Tesla Model S REST API Authentication Flaws

An anonymous reader writes "New Tesla owner and Executive DIrector of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"

I don't get it.

Can someone give me a car analog?

Re:I don't get it.

[Rosco+P.+Coltrane]

Sorry, cars are digital these days.

Re:I don't get it.

[proxy318]

well, how long before I can download one?

Re:I don't get it.

You wouldn't copy a car, would you?

Re:I don't get it.

[istartedi]

Maybe he really wants an analogue car. You know the kids that are hipsters now, their kids will be totally into ICE cars with carburetors and everything.(sound of dust blowing off paper) I just know these Studebaker share certificates will be worth something some day.

Re:I don't get it.

[theskipper]

Don't copy that jalopy!

Re:I don't get it.

[Fnord666]

You're going to need a bigger printer.

Re:I don't get it.

[Meski]

"All hands, brace for impact!"

not quite correct

The Tesla Model S will not allow you to run any controls remotely while you are driving even when logged into the iOS as a validated user. One can't honk the horn, flash light, vent the sunroof or unlock/lock the car while it is moving.

Re:not quite correct

[smack.addict]

I've done it before.

Re:not quite correct

iOS doesn't "allow" you to jailbreak. Android doesn't "allow" you to root. To say you aren't "allowed" to do something, when all that's needed is a 3-month-useful token? Who knows what can happened that isn't allowed to happen during that time frame?

Re:not quite correct

[msauve]

"One can't honk the horn, flash light, vent the sunroof or unlock/lock the car while it is moving."

What good's a horn or sunroof, if you can't use it while moving?

Re:not quite correct

What good's a horn or sunroof, if you can't use it while moving?

That's because it's a REST API, duh! You can only use it when the car is at rest.

Hopefully A Light Will Come On Over At Tesla

Hopefully a light will come on over at Tesla about API security. Let's just hope it's not a Phillips Hue (http://www.engadget.com/2013/08/14/philips-hue-smart-light-security-issues/)

First World Priorites

It seems pretty obvious that while an attacker couldn't directly cause an accident, say by taking over steering/acceleration/braking, there are many ways that the driver could be distracted, and distracted driving is extremely hazardous.

Of course, the real problem the author identifies is that someone could track your location(!). Obviously, inconspicuousness is a high priority for someone navigating public roads in a cutting edge automobile.

Re:First World Priorites

Actually, it opens the car to theft...

Open sun roof, enter car, drive away...

Re:First World Priorites

[0123456]

Yeah, but the battery will run out two miles down the road, so it's not really a big deal.

Re:First World Priorites

[mlts]

I think a would-be thief still has to fight the battle with the engine anti-theft system to get the vehicle on and moving.

Tesla has some teething pains, as they are in completely new territory, and are not in the usual good ol' boy club with the other automakers, so they have to fight tooth and nail for everything.

For this to be their biggest issue, and in the scheme of things, it isn't that big a deal, it shows that their vehicles are pretty well engineered.

What I'd love to have as an option not just on a Tesla, but on all cars is a master key switch, or a menu option if the car's key is a fob and not a mechanical device. Flip the switch on, the vehicle disables all antennas except the close range one needed to detect if the key is in range (if it is fob), or the passive RFID antenna, if the key is mechanical. That way, when the vehicle is parked in a fairly nasty location, tricks via websites, scanners, et. al. would not work.

Re:First World Priorites

[fuzzyfuzzyfungus]

"Tesla has some teething pains, as they are in completely new territory, and are not in the usual good ol' boy club with the other automakers"

All of that should be an advantage when building the web-related software features... A nice clean slate, no horrible-legacy-spaghetti-of-grafting-more-and-more-shit-onto-the-onboard-bus; but plenty of lessons conveniently learned by other people about how not to fuck up authentication on the internet.

That's the sort of baffling thing about this class of problem. A bad web API isn't a 'Oh, yeah, I can see how that would be a really subtle one if you haven't been building cars for 50 years' type of issue.

Re:First World Priorites

[AaronW]

There is a setting in the car where you can disable remote access. It's trivial to set.

Re:First World Priorites

[Luckyo]

No, not at all. It means that you can bypass the old cruft, but you have to pay for it with teething problems from new tech you replace it with. Both methods have their good and bad points.

how fast

[fyngyrz]

Well, terminal velocity will depend on two factors: The ultimate wind resistance of its tumbling chassis, and how high it is above the ground when you drop it.

Re:how fast

[Kielistic]

That just means the object never reached terminal velocity. Unless I am wrong in remembering terminal velocity being the maximum velocity a falling object can reach. Ie. when its acceleration becomes 0. So I suppose altitude would make a difference due to differences in air pressure but hitting the ground still does not affect the terminal velocity of an object at x air pressure.

Re:how fast

[fyngyrz]

Drop from 22,000 miles: terminal velocity will be different than if you drop from 1 mile. So will several other things, like the temperature of the object, and the cost of the experiment. :)

Not quite getting it

[fyngyrz]

There's something of a difference between "hey, look, some guy in a neat car" and "John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining."

Major fail for Tesla

[RobinH]

With all the news about medical devices with deadly security flaws, and people even hacking into cars (even if only from the backseat), I can't believe Tesla really didn't even *try* to add proper security to their API. The only right way to do it (from a corporate perspective) is to hire an outside security company to audit your design and implementation, and to continue to monitor the security whenever changes are made (so continuously in this case). It's well known that you can't trust the programmers to implement security properly, especially if you had Elon Musk screaming over your shoulder like Steve Jobs all the time.

