
Accounts affected by Heartbleed bug?


anticitizen13.7

I'm sure most people here are aware of the OpenSSL bug called "Heartbleed" that made headlines last week (http://arstechnica.com/information-...xplains-openssl-mistake-that-put-web-at-risk/ for a recap).

Did Tesla have any response to this? They might not have been affected, but given that some Model S functions can be activated via mobile phone app, it might be prudent to check.

Hopefully the Hacker Princess is keeping things safe at Tesla.
 
Unclear if Tesla uses OpenSSL and if so, what version:
LastPass - LastPass Heartbleed checker

Tesla should really post something in their blog about it. There's a decent chance they'll recommend everyone to change their password but we need to be sure they're not running a vulnerable server first. If they're not vulnerable, I'd also love to know why (but we might not get that info).

On a related note, anyone who shared their password with other sites that bridged over to the Tesla REST APIs should probably be discussed here too. I don't know what the sites are but a comment from the site maintainers would be good.
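The post above asks whether a service runs OpenSSL and, if so, which version. As an added example (not from this thread, from Tesla, or from the LastPass checker it links), here is the version-string triage a defender would run over their own service inventory: it parses `openssl version` style banners and buckets hosts against the release range the OpenSSL project listed as affected. The hostnames and banners are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected upstream releases per the OpenSSL project's April 2014 advisory:
# 1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release. 1.0.1g and 1.0.2-beta2
# carry the fix; the 0.9.8 and 1.0.0 branches never contained the heartbeat code.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)

Version = Tuple[int, int, int, str, Optional[int]]


def parse_version(banner: str) -> Optional[Version]:
    """Pull (major, minor, patch, letter, beta) out of an `openssl version` style banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed', 'not-affected' or 'unknown' by version alone."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f are flagged and 1.0.1g+ are not.
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 and the final 1.0.2 are fixed.
        return "vulnerable" if beta == 1 else "fixed"
    return "not-affected"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the ones needing a patch-and-rotate decision stand out."""
    groups: Dict[str, List[str]] = {
        "vulnerable": [], "fixed": [], "not-affected": [], "unknown": []
    }
    for host, banner in inventory.items():
        groups[heartbleed_status(banner)].append(host)
    return groups


# Constructed inventory for the example; hostnames and banners are made up.
SAMPLE_INVENTORY = {
    "web-01.example.invalid": "OpenSSL 1.0.1e",
    "web-02.example.invalid": "OpenSSL 1.0.1g",
    "api-01.example.invalid": "OpenSSL 1.0.0l",
    "legacy.example.invalid": "OpenSSL 0.9.8y",
    "staging.example.invalid": "OpenSSL 1.0.2-beta1",
    "lb-01.example.invalid": "nginx/1.4.7",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

One caveat that matters in practice: Linux distributions backported the fix without changing the upstream version letter, so a host that still reports 1.0.1e may already be patched at the package level. Treat "vulnerable" here as "confirm against the package changelog or a live test", and treat "unknown" (a front-end banner that hides the TLS library) as a host that still needs manual review.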
 
Over the past week, there has been lots of online news regarding a security vulnerability within versions of OpenSSL, known as the Heartbleed Bug. After a comprehensive review of our services by our dedicated team of information security professionals, we would like to report that we have not found any evidence of compromised exposure to the OpenSSL vulnerability and that our systems, including our website and vehicle related resources, are not using a version vulnerable to the Heartbleed Bug. Your account details remain secure. Regardless, we recommend that our customers change their passwords as an added precaution.

Whether it’s developing the car that has the highest safety rating or doing everything in our power to protect our customers against online incursions, security is Tesla’s top priority. Our dedicated team of best-in-class information security professionals protect our products and systems from vulnerabilities on an ongoing basis, and we continue to work with security researchers around the world who are incentivized to report any potential issues. To offer customers an extra level of confidence, two weeks ago, we updated our minimum password requirements from six to eight characters, and we encourage the use of passwords that are considerably stronger. We have also implemented a password lockout feature that requires MyTesla account holders to reset their passwords via our website after five failed login attempts.
We have taken these steps because we consider the security of the website and mobile application of paramount importance. Just as we encourage customers to protect their MyTesla credentials with the same care they would dedicate to any of their other accounts (online or otherwise) with sensitive information, we are committed to doing what we can to ensure the maximum level of protection. It’s also important to note that, in case customers remain concerned about general online or mobile app security, we have given Model S owners the option of disabling mobile access through the Controls menu on the car’s touchscreen.

We strongly encourage anyone to report security issues on any of Tesla’s products via the Responsible Reporting process on our website: https://www.teslamotors.com/about/legal#security-vulnerability-reporting....
Through that process, we offer a range of rewards to security researchers who report valid issues to help us bolster online security and further protect our products.
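The statement above gives two concrete policy numbers: an eight-character minimum and a lockout after five failed logins that holds until the owner resets the password. As an added example (not Tesla's code; nothing here describes how MyTesla is actually implemented), this is how a defender would encode that policy so the two edge cases that matter are handled: the failure counter clears only on a genuine success, and a locked account refuses even a correct guess until the reset path runs. The PBKDF2 parameters, the account-store class and the credentials are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

# The two numbers the statement gives: eight-character minimum, lockout after five failures.
MIN_PASSWORD_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
# Hash choice and iteration count are assumptions for this example, not Tesla's.
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = os.urandom(16)   # used to keep timing similar for unknown usernames


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Hypothetical in-memory account store enforcing the minimum-length and lockout policy."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def set_password(self, user: str, password: str) -> None:
        """Create or reset a password; a reset is the only thing that clears a lockout."""
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        acct = self.accounts.get(user)
        if acct is None:
            self.accounts[user] = Account(salt, _hash(password, salt))
        else:
            acct.salt, acct.pw_hash = salt, _hash(password, salt)
            acct.failed_attempts = 0
            acct.locked = False

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, _DUMMY_SALT)   # same work as a real check, so timing does not reveal valid usernames
            return "denied"
        if acct.locked:
            return "locked"   # refused even if this guess is right: the lock holds until a reset
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0   # only a real success clears the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Walk one account through five bad guesses, a correct-but-locked attempt and a reset."""
    store = AccountStore()
    user = "owner@example.invalid"                   # constructed account
    store.set_password(user, "correct-horse-8")      # constructed password, 15 characters
    results = [store.login(user, f"guess-{i}") for i in range(5)]
    results.append(store.login(user, "correct-horse-8"))   # right password, but the account is locked
    store.set_password(user, "new-strong-pass-9")          # the reset path clears the lock
    results.append(store.login(user, "new-strong-pass-9"))
    return results


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

The sixth call is the one worth noticing: without the `locked` check before the hash comparison, an attacker who happens to guess correctly on the attempt that trips the lock would still get in, and the lockout would protect nothing. A real deployment would also persist the counter outside the process and rate-limit by source as well as by account, neither of which the statement describes.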
 
Please also add an SMS OTP option for the website, a PIN code lock in the car for changing settings (to protect it when with a valet, detailer, etc.), and a GPS ring-fencing function for the car, meaning I get an alarm in the phone app if the car moves more than x meters/km.
 
First of all, credit to TM Ownership (and presumably internal security staff) for responding to this. The password requirement improvements and communicating a vulnerability reporting process is progress.

However, this post really feels like an earnest communication effort from a security department overly edited by a marketing department, removing the ability to know the precise security situation. By 4/15, it is clear that most web sites that were vulnerable to Heartbleed were no longer running the vulnerable versions of OpenSSL, nor had they any evidence of exposure. (There would typically not be any evidence left in a successful exploit of Heartbleed.)

What would be a better statement to make is whether Tesla was running a vulnerable version of OpenSSL during this period and that it was patched since. In that scenario, there was clear possibility of a leak and we should definitely rotate passwords - indeed many sites are requiring it. Given that you recommend that we all rotate passwords, I assume that is the case but it's a pity you are not clearer on the subject, as many web sites have been.

These two statements seem in conflict in the context of Heartbleed:
> Your account details remain secure.
> we recommend that our customers change their passwords as an added precaution.

How do you know our account details remain secure if there was ever Heartbleed exposure? If there was never exposure, please say so.

Thank you!
 
This is a good point. Extra clarification would be welcome.

I believe that the recommendation that customers change passwords exists because there are many people who use the same password for multiple sites, despite the practice being generally discouraged. If someone has used the password they use for Tesla on another website that was affected by Heartbleed, a hacker could conceivably have stolen the password and might try it on the Tesla website. EDIT - Kraken beat me to it. Should have read through the whole thread, LOL.