Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

Authentication flaws in the REST API (if you give 3rd party your private login info)

This site may earn commission on affiliate links.
#4
nspollution said:
I did a write-up on the Tesla REST API authentication model: http://broadcast.oreilly.com/2013/08/authentication-flaws-in-the-tesla-model-s-rest-api.html

Note: moved this to my O'Reilly blog (no idea why I put it on G+)
Click to expand...

Nice write-up, and I agree that OAuth makes good sense for this.

However, given the current situation that the API is not public and all third party uses are non-authorised, presumably from Tesla's point of view, the third-party flaws don't affect them.

* It cannot safely operate over any channel but a trusted SSL connection (minor)

Both existing official Apps do.

* It requires the sharing of the user's password with third-parties (major)

There are no authorised third parties.

* No mechanism exists for cataloging applications with active tokens (significant)

I am sure it exists on the server side. It is interesting that they don't invalidate the tokens when the user changes their password.

* No mechanism exists for revoking the access of a compromised application (major)

Not really sure what internal mechanisms they have.

* The automated expiration of tokens in 3 months encourages applications to improperly store your email and password (significant)

Again, not sure how the Tesla Apps do it. Do they ask you to re-authenticate after 3 months, or store credentials?

I really hope that Tesla make a public version of this API, and they address the third-party Apps concerns when they do it. My concern is that the longer they delay, the more unauthorized apps and services appear. Those websites that ask you to enter your credentials are truly terrifying.
 
#5
Brett said:
Nice write up. My concern if Tesla realizes this is that they suddenly decide to lock it down first and make the security tighter later, and during that time they cut off 3rd party access. And later ends up being never. The right thing to do would be per your recommendation, quickly implement OAuth, and push out a new version of their iOS app.
Click to expand...

They would break the iOS app if they did that. The threat is not serious enough to take this approach.

However, a lot of companies that don't understand the value of APIs often will take the approach you mention.

- - - Updated - - -

There are no authorised third parties.

This authorized third parties thing drives me nuts.

There are no such thing as authorized third-parties in an API economy.

There are no such thing as unauthorized third-parties either.

If the Tesla attitude is that third-parties should not be using the API, that's an even bigger failure than the security issues I present.
 
#6
Authentication flaws in the REST API

just read this... and thought the members involved in the API could give their thoughts on below

Article states the following flaws -
This model suffers from the following flaws:

  • It cannot safely operate over any channel but a trusted SSL connection (minor)
  • It requires the sharing of the user's password with third-parties (major)
  • No mechanism exists for cataloging applications with active tokens (significant)
  • No mechanism exists for revoking the access of a compromised application (major)
  • The automated expiration of tokens in 3 months encourages applications to improperly store your email and password (significant)
http://broadcast.oreilly.com/2013/08/authentication-flaws-in-the-tesla-model-s-rest-api.html
 
#7
Sigh. This makes the same very basic mistake as the other post. Let me put it bluntly: This API is not an official API and is not to be used by third-parties.
It was reverse-engineered from the iOS/Android apps. It does not facilitate any access for third-parties, so using the user credentials is not a major security issue, and the lack of "applications with active tokens" is entirely by design.

If you hand your user credentials to any third-parties for accessing the API, you're likely in violation of whatever user policy Tesla has, and you're being plain reckless.
 
#8
zeron said:
Sigh. This makes the same very basic mistake as the other post. Let me put it bluntly: This API is not an official API and is not to be used by third-parties.
It was reverse-engineered from the iOS/Android apps. It does not facilitate any access for third-parties, so using the user credentials is not a major security issue, and the lack of "applications with active tokens" is entirely by design.

If you hand your user credentials to any third-parties for accessing the API, you're likely in violation of whatever user policy Tesla has, and you're being plain reckless.
Click to expand...
Yet lots of people are doing just that (there are at least three 'services' that have solicited users here and that require you to hand over your credentials).

In all honesty, this is why I got involved in working on the teslams javascript project that allows people to do their own data collection and visualization - without handing credentials over to third parties.

(oh, and technically speaking, the Windows phone app is also a third party app that requires you to enter your credentials... I guess we can give the IOS and Android app a 'pass' as they are provided by Tesla...)
 
#10
The article was written by user nspollution on this forum. Nice commentary in the REST API thread. Great work you guys are doing! Hope Tesla will seek towards more cooperation with its user base rather than going protective.
 
#13
Yes, as others have said, there is no public Tesla API. What would be useful to evaluate is any exposures on the server-side, as used by the mobile apps (and assumingly by Tesla engineering). We have some ability to do that *because of* our investigation into using the internal API without permission.