Re:Major fail for Tesla

[Stainless_Steel_Mous]

Classic failure mode for companies that do not primarily write software, bur use software in their products. We are seeing more and more of the continued use of security through obscurity followed by goggle-eyed amazement that haxors would figure out a way to penetrate the systems of the device/vehicle/airplane/whatever, finally ending in lawsuits to attempt to hide the existence of grotesque security failures. I cannot wait for the first corporation to be sued for insecure product design.

Re:Major fail for Tesla

[DuckDodgers]

Even for companies that primarily write software, it's easy to design something that looks secure to you but in fact is trivial to defeat. WEP wireless security is inherently flawed. PPTP VPNs from Microsoft are inherently flawed, though not as badly as WEP, and Microsoft has deprecated the entire protocol. WPS wireless easy setup is flawed. The AES encryption used by Megaupload in their re-launch earlier this year was not implemented properly, and thus is useless.

The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.

Re:Major fail for Tesla

[synapse7]

I would assume Tesla's API to be better than industry standard before I took George's opinion.

Re:Major fail for Tesla

[Em+Adespoton]

I would assume Tesla's API to be better than industry standard before I took George's opinion.

First rule of code security: if you implemented it yourself, it's not secure. Security requires many eyes, as the halting problem has not been solved yet.

Re:Major fail for Tesla

[DarkOx]

WEP was never designed to be "secure" it was designed to be inexpensive so low (compute) power devices could use it. It stands for "Wired Equivalent Privacy" which is not very private. Passively tapping your UTP Ethernet segment isn't exactly hard. All WEP was ever expected to do was discourage the causal snoop; a lock of honest people if you will.

Re:Major fail for Tesla

[DuckDodgers]

TKIP modifies WEP to be secure, and TKIP runs on any hardware that can run WEP.

WEP was designed to be secure, nobody would go through the trouble to invent a security protocol that they knew could be defeated by commodity hardware in under an hour. WEP was just designed poorly.

Re:Major fail for Tesla

[pavera]

The problem with the article and the sentiment you express is that this api is *not* a third party api. It is not published, it is not intended for use by third parties. Oauth is a PITA. Why would tesla setup Oauth between themselves and... themselves?

Oauth is designed to work between 3 parties, the user, the "authenticator", and a third party app that wants to access the authenticated service on behalf of the user. In this case, tesla implemented an API for their app to communicate with, so there is no third party involved, and the system wasn't designed to support third party apps. Now, intrepid hackers have reversed engineered this api, and services have begun popping up that provide "functionality" via this api, but they require you as the user to fully trust a third party that is *violating terms of service* and using an unpublished api that they've reverse engineered. If you as a user trust this third party you are foolish.

There are no Tesla approved third party apps, this API wasn't designed for use by third parties, so why would anyone expect Tesla to implement a third party authentication protocol? Is the argument really that *any* API exposed to the internet must provide access to third party apps? That seems a rather untenable position to take. Certainly its not unreasonable for Tesla to ask for your username/password in *their own app*?

I'm much more concerned about banks not implementing oauth, and the fact that there are literally millions of people handing out their banking credentials to third party apps (mint, money desktop, etc). These apps are storing much more important (and much more valuable) info than any hacked third party app to honk your horn.

Re:Major fail for Tesla

[DarkOx]

That is silly. There was never a need for a fully secure 802.11 specific solution. From the outset anyone who wanted that could just use IPSec tunneled or otherwise, either with 3DES or AES.

That is what people were always advised to do; if they needed both privacy and to run a traditionally clear text protocol over wifi. I have been part of Enterprise wifi deployment in one way or another since 802.11 because a standard and at no point did even any of the vendors attempt to pass WEP off as doing anything more than keeping unapproved clients off your wlan and preventing causal snooping. It was never billed as a replacement for running an transport or application layer cipher; even if the two talkers were layer 2 adjacent.

Re:Major fail for Tesla

[bentcd]

The article doesn't describe a security flaw with Tesla's API. What it does is complain about how Tesla doesn't provide a reasonable framework for allowing third party apps access to the car. Which is probably correct: Tesla never promised this and never intended to deliver it at this point in time.

The API that is provided is a proprietary one that is intended only for communication between the car and Tesla's own app. It has a perfectly fine password-based security implementation for which the article does not even suggest a hack or a workaround: to access the car you absolutely must have the password.

The article then complains that if car owners run around publishing their passwords on the internet this would enable strangers to access their car, and implies that this is a serious security problem with Tesla's cars. Which it is not, it is a security problem with the car's owners. Good luck trying to design a security system for this that cannot be compromised by the car having a stupid owner.

Re:Major fail for Tesla

[DuckDodgers]

For home computer users, it's far easier for someone wanting to listen to your internal network traffic to crack WEP than physically tap into your cat5 cables somewhere in the house. Listening in wirelessly takes a laptop in a car outside the home, listening to the wired network requires at a minimum a physical home invasion - obviously the person can tap your phone, coaxial cable, or fiber connection between the provider and your house, but that doesn't give them the same internal network access as physically tapping your network inside the home router.

And you can't really expect every home user, or even most home users, to go through the trouble of setting up an in-home VPN in addition to their wireless network. You have to assume that for home users, WEP was originally intended to be their complete security solution - and it was a total failure.

