Tesla Model S REST API Authentication Flaws
An anonymous reader writes "New Tesla owner and Executive Director of Cloud Computing at Dell, George Reese, brings the Tesla Model S REST API authentication into question. 'The authentication protocol in the Tesla REST API is flawed. Worse, it's flawed in a way that makes no sense. Tesla ignored most conventions around API authentication and wrote their own. As much as I talk about the downsides to OAuth (a standard for authenticating consumers of REST APIs—Twitter uses it), this scenario is one that screams for its use.' While not likely to compromise the safety of the vehicle, he does go on to say, 'I can target a site that provides value-added services to Tesla owners and force them to use a lot more electricity than is necessary and shorten their battery lives dramatically. I can also honk their horns, flash their lights, and open and close the sunroof. While none of this is catastrophic, it can certainly be surprising and distracting while someone is driving.'"
I don't get it. (Score:4, Funny)
Can someone give me a car analog?
Re:I don't get it. (Score:5, Funny)
Sorry, cars are digital these days.
Re: (Score:2)
Maybe he really wants an analogue car. You know the kids that are hipsters now, their kids will be totally into ICE cars with carburetors and everything. (sound of dust blowing off paper) I just know these Studebaker share certificates will be worth something some day.
Re:I don't get it. (Score:4, Funny)
You wouldn't copy a car, would you?
Re:I don't get it. (Score:5, Funny)
Don't copy that jalopy!
Re: (Score:2)
Can someone give me a car analog? (Score:3)
Re: (Score:2)
I'm sure you could get a token revoked with an e-mail to Tesla. The API is not intended for use by third parties so really the only valid criticism here is "Tesla does not have a 3rd party API".
Re: (Score:2)
I don't get it (and I did RTFA which didn't help much).
It looks like this API is the API for third-party Android and iOS apps to use.
In order for those apps to log in, the user must provide the app with their Tesla motors username/password.
That isn't good security. Tesla shouldn't trust that every third-party is handling credentials properly.
Am I missing something?
Re: Can someone give me a car analog? (Score:2)
Agreed. The only way to exploit this security issue is if you give your login credentials to an unauthorized website using a private API. If you do that, shame on you!
Re: (Score:2)
not quite correct (Score:1)
The Tesla Model S will not allow you to run any controls remotely while you are driving even when logged into the iOS as a validated user. One can't honk the horn, flash light, vent the sunroof or unlock/lock the car while it is moving.
Re: (Score:3)
I've done it before.
Re: (Score:2)
What good's a horn or sunroof, if you can't use it while moving?
Hopefully A Light Will Come On Over At Tesla (Score:2, Interesting)
Hopefully a light will come on over at Tesla about API security. Let's just hope it's not a Philips Hue (http://www.engadget.com/2013/08/14/philips-hue-smart-light-security-issues/)
Major fail for Tesla (Score:5, Interesting)
Re:Major fail for Tesla (Score:5, Insightful)
Re:Major fail for Tesla (Score:5, Interesting)
The history of computing is littered with flawed attempts at designing new security protocols. As far as I can tell, the best practice is to adopt an existing open source technology that is well proven. If you're trying to do something new, you probably need to spend an unholy fortune on multiple independent audits of the system, as well as inviting people on security mailing lists to examine it, and possibly offering a bounty for discovered flaws.
Re: (Score:2)
WEP was never designed to be "secure"; it was designed to be inexpensive so low (compute) power devices could use it. It stands for "Wired Equivalent Privacy" which is not very private. Passively tapping your UTP Ethernet segment isn't exactly hard. All WEP was ever expected to do was discourage the casual snoop; a lock for honest people if you will.
Re: (Score:3)
WEP was designed to be secure, nobody would go through the trouble to invent a security protocol that they knew could be defeated by commodity hardware in under an hour. WEP was just designed poorly.
Re: (Score:2)
That is silly. There was never a need for a fully secure 802.11 specific solution. From the outset anyone who wanted that could just use IPSec tunneled or otherwise, either with 3DES or AES.
That is what people were always advised to do; if they needed both privacy and to run a traditionally clear text protocol over wifi. I have been part of Enterprise wifi deployment in one way or another since 802.11 became a standard and at no point did even any of the vendors attempt to pass WEP off as doing anything
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
The problem with the article and the sentiment you express is that this api is *not* a third party api. It is not published, it is not intended for use by third parties. Oauth is a PITA. Why would tesla setup Oauth between themselves and... themselves?
Oauth is designed to work between 3 parties, the user, the "authenticator", and a third party app that wants to access the authenticated service on behalf of the user. In this case, tesla implemented an API for their app to communicate with, so there is no
Re: (Score:2)
The article doesn't describe a security flaw with Tesla's API. What it does is complain about how Tesla doesn't provide a reasonable framework for allowing third party apps access to the car. Which is probably correct: Tesla never promised this and never intended to deliver it at this point in time.
