Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tesla Model S REST API Authentication Flaws

Posted by Soulskill on from the honk-if-i-control-your-car-remotely dept.

An anonymous reader writes "New Tesla owner and Executive DIrector of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"

7 of 161 comments (clear)

  1. Hopefully A Light Will Come On Over At Tesla by Anonymous Coward · · Score: 2, Interesting

    Hopefully a light will come on over at Tesla about API security. Let's just hope it's not a Phillips Hue (http://www.engadget.com/2013/08/14/philips-hue-smart-light-security-issues/)

  2. Major fail for Tesla by RobinH · · Score: 4, Interesting

    With all the news about medical devices with deadly security flaws, and people even hacking into cars (even if only from the backseat), I can't believe Tesla really didn't even *try* to add proper security to their API. The only right way to do it (from a corporate perspective) is to hire an outside security company to audit your design and implementation, and to continue to monitor the security whenever changes are made (so continuously in this case). It's well known that you can't trust the programmers to implement security properly, especially if you had Elon Musk screaming over your shoulder like Steve Jobs all the time.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Major fail for Tesla by DuckDodgers · · Score: 4, Interesting

      Even for companies that primarily write software, it's easy to design something that looks secure to you but in fact is trivial to defeat. WEP wireless security is inherently flawed. PPTP VPNs from Microsoft are inherently flawed, though not as badly as WEP, and Microsoft has deprecated the entire protocol. WPS wireless easy setup is flawed. The AES encryption used by Megaupload in their re-launch earlier this year was not implemented properly, and thus is useless.

      The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.

  3. Re:so besides all that by Ralph+Wiggam · · Score: 4, Interesting

    It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

  4. Re:You might be right. by dgatwood · · Score: 3, Interesting

    John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

    Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

    When the speed limit is 55.

    Alternatively, when someone correlates driving patterns with murders and determines that you were parked in the parking lots of restaurants that were within walking distance of three unsolved murders. Can you prove you were eating? The whole time?

    Yes, I can think of a lot of scenarios where you might care.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. OAuth for Apps? Seriously? by Luthair · · Score: 4, Interesting

    The article is mostly FUD. To start, OAuth is not a User->System authentication system, its a three party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to api, 3rd party to api, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service, are also inherently present in OAuth when implemented in a non-web app:
    * Entering login information into any application inherently provides it to the application's author
    * SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token

    The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.

    While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile application.

  6. Re:so besides all that by Anonymous Coward · · Score: 1, Interesting

    The Z06 isn't the pinnacle of good car handling. Heck, a $50k base Boxster is superior. American tastes I guess.