Let me get this straight

[DougOtto]

"I can also honk their horns, flash their lights, and open and close the sunroof."

So he discovered a 10 year old?

Re:Let me get this straight

[smack.addict]

I have one of those as well as a 7-year old. They are much more interested in the Slacker access from the 17" screen.

Re:Let me get this straight

[Z_A_Commando]

With this flaw, you could (feasibly) automate Rick Rolls of Model S owners, no small child necessary.

Re:Let me get this straight

[plover]

"Never gonna roll your windows up,
Never gonna put your top down,
Never gonna run your battery down, or desert you."

Re:Let me get this straight

[roc97007]

With this flaw, you could (feasibly) automate Rick Rolls of Model S owners, no small child necessary.

I want to see this as an Android application. Cross-reference with the license plate.

"Look, a model S"

Oooh, what's the license plate?"

(Hilarity ensues.)

Re:so besides all that

[Ralph+Wiggam]

It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

Re:no exploits, though.

[smack.addict]

In a world of interconnected devices (the Internet of Things), it's not about hypothetical sites. It's about real, interconnected sites. There are real sites out there that talk to Teslas and provide value beyond what Tesla provides. If you are building a connected device in 2013, you should take this reality into account.

Can someone give me a car analog?

[bcong]

Sure. It is like using web based certificates in PKI but in this case there is no revocation system and mandatory 3 month validity for all certs. I have to give this key to a third-party in order to be able to do anything user related like view my emails. That third-party or someone who gains access maliciously to the cert database can use this cert to make a connection to my computer that I can't turn off, to make my cpu spike or use up all the ink in my printer, until the 3 months is over.

...wait a minute, I think I did this wrong

Re:Can someone give me a car analog?

[az1324]

I'm sure you could get a token revoked with an e-mail to Tesla. The API is not intended for use by third parties so really the only valid criticism here is "Tesla does not have a 3rd party API".

Re:Can someone give me a car analog?

[Zalbik]

The API is not intended for use by third parties so really the only valid criticism here is "Tesla does not have a 3rd party API".

I don't get it (and I did RTFA which didn't help much).

It looks like this API is the API for third-party Android and iOS apps to use.

In order for those apps to log in, the user must provide the app with their Tesla motors username/password.

That isn't good security. Tesla shouldn't trust that every third-party is handling credentials properly.

Am I missing something?

Re: Can someone give me a car analog?

[mr_zorg]

The API is not intended for use by third parties so really the only valid criticism here is "Tesla does not have a 3rd party API".

Agreed. The only way to exploit this security issue is if you give your login credentials to an unauthorized website using a private API. If you do that, shame on you!

The Tesla-plane Blues

[TimHunter]

I can also honk their horns, flash their lights, and open and close the sunroof.

I'd said I flashed your lights mama
your horn won't even blow
I even flash my lights mama
this horn won't even blow
Got a short in this connection
hoo-well, babe, its way down below

Re:You might be right.

[dgatwood]

John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

When the speed limit is 55.

Alternatively, when someone correlates driving patterns with murders and determines that you were parked in the parking lots of restaurants that were within walking distance of three unsolved murders. Can you prove you were eating? The whole time?

Yes, I can think of a lot of scenarios where you might care.

Not catastrophic?

[RandomUsername99]

I'd say being able to flash someone's headlights if they're driving on a winding, unlit road, at night, could most certainly be catastrophic.

Re:Not catastrophic?

[flimflammer]

That was exactly what I was thinking. That certainly sounds pretty catastrophic to me.

Seems Trollish

[sl4shd0rk]

Tesla is a big target in the crosshairs of the automotive industry right now so I'm very skeptical. Tesla is doing what no other company has been able to do in the US and that seems to be a problem with everyone from dealers to falsified reviews in The New York Times. Let's do without the TFA drama have a look at the the egregious attack vectors listed:

1) You want to leverage a tool on a website with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves).

This is a really broad claim. What's more, if you haven't logged in over an SSL connection then... well, you're kind of a dumbass.

2) An attacker gains access to a website's database of authenticated tokens. It has free access to all of that siteâ(TM)s cars up to 3 months with no ability for the owners to do anything about it.

This is no less dubious that so many online services that I couldn't begin to count. The risk of compromise is an accepted one and hopefully mitigated. No fair faulting them without seeing how they would handle said compromise.

In a nutshell, TFA is going to need to find more substantial basis for panic than this. Sheesh.

Re:Seems Trollish

[smack.addict]

Re: #1
What has logging in over SSL got to do with anything?

If a third-party is storing credentials that control everything, then you are screwed if that third-party is compromised. Twitter suffered greatly from these kinds of problems prior to adopting OAuth. The trick with OAuth is that the third-party never sees the primary credentials, just an application-specific set of credentials with very specific access rights. Because of the design of OAuth, it's also easy to revoke credentials on an app-by-app basis and thus not impact the other apps interacting with the OAuth system.

Re: #2

Tesla is blameworthy because they opted for a less secure approach than is commonly accepted practice. If a third-party is compromised in an OAuth environment, only that one token with the application's specific access rights are at risk. You can revoke them and re-issue without impacting anything else using those credentials.

Finally, there's no need for any panic at all. TFA is not pushing panic. It's pushing the facts of an architectural flaw that does not arise to the level of being an active vulnerability. A flaw that exists for no good reason at all.

Re:no exploits, though.

