
iPhone app login credentials and a big security hole?

I recently posted about my charge port door opening overnight here: Phantom charge port door opening?

Now also my rear hatch has opened up by itself once over night, and I'm sure I'm not hitting the remote.

So I think someone might have my Mytesla login credentials and is hacking their way around my car.

So I just went to the my.teslamotors.com website and changed my password.

But my iPhone and iPad apps are still connected to my car!

I'm stunned that these apps do not re-authenticate themselves at least every time the app is opened up. I even did a "force quit" on them and they still open up connected to, and controlling my car with no re-login authentication.

Now if someone does have my OLD credentials, they can still happily go along and control my car. This seems like a really strange oversight to me.
 
Technically, when you authenticate with the App you are given a token and that token is used for future authentication until it expires (or is deleted on the server).

Tesla should be deleting all tokens if you change your password on My Tesla. I've heard this reported before (in the API threads somewhere), and your report sounds like they still aren't doing it.
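As an added illustration of the behaviour described above (constructed for this thread, not code from Tesla or from any poster): a toy server-side token store in which each account carries a credential-generation counter, so that a password change invalidates every previously issued token without waiting for its expiry. Account, token and TTL values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of a server-side token store (assumed design, not Tesla's
# code): each account keeps a credential-generation counter and every token
# records the generation it was issued under, so a password change that bumps
# the counter revokes all outstanding tokens at once, before natural expiry.
TOKEN_TTL = 90 * 24 * 3600  # three months, the lifetime the quoted blog post cites


def _hash(password):
    # Fixed salt keeps the toy deterministic; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 50_000)


class TokenStore:
    def __init__(self):
        self.accounts = {}  # email -> {"pw_hash": bytes, "generation": int}
        self.tokens = {}    # token -> (email, generation_at_issue, expires_at)

    def register(self, email, password):
        self.accounts[email] = {"pw_hash": _hash(password), "generation": 0}

    def _password_ok(self, email, password):
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(acct["pw_hash"], _hash(password))

    def login(self, email, password, now):
        # Issue a bearer token, or None on bad credentials; `now` is a unix time.
        if not self._password_ok(email, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, self.accounts[email]["generation"], now + TOKEN_TTL)
        return token

    def authenticate(self, token, now):
        # Return the account email if the token is still valid, else None.
        entry = self.tokens.get(token)
        if entry is None or now >= entry[2]:
            return None  # unknown token or natural expiry
        email, generation, _ = entry
        if generation != self.accounts[email]["generation"]:
            return None  # issued before the last password change: revoked
        return email

    def change_password(self, email, old_password, new_password):
        # Rotate the password; the generation bump invalidates every older token.
        if not self._password_ok(email, old_password):
            return False
        self.accounts[email]["pw_hash"] = _hash(new_password)
        self.accounts[email]["generation"] += 1
        return True
```

The "unspecified caching interval" quoted later in the thread is exactly what a design like this avoids: validation reads the live generation counter on every request, so revocation is immediate rather than delayed by cached token state.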
 
I remember now where I first read about this. Back in 2013, George Reese's 'the API is flawed' blog:

Authentication Flaws in the Tesla Model S REST API - O'Reilly Broadcast

I really hate to bring it back up here, given that George and I disagree philosophically on the possible existence of private APIs, but he has some insight into this.

In his original post he wrote:

No mechanism exists for revoking the access of a compromised application (major)

In a later revision (based on community feedback), he retracted that and put:

-> attacker gains access to a web site's database of authenticated tokens. It has free access to all of that site's cars up to 3 months unless the user changes their TeslaMotors.com password, in which case access for all third-party applications is revoked give or take some unspecified caching interval.

So, seems that at that time, changing the my tesla password resolved this, but that was subject to some unspecified caching interval.
 
I agree this is a significant hole. I have confirmed that changing my password did not prevent my Android app from connecting.

It looks like they fixed this. It prompted me for a password this morning, finally. I then changed my password again, and it prompted me for a password when I tried the app an hour later.

This is for the Android app, btw, tho I bet it is the same for iOS
 

Yes, I've been meaning to post an update to this thread.

After I posted this thread, I was contacted by a Tesla engineer who was working to fix the issue, which he told me they did. It did require expiring a lot of tokens that day, so a lot of people may have had to re-login as a result, but they did tell me the issue that I had has been fixed. They also told me that they hope to offer more control over auth tokens and device access in the future.
 
Interesting! I noticed a few days ago that I had to log in unexpectedly when I was checking my charging status. Guess this explains it.
 

Good to know they're on it. Perhaps with the "hacker princess" gone, Tesla should get a new security team in place to do pen tests and such on a regular basis (if they don't already)