Slashdot Mirror


Tesla Model S REST API Authentication Flaws

An anonymous reader writes "New Tesla owner and Executive Director of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"

29 of 161 comments

  1. I don't get it. by Anonymous Coward · · Score: 4, Funny

    Can someone give me a car analog?

    1. Re:I don't get it. by Rosco+P.+Coltrane · · Score: 4, Funny

      Sorry, cars are digital these days.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:I don't get it. by Anonymous Coward · · Score: 4, Funny

      You wouldn't copy a car, would you?

    3. Re:I don't get it. by theskipper · · Score: 4, Funny

      Don't copy that jalopy!

  2. Hopefully A Light Will Come On Over At Tesla by Anonymous Coward · · Score: 2, Interesting

    Hopefully a light will come on over at Tesla about API security. Let's just hope it's not a Philips Hue (http://www.engadget.com/2013/08/14/philips-hue-smart-light-security-issues/)

  3. Re:not quite correct by smack.addict · · Score: 2

    I've done it before.

  4. how fast by fyngyrz · · Score: 4, Funny

    Well, terminal velocity will depend on two factors: The ultimate wind resistance of its tumbling chassis, and how high it is above the ground when you drop it.

    --
    I've fallen off your lawn, and I can't get up.
  5. Not quite getting it by fyngyrz · · Score: 3, Insightful

    There's something of a difference between "hey, look, some guy in a neat car" and "John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining."

    --
    I've fallen off your lawn, and I can't get up.
  6. Major fail for Tesla by RobinH · · Score: 4, Interesting

    With all the news about medical devices with deadly security flaws, and people even hacking into cars (even if only from the backseat), I can't believe Tesla really didn't even *try* to add proper security to their API. The only right way to do it (from a corporate perspective) is to hire an outside security company to audit your design and implementation, and to continue to monitor the security whenever changes are made (so continuously in this case). It's well known that you can't trust the programmers to implement security properly, especially if you had Elon Musk screaming over your shoulder like Steve Jobs all the time.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Major fail for Tesla by Stainless_Steel_Mous · · Score: 5, Insightful

      Classic failure mode for companies that do not primarily write software, but use software in their products. We are seeing more and more of the continued use of security through obscurity followed by goggle-eyed amazement that haxors would figure out a way to penetrate the systems of the device/vehicle/airplane/whatever, finally ending in lawsuits to attempt to hide the existence of grotesque security failures. I cannot wait for the first corporation to be sued for insecure product design.

    2. Re:Major fail for Tesla by DuckDodgers · · Score: 4, Interesting

      Even for companies that primarily write software, it's easy to design something that looks secure to you but in fact is trivial to defeat. WEP wireless security is inherently flawed. PPTP VPNs from Microsoft are inherently flawed, though not as badly as WEP, and Microsoft has deprecated the entire protocol. WPS wireless easy setup is flawed. The AES encryption used by Megaupload in their re-launch earlier this year was not implemented properly, and thus is useless.

      The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.

    3. Re:Major fail for Tesla by synapse7 · · Score: 2

      I would assume Tesla's API to be better than industry standard before I took George's opinion.

    4. Re:Major fail for Tesla by DuckDodgers · · Score: 2

      TKIP modifies WEP to be secure, and TKIP runs on any hardware that can run WEP.

      WEP was designed to be secure, nobody would go through the trouble to invent a security protocol that they knew could be defeated by commodity hardware in under an hour. WEP was just designed poorly.

  7. Re:First World Priorities by 0123456 · · Score: 5, Funny

    Yeah, but the battery will run out two miles down the road, so it's not really a big deal.

  8. Let me get this straight by DougOtto · · Score: 4, Funny

    "I can also honk their horns, flash their lights, and open and close the sunroof."

    So he discovered a 10 year old?

    --
    Solving Unix problems since 1989...
    1. Re:Let me get this straight by Z_A_Commando · · Score: 2

      With this flaw, you could (feasibly) automate Rick Rolls of Model S owners, no small child necessary.

    2. Re:Let me get this straight by plover · · Score: 4, Funny

      "Never gonna roll your windows up,
      Never gonna put your top down,
      Never gonna run your battery down, or desert you."

      --
      John
  9. Re:so besides all that by Ralph+Wiggam · · Score: 4, Interesting

    It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

  10. Can someone give me a car analog? by bcong · · Score: 2

    Sure. It is like using web based certificates in PKI but in this case there is no revocation system and mandatory 3 month validity for all certs. I have to give this key to a third-party in order to be able to do anything user related like view my emails. That third-party or someone who gains access maliciously to the cert database can use this cert to make a connection to my computer that I can't turn off, to make my cpu spike or use up all the ink in my printer, until the 3 months is over.

    ...wait a minute, I think I did this wrong

    1. Re:Can someone give me a car analog? by az1324 · · Score: 2

      I'm sure you could get a token revoked with an e-mail to Tesla. The API is not intended for use by third parties so really the only valid criticism here is "Tesla does not have a 3rd party API".

  11. Re:First World Priorities by AaronW · · Score: 3, Informative

    There is a setting in the car where you can disable remote access. It's trivial to set.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  12. Re:You might be right. by dgatwood · · Score: 3, Interesting

    John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.

    Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?

    When the speed limit is 55.

    Alternatively, when someone correlates driving patterns with murders and determines that you were parked in the parking lots of restaurants that were within walking distance of three unsolved murders. Can you prove you were eating? The whole time?

    Yes, I can think of a lot of scenarios where you might care.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  13. Seems Trollish by sl4shd0rk · · Score: 4, Insightful

    Tesla is a big target in the crosshairs of the automotive industry right now so I'm very skeptical. Tesla is doing what no other company has been able to do in the US and that seems to be a problem with everyone from dealers to falsified reviews in The New York Times. Let's do without the TFA drama and have a look at the egregious attack vectors listed:

    1) You want to leverage a tool on a website with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves).

    This is a really broad claim. What's more, if you haven't logged in over an SSL connection then... well, you're kind of a dumbass.

    2) An attacker gains access to a website's database of authenticated tokens. It has free access to all of that site's cars up to 3 months with no ability for the owners to do anything about it.

    This is no less dubious than so many online services that I couldn't begin to count. The risk of compromise is an accepted one and hopefully mitigated. No fair faulting them without seeing how they would handle said compromise.

    In a nutshell, TFA is going to need to find more substantial basis for panic than this. Sheesh.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  14. Re:As usual, some things got left out... by Nemyst · · Score: 2

    It can be closed and the documentation sealed in a titanium safe stored inside a reinforced container dropped at the bottom of the Mariana Trench for all I care; if the API is active in production models, it's going to get discovered and exploited. Nefarious usage, especially, won't be stopped by "Hey, you're not supposed to use this!"

    There really is no excuse for this. It's just sloppy security practices.

  15. OAuth for Apps? Seriously? by Luthair · · Score: 4, Interesting

    The article is mostly FUD. To start, OAuth is not a User->System authentication system, it's a three-party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to api, 3rd party to api, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service are also inherently present in OAuth when implemented in a non-web app:
    * Entering login information into any application inherently provides it to the application's author
    * SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token

    The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.

    While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile applications.
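
Added example (not part of any comment above, and not Tesla's code): a sketch of the owner-side revocation that this thread says is missing from tokens valid for up to 3 months. The class, application names, scope names and e-mail address are hypothetical, and the clock values are constructed.

```python
import hashlib
import secrets
import time

NINETY_DAYS = 90 * 24 * 3600  # about the "3 months" token lifetime discussed in the thread

class TokenStore:
    """Hypothetical API-side store: one bearer token per application, revocable by the owner."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> grant; the raw token is never stored server-side

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner, app, scopes, ttl, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "owner": owner, "app": app, "scopes": frozenset(scopes),
            "expires": now + ttl, "revoked": False,
        }
        return token

    def revoke(self, owner, app):
        """Owner cuts off one application without touching the others."""
        hits = [r for r in self._rows.values() if (r["owner"], r["app"]) == (owner, app)]
        for row in hits:
            row["revoked"] = True
        return len(hits)

    def authorize(self, token, scope, now=None):
        """Return the owner if the token may perform `scope` right now, else None."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None or row["revoked"] or now >= row["expires"]:
            return None
        return row["owner"] if scope in row["scopes"] else None

def demo():
    store, t0, me = TokenStore(), 1_000_000.0, "owner@example.com"  # constructed values
    site = store.issue(me, "value-added-site", {"read_state"}, NINETY_DAYS, now=t0)
    phone = store.issue(me, "owner-phone", {"read_state", "honk_horn"}, NINETY_DAYS, now=t0)
    before = (store.authorize(site, "read_state", t0 + 60), store.authorize(site, "honk_horn", t0 + 60))
    store.revoke(me, "value-added-site")  # owner reacts to a breach at the third-party site
    after = (store.authorize(site, "read_state", t0 + 120), store.authorize(phone, "honk_horn", t0 + 120))
    return before, after, store.authorize(phone, "honk_horn", t0 + NINETY_DAYS)
```

Without `revoke`, the third-party site's token would stay valid until the 90-day expiry check in `authorize` finally rejects it.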

    1. Re:OAuth for Apps? Seriously? by pavera · · Score: 2

      The problem with the article is there are *no* authorized third party apps that use this API. Tesla does not provide third party access.

      People have reverse engineered the api, and then if you give these third parties your credentials, they can make calls to the api and do things to your car. The article is arguing that *any* API that is exposed on the net *must* implement OAuth so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app access.

  16. Re:so besides all that by Ralph+Wiggam · · Score: 2

    The only other 4 door car that can do 0-60 in 4 seconds is the M5. Comparing a 5 passenger sedan to a 2 seater roadster isn't fair. It's also $30k less than your Roadster and almost every other car with sub 4 second 0-60 times.

  17. Re:so besides all that by elistan · · Score: 2

    > It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

    Nitpick - max power at all RPMs. If a power source supplies a constant 10kw, the electric motor will of course operate at a constant power of 10kw. It should be obvious that 10kw equates to very different torque values at 1 rpm and 10,000 rpm.

    The advantage of electric motors, which you allude to, is that the max power (150 kw, 200 hp, whatever) is available immediately, rather than only once engine revs climb high enough like in a petrol engine. (Although due to real-world esoteric reasons I don't fully understand, the efficiency with which that power is turned into motive force isn't constant throughout the rev range - max torque of many electric motors is actually not right at 0 rpm, but the concept is close enough to reality to illustrate the differences between electric motors and internal-combustion engines.)

    So a Tesla Model S will essentially operate at 310 kw regardless of engine speed, while an ICE with the same peak power output will generate 310 kw only at one specific RPM, and will be less, sometimes a lot less, at all other speeds.

    ps - why is one a "motor" and another an "engine?" What's the difference?

  18. Re:so besides all that by Immerman · · Score: 2

    > why is one a "motor" and another an "engine?" What's the difference?
    In modern usage an engine is a device that burns fuel to generate torque. Historically it was used for any device that converts force into motion: hence battering rams and catapults being siege engines, and the cotton (en)gin(e).

    Motors apply to pretty much everything else that might once have been called an engine. Most commonly they convert electrical, elastic, or compressed-gas energy into mechanical energy. But there are even molecular motors such as the myosin in muscles that converts chemical energy into mechanical work.

    My personal rule of thumb - if it's powered by heat it's an engine. Heat being a very low-quality form of power it suffers from large and theoretically unavoidable thermodynamic inefficiencies when converting to higher-quality forms. An electric or spring-driven motor on the other hand could, in theory, be 100% efficient.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.