[geekoid]

And the stupidest phrase ever award goes to:
  Internet of Things!

Not a security flaw

[Pup05]

Read the article. This 'flaw' requires a Tesla owner's email address AND password to 'exploit'.

Re:Not a security flaw

[CanHasDIY]

Read the article. This 'flaw' requires a Tesla owner's email address AND password to 'exploit'.

Well, then, thank $deity that email addresses are impossible to find out, and that passwords are uncrackable.

Re: Not a security flaw

[mr100percent]

OR someone to log into a dodgy third party site, OR someone to crack a third party site and get all the tokens

Re: Not a security flaw

[Pup05]

Right, but then how is this a flaw on Tesla's part?

Re: Not a security flaw

[mr100percent]

That's something OAuth already addresses (which is why twitter and Facebook use it). When you log in via the portal page, it gives the third party app a token rather than letting them see your password. The token can be revoked at any time from your permissions page or the company can blacklist that app. Tesla's implementation shares the password with the third party apps AND the token can't be revoked early.

Re: Not a security flaw

[Pup05]

That's a great reason to use OAuth for third party API access. But Tesla doesn't have a third party API. Tesla doesn't share passwords with third parties. Owners wanting to use third party applications (which have reverse engineered Tesla's app's communication) would have to share their passwords, which is on the customer and unwise. Even then, owners can change their passwords and any existing tokens are invalidated and third party apps would then be locked out. Remember, all this communication happens through Tesla's servers, not directly to the car. The argument seems to be that Tesla should have made a third party API to avoid the potential for their customers to share their passwords with third parties. That's a reasonable argument, but not a security flaw on Tesla's part.

Those who attempt to re-create Oauth...

[SuperKendall]

...are doomed to so so in a way that is somewhat less secure but infinitely more usable.

Re:Those who attempt to re-create Oauth...

[smack.addict]

When done right, OAuth is more secure and equally usable.

Usability issues crop up when OAuth is applied to contexts in which it makes no sense (systemsystem authentication).

Re:Those who attempt to re-create Oauth...

[pavera]

Tesla wasn't even trying to re-create Oauth, they *don't* provide third party api access. They implemented a perfectly reasonable first party api authentication mechanism. If users are inclined to give their creds to *unauthorized* third party apps then that is on the user.

Every API in the world shouldn't be *required* to provide third party access.

Re:Those who attempt to re-create Oauth...

[pavera]

Well, I'd argue this is one such context. There is no third party, Tesla's API is not designed for third party access, its designed for Tesla app -> Tesla API communication. Adding Oauth to this workflow, just for kicks, certainly would decrease usability, as you'd get redirected to a third Tesla page, to provide your credentials and generate a token for Tesla's own app.... The facebook and twitter apps published *by those companies* don't use oauth, they ask directly for your username/password

Saying Tesla's app should use oauth is crazy. Saying that anyone who publishes an API on the internet *must* implement oauth so third parties can access the API is equally crazy.

As usual, some things got left out...

[Anonymous+Psychopath]

Like the fact that Tesla's API is closed and 3rd-party applications are unauthorized and using it without any documentation other than what's been figured out through reverse-engineering. No doubt they need to do some work before publishing an API, but there's no warranty when you use homebrew.

Re:As usual, some things got left out...

[Nemyst]

It can be closed and the documentation sealed in a titanium safe stored inside a reinforced container dropped at the bottom of the Mariana Trench for all I care; if the API is active in production models, it's going to get discovered and exploited. Nefarious usage, especially, won't be stopped by "Hey, you're not supposed to use this!"

There really is no excuse for this. It's just sloppy security practices.

Re:As usual, some things got left out...

[Anonymous+Psychopath]

It can be closed and the documentation sealed in a titanium safe stored inside a reinforced container dropped at the bottom of the Mariana Trench for all I care; if the API is active in production models, it's going to get discovered and exploited. Nefarious usage, especially, won't be stopped by "Hey, you're not supposed to use this!"

There really is no excuse for this. It's just sloppy security practices.

I'm not trying to excuse anything, simply pointing out that this exploit can only be executed with the end-user as a willing, active participant. Please, show me a security model that works in that scenario.

Re:As usual, some things got left out...

[pavera]

How is it sloppy security practice? You're seriously arguing that *every* *single* *api* on the internet *must* implement oauth right now because the api *will* be reverse engineered and users will be tricked into providing their credentials directly to a third party? Even when third party apps are not authorized? Every company with an api on the net *must* provide for third party access?

Oauth doesn't provide any security anyway. Users will still be tricked into providing their credentials directly to third parties (on phishing oauth portals). Whats going to stop someone from spoofing an oauth portal, and distributing an app that redirects to said portal? User enters username/password on spoofed oauth portal, third party has creds, does nefarious deeds. Oauth provides precisely 0 security if the user is not careful.

Re:so besides all that

[CanHasDIY]

"RPMs" has been a standard abbreviation for "Revolutions Per Minute" since... well, probably since the advent of reciprocating assemblies.

Where the hell have you been?

Heater & A/C

[CanHasDIY]

This brings 2 questions to mind:

1) Can an attacker use this exploit to remotely alter the heat and A/C settings?

2) Presuming the answer to 1 is yes, couldn't they use said exploit to overheat the element or over-cycle the compressor, causing a fire?

