Transportation Security

Tesla Model S REST API Authentication Flaws

An anonymous reader writes "New Tesla owner and Executive Director of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"
  • by fyngyrz ( 762201 ) on Tuesday August 27, 2013 @03:19PM (#44689433) Homepage Journal

    There's something of a difference between "hey, look, some guy in a neat car" and "John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining."

  • by Stainless_Steel_Mous ( 1130169 ) on Tuesday August 27, 2013 @03:34PM (#44689585) Homepage
    Classic failure mode for companies that do not primarily write software, but use software in their products. We are seeing more and more of the continued use of security through obscurity followed by goggle-eyed amazement that haxors would figure out a way to penetrate the systems of the device/vehicle/airplane/whatever, finally ending in lawsuits to attempt to hide the existence of grotesque security failures. I cannot wait for the first corporation to be sued for insecure product design.
  • Seems Trollish (Score:5, Insightful)

    by sl4shd0rk ( 755837 ) on Tuesday August 27, 2013 @04:05PM (#44689955)

    Tesla is a big target in the crosshairs of the automotive industry right now so I'm very skeptical. Tesla is doing what no other company has been able to do in the US and that seems to be a problem with everyone from dealers [huffingtonpost.com] to falsified reviews in The New York Times [time.com]. Let's do without the TFA drama and have a look at the egregious attack vectors listed:

    1) You want to leverage a tool on a website with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves).

    This is a really broad claim. What's more, if you haven't logged in over an SSL connection then... well, you're kind of a dumbass.

    2) An attacker gains access to a website's database of authenticated tokens. It has free access to all of that site's cars up to 3 months with no ability for the owners to do anything about it.

    This is no less dubious than so many online services that I couldn't begin to count. The risk of compromise is an accepted one and hopefully mitigated. No fair faulting them without seeing how they would handle said compromise.

    In a nutshell, TFA is going to need to find more substantial basis for panic than this. Sheesh.
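The two attack vectors argued over above (a third-party site holding the owner's password, and a stolen token that stays valid for months with no owner recourse) are what a delegated-token design in the OAuth spirit is meant to remove. The following is an added example written for this discussion, not code from the article, Tesla, or any value-added site: a minimal token issuer where the owner grants a client a scoped, short-lived token and can revoke that client alone, with hypothetical scope names and an in-process signing key standing in for a real key store.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed in-process signing key; a real deployment keeps this in a KMS/HSM.
SERVER_KEY = secrets.token_bytes(32)
_issued = {}      # owner -> list of (token_id, client) so the owner can see and revoke grants
_revoked = set()  # token ids that the owner has revoked

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(owner, client, scopes, ttl=3600, now=None):
    """Owner delegates a scoped, short-lived token to a third-party client; the
    client never sees the owner's password (scope names are hypothetical)."""
    now = time.time() if now is None else now
    body = {"jti": secrets.token_hex(8), "sub": owner, "aud": client,
            "scope": sorted(scopes), "exp": int(now + ttl)}
    payload = _b64(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    _issued.setdefault(owner, []).append((body["jti"], client))
    return f"{payload}.{sig}"

def verify(token, action, now=None):
    """Return the owner if the token is authentic, unexpired, unrevoked and
    scoped for `action`; otherwise None."""
    try:
        payload, sig = token.split(".")
    except ValueError:          # malformed token
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged token
        return None
    body = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    if body["exp"] <= now or body["jti"] in _revoked or action not in body["scope"]:
        return None
    return body["sub"]

def revoke_client(owner, client):
    """Owner cuts off one compromised client without touching other grants or
    changing a password; returns how many tokens were revoked."""
    hits = [jti for jti, c in _issued.get(owner, []) if c == client]
    _revoked.update(hits)
    return len(hits)
```

A token leaked from one site's database is useless for actions outside its scope, dies at `exp` rather than months later, and can be killed by the owner on the spot, which is the recourse the second attack vector says is missing.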