It cannot operate safely over any channel but a trusted SSL connection
Click to expand...
This is not a flaw. It is a good thing. This prevents the stealing of credentials by 3rd parties (other than the NSA)

It requires the sharing of the user's password with third-parties
Click to expand...
It requires no such thing. The mobile apps store the credentials on the local store of the phone/tablet.

No mechanism exists for cataloging applications with active tokens
Click to expand...
As stated above, this is by design and is in no way a significant flaw.

No mechanism exists for revoking the access of a compromised application
Click to expand...
This is not true. Certainly the cookie can be invalidated on the server side. It's even possible that changing the password might do that automatically, but I have not tested it. In any case, access can be revoked manually.

The automated expiration of tokens in 3 months encourages applications to improperly store your email and password.
Click to expand...
Well, you can't have it both ways.

Of particular interest to me in the blog (for obvious reasons), was:

You want to leverage a tool on a web site with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves)
Click to expand...

The only reason this is possible is because of the reverse engineering of the internal API. I believe there are two such publicized websites (mine being one of them). Every time I mention it, I make it clear that you would have to trust me in order to use it, and although I claim to be very trustworthy, I don't recommend that anyone use it. (Having said that, 50 distinct people have used it even though I've only mentioned it on this site).

I do not store the email/password of anyone who uses it. Some people who read that blog might incorrectly assume that there is some requirement to do so (the "incorrectly" statement notwithstanding). There is no reason to store the username and password. I assume that the other site doesn't either.

- - - Updated - - -

I think there is one REAL security flaw:

There is no artificial delay added in getting credential failures. It is susceptible to a brute force attack to get someone's password.
 
#15
Zas said:
It seems like I have ruffled some feathers, but the reason for my post was because I saw this on the Forbes website with a pretty bold title " Newly Discovered Flaw May Open The Tesla Model S To Potential Attack From Hackers "

http://www.forbes.com/sites/reuvenc...sla-model-s-to-potential-attack-from-hackers/
Click to expand...

And THIS is the problem with discussing concerns with the reverse engineered API (or SPI) in a public forum. "journalists" (and I use that term rather broadly here) are looking desperately to find "newsworthy" items they can blow out of proportion.
It's a sad statement about the crap that is Forbes these days, but it's something to keep in mind when posting here :-(
 
#16
dirkhh said:
And THIS is the problem with discussing concerns with the reverse engineered API (or SPI) in a public forum. "journalists" (and I use that term rather broadly here) are looking desperately to find "newsworthy" items they can blow out of proportion.
It's a sad statement about the crap that is Forbes these days, but it's something to keep in mind when posting here :-(
Click to expand...

Exactly, and is one of the many reasons folks have the "don't copy me" signatures.
 
#19
nspollution said:
If they wanted the network protocol to be truly private, they did it wrong.

This is simply an undocumented API. An ecosystem is growing around it (as it always does) around APIs. This is a good thing.

They should be smart about that and design for that reality.
Click to expand...

But the point is that what you point out as "security flaws" are really "unsuitability for alternate uses". They are not security flaws for the intended purpose, i.e. a trusted app accessing the car. You can suggest things that make the API more useful for other scenarios, but in my opinion classifying them as security flaws is misleading.
 
#20
I am the original author and the "it's not a public/published API" is an idiotic defense.

I am a Tesla owner and an expert in REST API design. These are flaws whether or not Tesla "intended" the API to be public or not. People identify and build ecosystems around APIs. It happens all the time. It's an important value of the Tesla that this can happen.

What if you want your home automation software integrated with your Tesla?

The world is becoming more API-driven, and we need to be smarter about the way we design and consume APIs.
 
You must log in or register to reply here.

Similar threads

Y
FUSC 3rd Party Dealer
Replies
8
Views
2K
Model S
ucmndd
ucmndd
S
Extended Warranty - Used Model S bought from 3rd party dealer or private party
Replies
9
Views
2K
Model S
ev-now
ev-now
RonMoralesCA
Will Free Supercharging Transfer in private party sale? 2013 Model S 60
Replies
30
Views
4K
Model S
RonMoralesCA
RonMoralesCA
AcidTest
Can't login to Slacker
Replies
46
Views
15K
Model S: User Interface
ahkahn
ahkahn
VerityZooms
Tesla login-token generator
Replies
11
Views
23K
Model S: User Interface
HankLloydRight
HankLloydRight
Top
Back
Blog
New
Forum list
Marketplace
Menu