Third, kinda related question: Knowing that compressor motors and heating coils are the biggest amp draws in any circuit, how much does heater or A/C usage affect range? As in, running the A/C | heat at full blast would reduce the range from ~300 miles to what?

Re:Heater & A/C

[smack.addict]

1. Only if there is a vulnerable third-party site with whom the user has shared their credentials. Out of the box, no.

2. I would consider that a flaw in the car if you could do that. The API and the fact it resulted from a hack would be incidental to the whole thing.

Re:Heater & A/C

[fast+turtle]

He's the deal. It's Connected to the Internet thus insecure.

Personally, I don't give a damn how secure the car is from a computer standpoint because if it is connected to the internet, then it is insecure. Just like all the water systems and the electrical grid in the United States. All of the Scada systems that were never designed to be connected and now are.

Re:You might be right.

[YrWrstNtmr]

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

A stalker, your spouses lawyer, just to name a couple.
It's not a case of 'what can they do', or 'I have nothing to hide', but rather a case of 'it should not be that easy'.

OAuth for Apps? Seriously?

[Luthair]

The article is mostly FUD. To start, OAuth is not a User->System authentication system, its a three party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to api, 3rd party to api, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service, are also inherently present in OAuth when implemented in a non-web app:
* Entering login information into any application inherently provides it to the application's author
* SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token

The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.

While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile application.

Re:OAuth for Apps? Seriously?

[Zalbik]

The article is mostly FUD.

Not really. I believe the author's biggest beef is that the user should not be providing the app with their credentials to Tesla Motors.

This is true, and with OAuth they don't have to. All the third-party app get's is an access token. The access token can have completely different rights than the user account, and can be revoked /controlled by the user.

You can use OAuth for mobile/desktop access, it's just not as seamless as it is on the web. Here's a post that has some other perfectly reasonable suggestions for how to use it in these situations:
http://hueniverse.com/2009/02/beyond-the-oauth-web-redirection-flow/

Re:OAuth for Apps? Seriously?

[Luthair]

Not really. I believe the author's biggest beef is that the user should not be providing the app with their credentials to Tesla Motors.

And I'm not arguing against that, the problem is that the suggestion of OAuth is moronic. The very same article you're linking conveniently also explains what I stated - to write a desktop application with OAuth the user must enter the username and password in the application. This entirely negates not trusting a third party with authentication, also known as the entire point of OAuth. (Though the article's author argues that the point is moot as a user is inherently trusting an application they install on their machine which is largely true for the desktop, less true for mobile applications thanks to sandboxing).

The remainder of the article talks about potential workarounds for the fundamental desktop OAuth flaw, however none of these solutions are specific to OAuth nor do any benefit from OAuth at all. I'm not saying OAuth is entirely pointless, but it is entirely pointless when when the third party isn't a web application.

Sorry but I expect more from a supposed Senior Distinguished Engineer and Executive Director of Cloud Computing at a major corporation, particularly one who writes for O'Reilly.

Re:OAuth for Apps? Seriously?

[pavera]

The problem with the article is there are *no* authorized third party apps that use this API. Tesla does not provide third party access.

People have reverse engineered the api, and then if you give these third parties your credentials, they can make calls to the api and do things to your car. The article is arguing that *any* API that is exposed on the net *must* implement oath so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app access.

Re:OAuth for Apps? Seriously?

[dkf]

The article is arguing that *any* API that is exposed on the net *must* implement oath so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app access.

It's also crazy to claim that OAuth is the only mechanism for doing it. There are others that are stronger, though more of a PITA; we were doing secure third party service access by other mechanisms (there are a few variations based on client-authenticated SSL with security assertions) 10 years ago, and that expertise still exists. The good thing about OAuth is that it works very easily with browsers and is relatively simple for simple websites to support, but if there are no browsers or it's not a simple conventional website? OAuth might not be for you. (In fact, it definitely can't be for you if you don't have a user in the loop; some other mechanism is required.)

Re:so besides all that

[Ralph+Wiggam]

The only other 4 door car that can do 0-60 in 4 seconds is the M5. Comparing a 5 passenger sedan to a 2 seater roadster isn't fair. It's also $30k less than your Roadster and almost every other car with sub 4 second 0-60 times.

Re:so besides all that

The Z06 isn't the pinnacle of good car handling. Heck, a $50k base Boxster is superior. American tastes I guess.

Re:so besides all that

[Ralph+Wiggam]

In a normal gas powered car with multiple gears, when you shift gears and drop the RPMs down, you lose torque and acceleration. In an electric car, which typically only have one gear, the car accelerates smoothly and evenly.

Re:so besides all that

[jshazen]

Electric motors operate at max torque at all RPMs.

RPMs - is that Revolutions Per Minutes?

Actually, yes. (Revolutions Per Minute)s.

If you're talking about a single angular velocity, use RPM. (The tach reads 'RPM', not 'RPMs'.)

But the GP used the phrase "at *all* RPMs", so he was clearly talking about multiple angular velocities.

Re:You might be right.

[roc97007]

John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.

My car physically suddenly misbehaving, even if limited to peripheral systems -- that I can easily imagine causing a distraction and subsequently an accident.

Twenty miles due east of John Q. Public's current location, cellular services cease. Police response time to that location is estimated at 2.5 hours minimum. John Q. Public is driving a really expensive car, may be wearing expensive bling, and almost certainly has credit cards in his possession.

You can't think of anything bad that could happen?

Re:You might be right.

[roc97007]

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.

