Tesla Model S REST API Authentication Flaws 161
An anonymous reader writes "New Tesla owner and Executive DIrector of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"
Hopefully A Light Will Come On Over At Tesla (Score:2, Interesting)
Hopefully a light will come on over at Tesla about API security. Let's just hope it's not a Phillips Hue (http://www.engadget.com/2013/08/14/philips-hue-smart-light-security-issues/)
Major fail for Tesla (Score:5, Interesting)
Re:so besides all that (Score:5, Interesting)
It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.
Re:Major fail for Tesla (Score:5, Interesting)
The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.
Re:You might be right. (Score:4, Interesting)
When the speed limit is 55.
Alternatively, when someone correlates driving patterns with murders and determines that you were parked in the parking lots of restaurants that were within walking distance of three unsolved murders. Can you prove you were eating? The whole time?
Yes, I can think of a lot of scenarios where you might care.
OAuth for Apps? Seriously? (Score:5, Interesting)
The article is mostly FUD. To start, OAuth is not a User->System authentication system, its a three party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to api, 3rd party to api, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service, are also inherently present in OAuth when implemented in a non-web app:
* Entering login information into any application inherently provides it to the application's author
* SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token
The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.
While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile application.
Re:so besides all that (Score:1, Interesting)
The Z06 isn't the pinnacle of good car handling. Heck, a $50k base Boxster is superior. American tastes I guess.