
Security Evaluation of Tesla Model S API - Ighart
http://www.dhanjani.com/blog/2014/03/curosry-evaluation-of-the-tesla-model-s-we-cant-protect-our-cars-like-we-protect-our-workstations.html
======
suprgeek
A bit tangential to the Main post, however, taking a quick look at the so
called "REST API" of Tesla:

/vehicles/{id}/command/charge_port_door_open - Open the charge port.

/vehicles/{id}/command/charge_max_range - Set the charge mode to max range

/vehicles/{id}/command/door_lock - lock doors

These are all GET Methods.

I am a bit surprised that the company that claims to pay so much attention to
detail has used blatantly incorrect principles (using HTTP methods designated
idempotent & safe for actions that change the state of the car) for their
"REST" API.

~~~
georgemcbay
Where does Tesla call it a "REST" API?

AFAIK the API isn't even publicly documented (officially) and is only known
because it was reverse engineered by sniffing traffic from the iOS and/or
Android apps. The people who did that work refer to it as a "REST" API, but
they aren't Tesla.

As far as whether they should be using GET for these calls regardless of
whether they call the API a "REST" one or not -- they are a pragmatic company,
and the simpler the software is on an embedded device like a car the better;
strict adherence to the intent of various HTTP methods is less important than
just keeping things as simple as possible; maybe they didn't even implement
POST or PUT, I doubt they are running Apache on that thing.

~~~
cynicalkane
If they only have one method it should be POST. HTTP clients are free to retry
GETs without warning the user or even without their direction.

~~~
Perseids
Do you know of any library that generates multiple GETs without some blatant
warning in the documentation? I would guess that even though it might be
allowed in the RFC it poses no problem in practice.
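
The GET-vs-POST and retry points raised in this sub-thread, as an added example that is not code from the thread or from Tesla: a toy dispatcher for the three command paths listed above that refuses safe methods for state-changing commands and uses an assumed `Idempotency-Key` request header (a common convention, not something the thread attributes to Tesla) so a client retry replays the stored answer instead of re-running the command.

```python
# Added example: minimal dispatcher for the command paths named in the thread.
# The Idempotency-Key header and the in-memory key store are assumptions.

# Command names taken from the thread; paths look like /vehicles/{id}/command/{cmd}
COMMANDS = {
    "charge_port_door_open": "open charge port",
    "charge_max_range": "set charge mode to max range",
    "door_lock": "lock doors",
}
SAFE_METHODS = {"GET", "HEAD"}   # must never change state (RFC 7231 s4.2.1)

_seen_keys = set()               # idempotency keys already acted upon (demo only)


def parse(path):
    """Split '/vehicles/<id>/command/<cmd>' into (id, cmd), or None."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[0] == "vehicles" and parts[2] == "command":
        return parts[1], parts[3]
    return None


def dispatch(method, path, headers=None):
    """Return (status, body). Commands require POST plus an Idempotency-Key."""
    headers = headers or {}
    parsed = parse(path)
    if parsed is None:
        return 404, "not found"
    vid, cmd = parsed
    if cmd not in COMMANDS:
        return 404, "unknown command"
    if method in SAFE_METHODS or method != "POST":
        # A safe method reaching a state-changing command is a design bug:
        # refuse it and advertise the method that is allowed.
        return 405, "Allow: POST"
    key = headers.get("Idempotency-Key")
    if key is None:
        return 400, "Idempotency-Key required"
    if key in _seen_keys:
        # A retried POST (same key) replays the stored result; the command
        # is not executed a second time.
        return 200, f"{COMMANDS[cmd]} (replayed)"
    _seen_keys.add(key)
    return 200, f"{COMMANDS[cmd]} for vehicle {vid}"
```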

------
theboss
Car security is a big deal. The amount of code running on cars compared to the
amount of security researchers working on it is incredible. I can count the
car security researchers I know of on one hand.

This is really something we really need more of, even in cars without nice
pretty APIs like Tesla's because they have a lot of code on them too.

------
zxcvgm
Letting the car automatically phone home to the manufacturer worries me.
Collecting anonymous stats about the car's health and battery condition will
help them design better vehicles and firmware in future, so that's okay. But
isn't knowing the location of each and every Tesla vehicle, and who they
belong to some kind of privacy risk? Is law enforcement able to subpoena the
manufacturer to release all previously recorded locations of an individual and
use that as evidence against him?

The ability to remotely unlock the car opens up a whole new can of worms.
Could someone potentially steal a car (like how they steal domains and twitter
handles) through social engineering? Or perhaps by stealing the auth token on
the user's mobile device? If you don't continue paying the loan for your car,
could they refuse to unlock the vehicle remotely?

~~~
toomuchtodo
> The ability to remotely unlock the car opens up a whole new can of worms.
> Could someone potentially steal a car (like how they steal domains and
> twitter handles) through social engineering? Or perhaps by stealing the auth
> token on the user's mobile device? If you don't continue paying the loan for
> your car, could they refuse to unlock the vehicle remotely?

You know GM's OnStar
[[http://en.wikipedia.org/wiki/OnStar](http://en.wikipedia.org/wiki/OnStar)]
has existed since 1995, and allows not only for vehicle tracking, but the
remote shutdown of the vehicle (typically used in the event of theft),
correct?

~~~
eurleif
And cars that won't start if you don't pay your loan are already a thing:
[http://edition.cnn.com/2009/LIVING/wayoflife/04/17/aa.bills....](http://edition.cnn.com/2009/LIVING/wayoflife/04/17/aa.bills.shut.engine.down/index.html)

------
coreymgilmore
So, just to summarize and understand this article:

Basically, the Tesla software has some holes that need to be patched and some
security settings changed. However, there has not been a proven method to
penetrate the cars' software yet.

I see this becoming a concern in the coming months as more people purchase
a Model S and more people start to tinker with it. I am intrigued to see if
systems such as propulsion and braking are easily hacked considering how the
whole car is basically networked. We shall see...

~~~
stingrae
I would summarize it more as: the main vulnerability is the user's choice of
password, the security of their email account (including phishing emails), or
the possibility that a Tesla employee could fall for social engineering. None
of which are actual vulnerabilities.

There is the possibility that one day an issue could be found in one of their
services, but these issues could be found in almost any modern service.

~~~
hueving
> None of which are actual vulnerabilities.

That's an extremely dangerous position to take. Any reasonably secure system
deals precisely with these problems through password policies and principle of
least privilege. For example, successfully phishing a Tesla engineer's email
credentials should not get you access to active vehicles. If this were the
case, I would classify this as a major vulnerability because many things can
result in access to someone's email.

------
israelyc
OnStar by GM has many of these features (app, location, unlock, customer
service representative can unlock etc.). I don't think there is a recorded
hijack/hack there either.

~~~
honksillet
It's not that these features exist which is the problem. It's that Tesla has
implemented its security poorly, potentially exposing these features to
hackers.

~~~
israelyc
Calling from the registered phone number and verifying address is all you need
to get OnStar to unlock your car (I am not sure if it's still the case now, but
it was the case two years ago).

Same thing for username and password. That's all you need to log into their
app. Not sure about failed attempts, but there are no other authentication
methods.