Millions of restraining orders issued in the US every year. Not everyone has the luxury of not having to worry about who all might be out to get them. 1.5-2k women murdered per year in US by their SOs. You obviously have no idea what it is like to have to constantly watch over your shoulder. I hope you never do.

Maybe he should be, and just doesn't realize it yet.

To say these are flaws is an opinion

[TomGreenhaw]

It is a button press away to turn off remote access on the Tesla S console so if an owner is concerned they can turn the interface off. TFA implies that if you give away your credentials and get hacked, you're screwed for 3 months which is not true. Tesla warns repeatedly to be very careful about who you give your user name and password to, not that doing so creates a danger, they are just trying to educate their owners. Tesla's use of a proprietary system as opposed to OAuth isn't necessarily wrong or less secure. It does however point to a more interesting policy; Tesla will have more of an Apple style walled garden than a wide open Android marketplace for anything that communicates with the car. Finally the whole business of economic loss and damage to the batteries is silly. I seriously doubt that less than a dollars worth of electricity if somebody turns the air or heater on are going to be an issue for the typical Tesla owner. And no, the interface does not allow you to turn on the heater and the air conditioning at the same time - you can set the target temperature for the interior. Nobody is going to put up with this happening all the time and suggesting battery damage by using the car in a way it was designed to do exposes the article for what it is.

Re:To say these are flaws is an opinion

[smack.addict]

If I were to try this attack, I would up the car to a range charge and turn air conditioning on full blast. Then I would go through cycles of charging the battery up full and discharging it.

The electricity will add up, but maybe not a lot for most who can afford an $80K+ car.

The bigger issue is that this will decrease the battery life.

Re:To say these are flaws is an opinion

[TomGreenhaw]

I really don't think something like that would go on without being noticed. The first thing a Tesla owner looks at when they get in the car is its range and if was set to range mode or if the charge status was unexpected they would immediately be suspicious. In any case the batteries are covered unconditionally by Tesla for 8 years so the I really wouldn't take a hit.

Re:To say these are flaws is an opinion

[RobinH]

Ok, so they made a car with (limited) remote controls that have the same security as a typical website. What could go wrong? Honestly, it's just a really bad idea. I would want it guaranteed that there was a way to completely disable any remote control functionality, so if you still want to have diagnostics and monitoring, etc., then you have to install some kind of data diode to really made it secure. But that's the right way to do it.

Re:To say these are flaws is an opinion

[TomGreenhaw]

I believe that is exactly what they have, i.e. the ability to completely disable the remote feature. The remote app API stuff is completely separated from the other systems and can easily (and comes disabled by default) be turned off. As a Tesla owner, I'm just trying to get the straight story out. I'm sure there is room for improvement, but is not as though Tesla has somehow done anything stupid here.

Re:so besides all that

[elistan]

It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

Nitpick - max power at all RPMs. If a power source supplies a constant 10kw, the electric motor will of course operate at a constant power of 10kw. It should be obvious that 10kw equates to very different torque values a 1 rpm and 10,000 rpm.

The advantage of electric motors, which you allude to, is that the max power (150 kw, 200 hp, whatever) is available immediately, rather than only once engine revs climb high enough like in a petrol engine. (Although due to real-world esoteric reasons I don't fully understand, the efficiency with which that power is turned into motive force isn't constant throughout the rev range - max torque of many electric motors is actually not right at 0 rpm, but the concept is close enough to reality to illustrate the differences between electric motors and internal-combustion engines.)

So a Tesla Model S will essentially operate at 310 kw regardless of engine speed, while an ICE with the same peak power output will generate 310 kw only at one specific RPM, and will be less, sometimes a lot less, at all other speeds.

ps - why is one a "motor" and another an "engine?" What's the difference?

RE N Y Times road test

[cinnamon+colbert]

Much of Tesla's criticism of the Times was based on , supposedly, data that Tesla downloaded from the test vehicle.
Does this security flaw make it more likely that tesla, or a tesla employee, could have altered the data ?

Re:You might be right.

[Em+Adespoton]

Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

A stalker, your spouses lawyer, just to name a couple.
It's not a case of 'what can they do', or 'I have nothing to hide', but rather a case of 'it should not be that easy'.

I was thinking something more along the lines of "Hmm... let's see if there are any Teslas in the area right now. Oh, there's one that's parked over in the shopping district! I think I'll go over, open the sun roof and see if there's anything I like inside...."

Re:You might be right.

[Em+Adespoton]

You're driving around in a potentially $90k vehicle which contains theft deterrents that pretty much only work when the car is locked and hasn't been started yet. Please tell me you're not daft enough that you fail to see how the information you listed could be put to use in a way that would deprive you of your shiny new toy.

Note to self: never drive Tesla in Florida.

Re:so besides all that

[keytoe]

ps - why is one a "motor" and another an "engine?" What's the difference?

According to MIT, not really anything these days.

They both came to describe the same thing from two different linguistic directions. It seems the only distinction between the terms these days is more rooted in nomenclature within a specific discipline and less on overall semantic accuracy.

Rest assured...

[axis_omega]

Rest assured that the matter will be taken care of... And the trick will be to honk the car of Mr. Musk and it will be taken care of promptly.

Re:You might be right.

[ArcadeNut]

Maybe I'm waiting to break into your house, and I want to know where you are currently at so I don't get caught....

