth system.

Re: #2

Tesla is blameworthy because they opted for a less secure approach than is commonly accepted practice. If a third-party is compromised in an OAuth environment, only that one token with the application's specific access rights is at risk. You can revoke it and re-issue without impacting anything else using those credentials.

Finally, there's no need for any panic at all. TFA is not pushing panic. It's pushing the facts of an architectural flaw that does not rise to the level of being an active vulnerability. A flaw that exists for no good reason at all.

Re:Seems Trollish (0)

Anonymous Coward | about a year ago | (#44690903)

Re falsified reviews:
if the api is insecure, how do you know that the claims by Tesla about that test drive are true ?

Not a security flaw (1)

Pup05 (1521195) | about a year ago | (#44690037)

Read the article. This 'flaw' requires a Tesla owner's email address AND password to 'exploit'.

Re:Not a security flaw (1)

CanHasDIY (1672858) | about a year ago | (#44690209)

Read the article. This 'flaw' requires a Tesla owner's email address AND password to 'exploit'.

Well, then, thank $deity that email addresses are impossible to find out, and that passwords are uncrackable.

Re: Not a security flaw (1)

mr100percent (57156) | about a year ago | (#44690213)

OR someone to log into a dodgy third party site, OR someone to crack a third party site and get all the tokens

Re: Not a security flaw (1)

Pup05 (1521195) | about a year ago | (#44690285)

Right, but then how is this a flaw on Tesla's part?

Re: Not a security flaw (1)

mr100percent (57156) | about a year ago | (#44691075)

That's something OAuth already addresses (which is why twitter and Facebook use it). When you log in via the portal page, it gives the third party app a token rather than letting them see your password. The token can be revoked at any time from your permissions page or the company can blacklist that app. Tesla's implementation shares the password with the third party apps AND the token can't be revoked early.
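The contrast smack.addict and mr100percent draw above (a third-party site that holds the owner's password and a three-month token nobody can revoke early, versus OAuth-style per-app tokens limited to specific rights and revocable one app at a time) as a runnable toy model. This is an added example, not code from the thread, from Tesla or from any OAuth library; the scope names, the 90-day and one-hour lifetimes and the `chargestats.example` site are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Car actions the thread mentions, as constructed scope names.
ALL_SCOPES = frozenset({"read_charge_state", "start_charge", "read_location",
                        "honk", "flash_lights", "open_sunroof"})

@dataclass
class Token:
    owner: str
    app: str
    scopes: frozenset
    expires_at: int
    revoked: bool = False

class AuthServer:
    """Toy issuer. 'shared_password' models the thread's description of the
    Tesla API: the third-party site holds the owner's password, every token
    carries every right for 3 months, nothing can be revoked early.
    'oauth_style' issues short-lived per-app tokens limited to the requested
    scopes, revocable one app at a time."""

    def __init__(self, policy, now=0):
        assert policy in ("shared_password", "oauth_style")
        self.policy = policy
        self.now = now        # fixed clock keeps the example deterministic
        self._creds = {}      # owner -> (salt, PBKDF2 digest)
        self._tokens = {}     # opaque token string -> Token

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_owner(self, owner, password):
        salt = secrets.token_bytes(16)
        self._creds[owner] = (salt, self._hash(password, salt))

    def _check_password(self, owner, password):
        if owner not in self._creds:
            return False
        salt, digest = self._creds[owner]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def issue(self, owner, password, app, requested_scopes):
        """Return an opaque token string, or None on bad credentials."""
        if not self._check_password(owner, password):
            return None
        if self.policy == "shared_password":
            scopes, ttl = ALL_SCOPES, 90 * 24 * 3600   # all rights, 3 months
        else:
            scopes, ttl = frozenset(requested_scopes) & ALL_SCOPES, 3600
        value = secrets.token_urlsafe(32)
        self._tokens[value] = Token(owner, app, scopes, self.now + ttl)
        return value

    def authorize(self, token, action):
        """Resource-server check: live, unrevoked token carrying the scope."""
        t = self._tokens.get(token)
        if t is None or t.revoked or self.now >= t.expires_at:
            return False
        return action in t.scopes

    def revoke_app(self, owner, app):
        """Owner cuts off one app; other apps' tokens keep working. Returns the
        number of tokens revoked (always 0 under shared_password)."""
        if self.policy == "shared_password":
            return 0
        hits = [t for t in self._tokens.values()
                if t.owner == owner and t.app == app and not t.revoked]
        for t in hits:
            t.revoked = True
        return len(hits)

def breach_third_party(server, site_db):
    """Threat model: the third-party site's database (a constructed dict) is
    dumped. Report which actions the dump now permits against each owner."""
    exposed = {}
    for owner, record in site_db.items():
        can = {a for a in ALL_SCOPES if server.authorize(record.get("token"), a)}
        if record.get("password") is not None:    # site kept the login itself
            fresh = server.issue(owner, record["password"], "other_client", ALL_SCOPES)
            can |= {a for a in ALL_SCOPES if server.authorize(fresh, a)}
        exposed[owner] = frozenset(can)
    return exposed

def demo():
    owner, pw = "alice@example.com", "correct horse battery staple"  # constructed
    app, wanted = "chargestats.example", {"read_charge_state"}
    legacy = AuthServer("shared_password")
    legacy.register_owner(owner, pw)
    legacy_db = {owner: {"password": pw, "token": legacy.issue(owner, pw, app, wanted)}}
    legacy.revoke_app(owner, app)                   # no early revocation exists
    oauth = AuthServer("oauth_style")
    oauth.register_owner(owner, pw)
    oauth_db = {owner: {"token": oauth.issue(owner, pw, app, wanted)}}  # no password
    before = breach_third_party(oauth, oauth_db)
    revoked = oauth.revoke_app(owner, app)
    after = breach_third_party(oauth, oauth_db)
    return breach_third_party(legacy, legacy_db), before, revoked, after
```

`demo()` returns, in order, what a dump of the site yields under the shared-password model (every action, because the stored password mints fresh all-rights tokens), under the OAuth-style model (only the one granted scope), how many tokens the owner could revoke, and what the dump yields after that revocation (nothing).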

Those who attempt to re-create Oauth... (1)

SuperKendall (25149) | about a year ago | (#44690045)

...are doomed to do so in a way that is somewhat less secure but infinitely more usable.

Re:Those who attempt to re-create Oauth... (1)

smack.addict (116174) | about a year ago | (#44690079)

When done right, OAuth is more secure and equally usable.

Usability issues crop up when OAuth is applied to contexts in which it makes no sense (system-to-system authentication).

As usual, some things got left out... (1)

Anonymous Psychopath (18031) | about a year ago | (#44690089)

Like the fact that Tesla's API is closed and 3rd-party applications are unauthorized and using it without any documentation other than what's been figured out through reverse-engineering. No doubt they need to do some work before publishing an API, but there's no warranty when you use homebrew.

Re:As usual, some things got left out... (2)

Nemyst (1383049) | about a year ago | (#44690329)

It can be closed and the documentation sealed in a titanium safe stored inside a reinforced container dropped at the bottom of the Mariana Trench for all I care; if the API is active in production models, it's going to get discovered and exploited. Nefarious usage, especially, won't be stopped by "Hey, you're not supposed to use this!"

There really is no excuse for this. It's just sloppy security practices.

Re:As usual, some things got left out... (1)

Anonymous Psychopath (18031) | about a year ago | (#44690537)

It can be closed and the documentation sealed in a titanium safe stored inside a reinforced container dropped at the bottom of the Mariana Trench for all I care; if the API is active in production models, it's going to get discovered and exploited. Nefarious usage, especially, won't be stopped by "Hey, you're not supposed to use this!"

There really is no excuse for this. It's just sloppy security practices.

I'm not trying to excuse anything, simply pointing out that this exploit can only be executed with the end-user as a willing, active participant. Please, show me a security model that works in that scenario.

Don't you guys get it (0)

Anonymous Coward | about a year ago | (#44690131)

This was intentional because the Tesla S is an electric car. The security issues were released on purpose.

Now the media will say things like "but anyone can potentially honk your car, avoid this electric car!".

Typical yanks (0)

Anonymous Coward | about a year ago | (#44690153)

NIH syndrome. Like most of the world's software security flaws, they stem from shitty Dumerican programmers and bean counter mega-corps.

Heater & A/C (1)

CanHasDIY (1672858) | about a year ago | (#44690273)

This brings 2 questions to mind:

1) Can an attacker use this exploit to remotely alter the heat and A/C settings?

2) Presuming the answer to 1 is yes, couldn't they use said exploit to overheat the element or over-cycle the compressor, causing a fire?

Third, kinda related question: Knowing that compressor motors and heating coils are the biggest amp draws in any circuit, how much does heater or A/C usage affect range? As in, running the A/C | heat at full blast would reduce the range from ~300 miles to what?

Re:Heater & A/C (1)

smack.addict (116174) | about a year ago | (#44690349)

1. Only if there is a vulnerable third-party site with whom the user has shared their credentials. Out of the box, no.

2. I would consider that a flaw in the car if you could do that. The API and the fact it resulted from a hack would be incidental to the whole thing.

No, Officer... (0)

Anonymous Coward | about a year ago | (#44690311)

...i didn't want to drive that fast, someone must have hacked my car...

OAuth for Apps? Seriously? (4, Interesting)

Luthair (847766) | about a year ago | (#44690375)

The article is mostly FUD. To start, OAuth is not a User->System authentication system, it's a three-party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to API, 3rd party to API, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service are also inherently present in OAuth when implemented in a non-web app:
* Entering login information into any application inherently provides it to the application's author
* SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token

The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.

While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one-time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile applications.
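The two models argued over in this thread (mr100percent's point that an OAuth-style portal hands the app a revocable token instead of the password, and Luthair's suggestion of a one-time token the user enters) side by side, as an added example that is not Tesla's code or anything from the article. Class and method names, the scope strings, the 90-day and 300-second lifetimes and the sample owner and app names are all assumptions chosen for illustration:

```python
"""Two ways a vehicle REST API can hand access to a third-party app.

Added example, not Tesla's code or the article's.  Names, scopes and TTLs
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time

OWNER, PASSWORD = "owner@example.com", "correct horse battery staple"  # constructed


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class _Accounts:
    """Password store shared by both models (PBKDF2, constant-time compare)."""

    def __init__(self):
        self._salt, self._accounts = secrets.token_bytes(16), {}

    def register(self, email, password):
        self._accounts[email] = _hash(password, self._salt)

    def _check(self, email, password):
        stored = self._accounts.get(email)
        if stored is None or not hmac.compare_digest(stored, _hash(password, self._salt)):
            raise PermissionError("bad credentials")


class PasswordSharingApi(_Accounts):
    """Pattern the thread criticises: the app collects email + password and swaps
    them for a long-lived, account-wide bearer token that cannot be revoked early."""

    def __init__(self):
        super().__init__()
        self._tokens = {}  # token -> (email, expires_at)

    def login(self, email, password, ttl=90 * 24 * 3600):
        self._check(email, password)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email, time.time() + ttl)
        return token

    def authorize(self, token, action):
        email, expires_at = self._tokens.get(token, (None, 0.0))
        return email is not None and time.time() < expires_at  # any action, any holder


class DelegatedAuthServer(_Accounts):
    """OAuth-style delegation: the owner approves one app on the vendor's portal or
    console, the app redeems a one-time code with its own secret, and the token it
    gets is bound to (owner, app, scopes).  The password never reaches the app."""

    CODE_TTL = 300  # seconds a one-time code stays valid (assumed)

    def __init__(self):
        super().__init__()
        self._clients, self._codes, self._tokens = {}, {}, {}

    def register_client(self, client_id, client_secret):
        self._clients[client_id] = _hash(client_secret, self._salt)

    def approve(self, email, password, client_id, scopes):
        """Owner authenticates to the vendor only; returns the code the app receives
        (via redirect, a scanned QR code, or typed in by hand)."""
        self._check(email, password)
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (email, client_id, frozenset(scopes), time.time() + self.CODE_TTL)
        return code

    def redeem(self, code, client_id, client_secret):
        """App proves its own identity; the code is burned whether or not it succeeds."""
        email, bound, scopes, expires_at = self._codes.pop(code, (None, None, None, 0.0))
        expected = self._clients.get(client_id)
        if (email is None or bound != client_id or expected is None or time.time() >= expires_at
                or not hmac.compare_digest(expected, _hash(client_secret, self._salt))):
            raise PermissionError("bad, expired or replayed code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email, client_id, scopes)
        return token

    def authorize(self, token, action):
        entry = self._tokens.get(token)
        return entry is not None and action in entry[2]

    def revoke_client(self, email, client_id):
        """Pull one app's grant; tokens held by the owner's other apps are untouched."""
        doomed = [t for t, (e, c, _) in self._tokens.items() if (e, c) == (email, client_id)]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def demo():
    """Breach one third-party app under each model and report what the attacker keeps."""
    shared = PasswordSharingApi()
    shared.register(OWNER, PASSWORD)
    stolen = shared.login(OWNER, PASSWORD)  # attacker holds the password, mints a fresh token
    delegated = DelegatedAuthServer()
    delegated.register(OWNER, PASSWORD)
    delegated.register_client("climate-app", "s3cret-A")
    delegated.register_client("stats-app", "s3cret-B")
    code_a = delegated.approve(OWNER, PASSWORD, "climate-app", {"climate:write", "vehicle:read"})
    tok_a = delegated.redeem(code_a, "climate-app", "s3cret-A")
    tok_b = delegated.redeem(delegated.approve(OWNER, PASSWORD, "stats-app", {"vehicle:read"}),
                             "stats-app", "s3cret-B")
    try:
        delegated.redeem(code_a, "climate-app", "s3cret-A")
        replayed = True
    except PermissionError:
        replayed = False
    revoked = delegated.revoke_client(OWNER, "climate-app")  # climate-app was breached
    return {
        "shared_attacker_can_act": shared.authorize(stolen, "climate:write"),
        "stats_app_can_write_climate": delegated.authorize(tok_b, "climate:write"),
        "code_replay_accepted": replayed,
        "revoked_grants": revoked,
        "climate_app_after_revoke": delegated.authorize(tok_a, "climate:write"),
        "stats_app_after_revoke": delegated.authorize(tok_b, "vehicle:read"),
    }
```

Under the first model the breached site's operator can simply log in as the owner again, and nothing the owner does short of changing the password or waiting out the TTL helps. Under the second, the owner only ever typed the password into the vendor's own portal, the breached app's token is useless for actions outside its scope, and revoking that one app leaves the other app's token working. Whether the code reaches the app by redirect, QR code or being typed in is a transport detail; the security property comes from the code being single-use, short-lived and redeemable only by the client it was issued to.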

To say these are flaws is an opinion (1)

TomGreenhaw (929233) | about a year ago | (#44690723)

It is a button press away to turn off remote access on the Tesla S console, so if an owner is concerned they can turn the interface off. TFA implies that if you give away your credentials and get hacked, you're screwed for 3 months, which is not true. Tesla warns repeatedly to be very careful about who you give your user name and password to, not because doing so creates a danger; they are just trying to educate their owners. Tesla's use of a proprietary system as opposed to OAuth isn't necessarily wrong or less secure. It does however point to a more interesting policy: Tesla will have more of an Apple-style walled garden than a wide-open Android marketplace for anything that communicates with the car. Finally, the whole business of economic loss and damage to the batteries is silly. I seriously doubt that less than a dollar's worth of electricity if somebody turns the air or heater on is going to be an issue for the typical Tesla owner. And no, the interface does not allow you to turn on the heater and the air conditioning at the same time; you can set the target temperature for the interior. Nobody is going to put up with this happening all the time, and suggesting battery damage by using the car in a way it was designed to be used exposes the article for what it is.

Re:To say these are flaws is an opinion (1)

smack.addict (116174) | about a year ago | (#44690947)

If I were to try this attack, I would up the car to a range charge and turn air conditioning on full blast. Then I would go through cycles of charging the battery up full and discharging it.

The electricity will add up, but maybe not a lot for most who can afford an $80K+ car.

The bigger issue is that this will decrease the battery life.

Re:To say these are flaws is an opinion (1)

TomGreenhaw (929233) | about a year ago | (#44691199)

I really don't think something like that would go on without being noticed. The first thing a Tesla owner looks at when they get in the car is its range, and if it was set to range mode or if the charge status was unexpected they would immediately be suspicious. In any case the batteries are covered unconditionally by Tesla for 8 years, so they really wouldn't take a hit.

RE N Y Times road test (1)

cinnamon colbert (732724) | about a year ago | (#44690921)

Much of Tesla's criticism of the Times was based, supposedly, on data that Tesla downloaded from the test vehicle.
Does this security flaw make it more likely that Tesla, or a Tesla employee, could have altered the data?

Rest assured... (1)

axis_omega (771398) | about a year ago | (#44691241)

Rest assured that the matter will be taken care of... And the trick will be to honk the car of Mr. Musk and it will be taken care of promptly.

bit behind (0)

Anonymous Coward | about a year ago | (#44691253)

Haven't people understood that the previous owner is all about hype and making money, not "make the future safe and fun" as he may like to claim...
