
Model S "Hacked" (again)?

All of the mentioned commands are accessible through the app, and nothing really noteworthy to access. I would be surprised if someone (not an owner who has a ton of time and access to the CAN bus) actually hacked the car.
 
All of the mentioned commands are accessible through the app, and nothing really noteworthy to access. I would be surprised if someone (not an owner who has a ton of time and access to the CAN bus) actually hacked the car.
I figured the same, which is why I used "hacked" in the title. There's some kind of vulnerability in Tesla's website/app, again, and probably not the car itself.
 
This whole hack contest and winner is absolutely ridiculous. It sounds like someone came on these forums, found the REST API and library on github, and simply ran the program that was already coded to do exactly that. This is a public facing API. That should *NOT* qualify as a hack and most certainly should *NOT* have won the contest. Now, if somebody was able to unlock their S40 to an S60, or enable supercharging on their S40/S60 via software hack - THAT's a real hack worthy of the prize.
 
If someone steals my Tesla webapp password, or steals my iPhone with a stored password, and then executes these functions - is that considered a vulnerability in the Model S software ? - just asking

To wannabe security researchers desperate to make names for themselves, yes.

Well if they don't implement any lockout period after x unsuccessful attempts, don't insist on strong password etc., the system is weak and vulnerable in a strict security sense.

Arguably, such measures are not necessary, because what the password is protecting isn't that important. Of course, with the password, you can unlock the car or exercise controls that could potentially distract the driver, so you may deem security more important because of that.
 
From my understanding, and please correct me if I am wrong, but when using third party apps, such as Visible Tesla, I think you are giving your password to a third party not associated with Tesla, as well as to anyone who has access to that app's database.
 
From my understanding, and please correct me if I am wrong, but when using third party apps, such as Visible Tesla, I think you are giving your password to a third party not associated with Tesla, as well as to anyone who has access to that app's database.

Yes, don't do that.

Actually, I think Visible Tesla is an app that you run on your own computer, so you don't need to give your password to anybody. I haven't used it. Though you do have to trust the code to handle your password properly, of course, and not secretly send it to some server.
 
I thought they insisted on at least 8 with upper lower and number in it...

I think it used to be 6 until the last time the website/API was hacked, after which they increased the password requirements and implemented an incorrect password lockout mechanism.

From my understanding, and please correct me if I am wrong, but when using third party apps, such as Visible Tesla, I think you are giving your password to a third party not associated with Tesla, as well as to anyone who has access to that app's database.

Depends on implementation. From my basic understanding, communication via the API actually occurs via something akin to cookies. In Visible Tesla, for example, you enter your password, but Visible Tesla keeps the cookie. It doesn't need to know the password other than as a means for it to get the cookie. Indeed, VT doesn't require you to let it save your password. If you do let it, it's stored encrypted, but that's obviously up to the developer, whom you have to trust not to steal your password in either case. Maybe Joe will pop in and clarify.
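The password-for-token exchange described in the post above, together with the failed-login lockout raised earlier in the thread, modelled as an added example that is not part of the original thread and not Tesla's or Visible Tesla's code. AuthService, ThirdPartyClient, MAX_FAILURES and the toy vehicle_state response are all constructed for illustration; the point is that the client holds only a revocable token, never the password.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

MAX_FAILURES = 5  # constructed policy: refuse logins after this many consecutive bad passwords


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuthService:
    """Toy in-memory account service standing in for the vendor side; not Tesla's real API."""
    users: dict = field(default_factory=dict)     # user -> (salt, pbkdf2 hash)
    tokens: dict = field(default_factory=dict)    # token -> user
    failures: dict = field(default_factory=dict)  # user -> consecutive failed logins
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        """Exchange a password for a bearer token; None on bad password or lockout."""
        rec = self.users.get(user)
        if rec is None or self.failures.get(user, 0) >= MAX_FAILURES:
            return None
        salt, stored = rec
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures[user] = self.failures.get(user, 0) + 1
            return None
        self.failures[user] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def vehicle_state(self, token):
        user = self.tokens.get(token)
        return {"owner": user, "locked": True} if user else None

    def revoke_tokens(self, user):
        """What a password change or 'log out everywhere' does to every stored token."""
        self.tokens = {t: u for t, u in self.tokens.items() if u != user}


class ThirdPartyClient:
    """Keeps only the token; the password is handed over once and never stored."""
    def __init__(self, service):
        self.service, self.token = service, None
    def connect(self, user, password):
        self.token = self.service.login(user, password)
        return self.token is not None
    def poll(self):
        return self.service.vehicle_state(self.token)
```

Revoking the tokens cuts off a third-party client without the owner's password ever having been stored by it, which is the property the post is describing.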
 
Though you do have to trust the code to handle your password properly, of course, and not secretly send it to some server.
VT is open source, so you can check the code yourself if you know how. With the exposure it has received, if there was something malicious going on or a blatant security vulnerability, I'm sure someone in the community would have found it and made everyone else aware if the developer didn't fix it or accept someone else's fix in a timely manner.
 
VT is open source, so you can check the code yourself if you know how. With the exposure it has received, if there was something malicious going on or a blatant security vulnerability, I'm sure someone in the community would have found it and made everyone else aware if the developer didn't fix it or accept someone else's fix in a timely manner.

The API doesn't allow that stuff while the car is moving. I know because (at the request of a friend) I wrote some code to run in the background and honk the horn every time you approach the Tesla statue in Palo Alto. It doesn't work :)
 
VT is open source, so you can check the code yourself if you know how. With the exposure it has received, if there was something malicious going on or a blatant security vulnerability, I'm sure someone in the community would have found it and made everyone else aware if the developer didn't fix it or accept someone else's fix in a timely manner.

I don't mean to suggest that VT is doing anything malicious, just that in general, it's something to think about.
 
Depends on implementation. From my basic understanding, communication via the API actually occurs via something akin to cookies. In Visible Tesla, for example, you enter your password, but Visible Tesla keeps the cookie. It doesn't need to know the password other than as a means for it to get the cookie. Indeed, VT doesn't require you to let it save your password. If you do let it, it's stored encrypted, but that's obviously up to the developer, whom you have to trust not to steal your password in either case. Maybe Joe will pop in and clarify.

I find it surprising that in this day and age Tesla had to resort to a homegrown insecure way for 3rd party apps to use their APIs. Anyone who has used a Twitter client knows there is a better way to handle such scenarios - OAuth

Only 2 reasons I can think of for Tesla not implementing OAuth:
  1. They think the APIs are not worth such protection: Strange given that it does expose personal location data, could potentially cause nuisance, power of APIs could themselves be beefed up at some point
  2. They never foresaw 3rd party hacks like VT: tsk, tsk....
 
I find it surprising that in this day and age Tesla had to resort to a homegrown insecure way for 3rd party apps to use their APIs. Anyone who has used a Twitter client knows there is a better way to handle such scenarios - OAuth

Only 2 reasons I can think of for Tesla not implementing OAuth:
  1. They think the APIs are not worth such protection: Strange given that it does expose personal location data, could potentially cause nuisance, power of APIs could themselves be beefed up at some point
  2. They never foresaw 3rd party hacks like VT: tsk, tsk....

I don't find it surprising, because it's completely unnecessary to add any more security than they already have.