Re:so besides all that

[Immerman]

> why is one a "motor" and another an "engine?" What's the difference?
In modern usage an engine is a device that burns fuel to generate torque. Historically it was used for any device that converts force into motion: hence battering rams and catapults being siege engines, and the cotton (en)gin(e).

Motors apply to pretty much everything else that might once have been called an engine. Most commonly they convert electrical, elastic, or compressed-gas energy into mechanical energy. But there are even molecular motors such as the myosin in muscles that converts chemical energy into mechanical work.

My personal rule of thumb - if it's powered by heat it's an engine. Heat being a very low-quality form of power it suffers from large and theoretically unavoidable thermodynamic inefficiencies when converting to higher-quality forms. An electric or spring-driven motor on the other hand could, in theory, be 100% efficient.

Re: so besides all that

[ColaMan]

Certain electric motors have max torque at zero rpm. DC motors with series wound fields do (eg. Starter motors) . The AC motor in the Tesla will have a lot of torque at zero rpm, but I'll wager that there is a higher value somewhere above zero.

Re:You might be right.

[Kielistic]

If presumption of innocence can be eliminated based solely on where your car was parked I think you've got way bigger problems to worry about.

Re:so besides all that

[KingMotley]

Well the boxster has a maximum lateral acceleration of 1.0g, while last years corvette has a maximum lateral acceleration of 1.13g, so I would say you don't know your cars very well. Every major car reviewer disagrees with you, including edmond's, motortrend, etc. Please go away.

Re:so besides all that

[KingMotley]

I should also note that the $50k Boxster is worse in handling (1.0g vs 1.13g), acceleration 0-60 (5.1s vs 3.6s), quarter mile (12.7s vs 11.6s), the figure 8 test, and slalom runs. Of course, you could add an auto trans to drop it's 0-60 to 4.5s, but that isn't the base model as you claim, and it's still not even in the same ballpark as 3.6s. The boxster doesn't even perform as well as the baseline corvettes, so your comparison is silly.

Re:so besides all that

[KingMotley]

There are a few others, like the Cadillac CTS-V Sedan can do it in 3.9s, the Mercedes E63 AMG Sedan in 3.8s, etc.

Re:You might be right.

[dgatwood]

What's the phrase? Once is chance, twice is a coincidence, three times is a pattern.

It's not REST

[Bogtha]

If you look at that API and you think it's REST, then you don't know what REST is. Here's Roy Fielding's blog post where he points out that these types of APIs aren't REST. Roy Fielding is the guy that described this architectural style and coined the term "REST" in the first place.

Here's one example: You perform a GET request at /vehicles to obtain a list of vehicles. These vehicles take the form of JSON data, including an id attribute. If you want to perform operations on a vehicle, you need to construct URLs of the form /vehicles/{id}/.... That is not REST.

REST is hypertext driven. It revolves around content types, not manual URI construction. If that were a RESTful API, it would describe a vehicle list media type, and that media type would contain URIs, not IDs that you have to construct new URIs from using out of band knowledge. Their approach is like if every web browser was hard-coded to find articles at /articles instead of using links. It's dumb.

This misunderstanding is far too common. Don't guess at what REST is when you construct an API like these guys did, look it up for yourself.

Re:It's not REST

[Moses48]

I remember reading Fielding's blogs and work when REST was becoming a popular term. The idea of hypertext links was not as prevelent. It was there with some mention to atom rss and the likes, but it wasn't the main point of REST.
There are some that think any stateless json/http webservice means rest. There are some that think anything with resources and actions on those resources is restful (ie: an sql select statement or your webservice example). And then there are those that follow R. Fieldings work and know what he means by REST.

When I hear a colleague say REST it usually means what you have in your example. So much so, that it would take to much time and effort to correct everyone. That's the thing with language. Once a term is generally accepted among a group to mean something, it's easier to pick up their term than try to change everyone in the group. In rare cases do I run into people that think your example isn't RESTful.

TL;DR: What the author meant it to mean, and what it means to most programmers isn't the same.

Re:It's not REST

[Bogtha]

I remember reading Fielding's blogs and work when REST was becoming a popular term. The idea of hypertext links was not as prevelent. It was there with some mention to atom rss and the likes, but it wasn't the main point of REST.

Hypermedia as the engine of application state is listed as one of the four fundamental constraints of REST in his thesis. It's a central part of REST. It wasn't retrofitted later. If you missed it, you weren't paying attention. REST is essentially a description of the architectural style of the WWW. And you're saying that the idea of hypertext links wasn't prevalent from the start? What WWW have you been using?

When I hear a colleague say REST it usually means what you have in your example.

Then you work with people who don't know what they are talking about. You can either point that out to them so that they can fix their ignorance, or you can let them labour under the misapprehension that they know what they are doing. Do them a favour and point it out to them. Or at the very least, ask whomever is in charge of documentation not to refer to it as REST.

REST is not some nebulous term where you can argue your case. It's got a specific meaning. Mislabelling any old HTTP web service as REST is like confusing Java with JavaScript - something nobody who claims to know what they are talking about should be mixing up.

Re:It's not REST

[Moses48]

I understand what they mean. Multiple business partners use the term. This isn't just "the people that work next to me". This is my observation among web developers across the board. I'm talking about all the big players, they use the term wrong. While I can applaud people for having concise definitions, I'm not about to tell all the third party APIs I use daily that their REST api's aren't REST. It's too much work. If you campaign to get everyone to use the term correctly, more power to you.

