Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tesla Model S REST API Authentication Flaws

Posted by Soulskill on from the honk-if-i-control-your-car-remotely dept.

An anonymous reader writes "New Tesla owner and Executive DIrector of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"

14 of 161 comments (clear)

  1. I don't get it. by Anonymous Coward · · Score: 4, Funny

    Can someone give me a car analog?

    1. Re:I don't get it. by Rosco+P.+Coltrane · · Score: 4, Funny

      Sorry, cars are digital these days.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:I don't get it. by Anonymous Coward · · Score: 4, Funny

      You wouldn't copy a car, would you?

    3. Re:I don't get it. by theskipper · · Score: 4, Funny

      Don't copy that jalopy!

  2. how fast by fyngyrz · · Score: 4, Funny

    Well, terminal velocity will depend on two factors: The ultimate wind resistance of its tumbling chassis, and how high it is above the ground when you drop it.

    --
    I've fallen off your lawn, and I can't get up.
  3. Major fail for Tesla by RobinH · · Score: 4, Interesting

    With all the news about medical devices with deadly security flaws, and people even hacking into cars (even if only from the backseat), I can't believe Tesla really didn't even *try* to add proper security to their API. The only right way to do it (from a corporate perspective) is to hire an outside security company to audit your design and implementation, and to continue to monitor the security whenever changes are made (so continuously in this case). It's well known that you can't trust the programmers to implement security properly, especially if you had Elon Musk screaming over your shoulder like Steve Jobs all the time.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Major fail for Tesla by Stainless_Steel_Mous · · Score: 5, Insightful

      Classic failure mode for companies that do not primarily write software, bur use software in their products. We are seeing more and more of the continued use of security through obscurity followed by goggle-eyed amazement that haxors would figure out a way to penetrate the systems of the device/vehicle/airplane/whatever, finally ending in lawsuits to attempt to hide the existence of grotesque security failures. I cannot wait for the first corporation to be sued for insecure product design.

    2. Re:Major fail for Tesla by DuckDodgers · · Score: 4, Interesting

      Even for companies that primarily write software, it's easy to design something that looks secure to you but in fact is trivial to defeat. WEP wireless security is inherently flawed. PPTP VPNs from Microsoft are inherently flawed, though not as badly as WEP, and Microsoft has deprecated the entire protocol. WPS wireless easy setup is flawed. The AES encryption used by Megaupload in their re-launch earlier this year was not implemented properly, and thus is useless.

      The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.

  4. Re:First World Priorites by 0123456 · · Score: 5, Funny

    Yeah, but the battery will run out two miles down the road, so it's not really a big deal.

  5. Let me get this straight by DougOtto · · Score: 4, Funny

    "I can also honk their horns, flash their lights, and open and close the sunroof."

    So he discovered a 10 year old?

    --
    Solving Unix problems since 1989...
    1. Re:Let me get this straight by plover · · Score: 4, Funny

      "Never gonna roll your windows up,
      Never gonna put your top down,
      Never gonna run your battery down, or desert you."

      --
      John
  6. Re:so besides all that by Ralph+Wiggam · · Score: 4, Interesting

    It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.

  7. Seems Trollish by sl4shd0rk · · Score: 4, Insightful

    Tesla is a big target in the crosshairs of the automotive industry right now so I'm very skeptical. Tesla is doing what no other company has been able to do in the US and that seems to be a problem with everyone from dealers to falsified reviews in The New York Times. Let's do without the TFA drama have a look at the the egregious attack vectors listed:

    1) You want to leverage a tool on a website with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves).

    This is a really broad claim. What's more, if you haven't logged in over an SSL connection then... well, you're kind of a dumbass.

    2) An attacker gains access to a website's database of authenticated tokens. It has free access to all of that siteâ(TM)s cars up to 3 months with no ability for the owners to do anything about it.

    This is no less dubious that so many online services that I couldn't begin to count. The risk of compromise is an accepted one and hopefully mitigated. No fair faulting them without seeing how they would handle said compromise.

    In a nutshell, TFA is going to need to find more substantial basis for panic than this. Sheesh.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  8. OAuth for Apps? Seriously? by Luthair · · Score: 4, Interesting

    The article is mostly FUD. To start, OAuth is not a User->System authentication system, its a three party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to api, 3rd party to api, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service, are also inherently present in OAuth when implemented in a non-web app:
    * Entering login information into any application inherently provides it to the application's author
    * SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token

    The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.

    While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile application.