(PS - I didn't read his thesis at the time. He came out with some web pages that described REST. They didn't mention linking as a part of REST, but that it was useful. As in MAY/RECOMMENDED, not even SHOULD or MUST. I'm not excusing people, I'm just letting you know how the current usage came about)

Re:It's not REST

[Bogtha]

This isn't just "the people that work next to me".

I'm not about to tell all the third party APIs I use daily that their REST api's aren't REST. It's too much work.

Here is what you originally said:

When I hear a colleague say REST it usually means what you have in your example. So much so, that it would take to much time and effort to correct everyone.

We weren't talking about the whole world fucking up, we were talking about your colleagues not knowing what they were talking about. To which my response is: tell them they are fucking up so they can stop fucking up. "I can't change the world" isn't a response to that.

I didn't read his thesis at the time.

Again, this is what you originally said:

I remember reading Fielding's blogs and work when REST was becoming a popular term. The idea of hypertext links was not as prevelent. It was there with some mention to atom rss and the likes

If it mentioned Atom, then you're talking about years after he published his thesis. You say you remember reading his work, but you clearly didn't read it despite it being available at the time. Just some nebulous "blogs" (that couldn't have existed because he didn't start blogging until years afterwards).

Re:It's not REST

[Moses48]

I don't feel like we are communicating well. What are you trying to tell me? I am talking about years after he published his Thesis. I'm talking about 2004 or so, when it became the fad to start calling things RESTful. At that time if you did a google for "REST" you would get a webpage from Fielding. That's what I found at the time and went with until I researched it more. And, no, I don't put effort into correcting people on this topic. You seem to think it warrants correcting people, I don't. Words change, that's what happens to language. Amazon, Google, Twitter, et al use it to mean the calling style and statelessness (as per their API docs). If enough people care to correct their colleagues (I don't) then it'll change, but don't hold your breath.

Re:It's not REST

[Bogtha]

The point you were trying to make is that links being important is actually something that came later, and you tried to argue this point by saying you read his early work and blogs and it wasn't mentioned.

I am pointing out that it was a central theme right from day one. It was mentioned in his thesis published in 2000, and it's also ludicrous once you recognise the fact that REST is a description of the architecture of the WWW, which clearly revolves around links. It's not plausible that you could ever understand REST but not understand how important links are to it.

You didn't read his work. You admit you didn't read his thesis, and although you claim you read blogs by him at the time (2004 or so), he didn't start blogging until 2008. You are now citing some webpage you found by googling REST, but you conveniently don't mention which one, why it would contradict the things we know he has been saying from 2000 onwards, or why you think reading some webpage you found with Google counts as actually reading the relevant material.

REST has a precise definition that includes linking, just as "Java" has a precise definition that is distinct from "JavaScript", despite a lot of people misunderstanding that. You say that words change, but you are helping to cause the change whenever you mislabel something as REST, so to hold your hands up to say that you can't do anything about it rings as hollow as your claims to have read the material at the time.

Re:so besides all that

[dcw3]

I've done 4.9 in my stock 2012 SRT8 Charger, and I'm sure it's capable of doing better than that.

I don't get it...

[bradgoodman]

I don't get it...at all. The article "bashes" the security, but makes no suggestions or recommendations how to improve it. And frankly, I see no problem. It see it as a "minor issue" that you need to use SSL encryption.

Why is this an issue?

Everything is secure, as long as a malicious piece of code doesn't steal the users' username, password and/or temporary authentication token. So - how would they claim to permit any type of login without this information being on the device - unless you make the user enter a password on every login (which I guess could still be snooped). Pretty much every authentication system I can think of - from "plain", to Kerberos to things with session tokens have a vulnerability where if someone could "steal" a piece of data (like a token) one could get in. The only real way around it would be to perhaps put a two-factor authentication system with a very short timeout - but that just closes the window and makes it more annoying for the user.

So - what is this article really getting at???

Re:so besides all that

[dbitter1]

The advantage of electric motors, which you allude to, is that the max power (150 kw, 200 hp, whatever) is available immediately, rather than only once engine revs climb high enough like in a petrol engine.

Nitpick - The torque on an electric motor vs RPM varies significantly based on winding type. For some motors, like a DC series-wound, you have an incredible amount of torque at 0 RPM (which is why they are used for starter motors). There are others - such as AC synchronous motors- that have nearly any torque at startup, and are usually built with a second motor on the same shaft to try to get the unit turning under load. Given a constant power source (i.e. voltage) the internal resistance (and hence current draw, and hence, by definition, power) will vary over RPM.

That said, on average, I think we all agree the torque curve is WAY more impressive than either a diesel or a gasoline engine (both of which have different torque curves).

Re:so besides all that

[elistan]

Awesome, thanks for that - those are some of the "real-world esoteric reasons I don't fully understand" that I mentioned in my previous comment.

Re:so besides all that

[elistan]

hence battering rams and catapults being siege engines, and the cotton (en)gin(e).

Dang. Learned another new thing today. Thanks.

Re:so besides all that

[Ralph+Wiggam]

Oh yeah. The CTS-V is a monster.

Re:You might be right.

[cellocgw]

What's the phrase? Once is chance, twice is a coincidence, three times is a pattern

At least in Goldfinger, the third time is "enemy action." Got Mr. Bond James Bond in a little trouble.

Re:no exploits, though.

[devman]

http://en.wikipedia.org/wiki/Internet_of_Things