The API that is provided is a proprietary one that is intended only for communication between the car and Tesla's own app. It has a perfectly fine password-based security implementation for which the article does
Let me get this straight (Score:5, Funny)
So he discovered a 10 year old?
Re: (Score:2)
I have one of those as well as a 7-year old. They are much more interested in the Slacker access from the 17" screen.
Re: (Score:3)
Re: (Score:2)
With this flaw, you could (feasibly) automate Rick Rolls of Model S owners, no small child necessary.
I want to see this as an Android application. Cross-reference with the license plate.
"Look, a model S"
"Oooh, what's the license plate?"
(Hilarity ensues.)
Re:Let me get this straight (Score:5, Funny)
"Never gonna roll your windows up,
Never gonna put your top down,
Never gonna run your battery down, or desert you."
The Tesla-plane Blues (Score:2)
I'd said I flashed your lights mama
your horn won't even blow
I even flash my lights mama
this horn won't even blow
Got a short in this connection
hoo-well, babe, its way down below
Not catastrophic? (Score:2)
I'd say being able to flash someone's headlights if they're driving on a winding, unlit road, at night, could most certainly be catastrophic.
Re: (Score:2)
That was exactly what I was thinking. That certainly sounds pretty catastrophic to me.
Seems Trollish (Score:5, Insightful)
Tesla is a big target in the crosshairs of the automotive industry right now so I'm very skeptical. Tesla is doing what no other company has been able to do in the US and that seems to be a problem with everyone from dealers [huffingtonpost.com] to falsified reviews in The New York Times [time.com]. Let's do without the TFA drama and have a look at the egregious attack vectors listed:
1) You want to leverage a tool on a website with some useful functionality. You enter your email/password. They willfully and incorrectly store that information and are subsequently compromised (or worse, they use it themselves).
This is a really broad claim. What's more, if you haven't logged in over an SSL connection then... well, you're kind of a dumbass.
2) An attacker gains access to a website's database of authenticated tokens. It has free access to all of that site's cars up to 3 months with no ability for the owners to do anything about it.
This is no less dubious than so many online services that I couldn't begin to count. The risk of compromise is an accepted one and hopefully mitigated. No fair faulting them without seeing how they would handle said compromise.
In a nutshell, TFA is going to need to find more substantial basis for panic than this. Sheesh.
Re: (Score:2)
Re: #1
What has logging in over SSL got to do with anything?
If a third-party is storing credentials that control everything, then you are screwed if that third-party is compromised. Twitter suffered greatly from these kinds of problems prior to adopting OAuth. The trick with OAuth is that the third-party never sees the primary credentials, just an application-specific set of credentials with very specific access rights. Because of the design of OAuth, it's also easy to revoke credentials on an app-by-app bas
Those who attempt to re-create Oauth... (Score:2)
...are doomed to do so in a way that is somewhat less secure but infinitely more usable.
Re: (Score:2)
When done right, OAuth is more secure and equally usable.
Usability issues crop up when OAuth is applied to contexts in which it makes no sense (system-to-system authentication).
Re: (Score:2)
Well, I'd argue this is one such context. There is no third party, Tesla's API is not designed for third party access, it's designed for Tesla app -> Tesla API communication. Adding Oauth to this workflow, just for kicks, certainly would decrease usability, as you'd get redirected to a third Tesla page, to provide your credentials and generate a token for Tesla's own app.... The facebook and twitter apps published *by those companies* don't use oauth, they ask directly for your username/password
Saying T
Re: (Score:2)
Tesla wasn't even trying to re-create Oauth, they *don't* provide third party api access. They implemented a perfectly reasonable first party api authentication mechanism. If users are inclined to give their creds to *unauthorized* third party apps then that is on the user.
Every API in the world shouldn't be *required* to provide third party access.
As usual, some things got left out... (Score:2)
Like the fact that Tesla's API is closed and 3rd-party applications are unauthorized and using it without any documentation other than what's been figured out through reverse-engineering. No doubt they need to do some work before publishing an API, but there's no warranty when you use homebrew.
Re: (Score:3)
There really is no excuse for this. It's just sloppy security practices.
Re: (Score:2)
It can be closed and the documentation sealed in a titanium safe stored inside a reinforced container dropped at the bottom of the Mariana Trench for all I care; if the API is active in production models, it's going to get discovered and exploited. Nefarious usage, especially, won't be stopped by "Hey, you're not supposed to use this!"
There really is no excuse for this. It's just sloppy security practices.
I'm not trying to excuse anything, simply pointing out that this exploit can only be executed with the end-user as a willing, active participant. Please, show me a security model that works in that scenario.
Re: (Score:2)
How is it sloppy security practice? You're seriously arguing that *every* *single* *api* on the internet *must* implement oauth right now because the api *will* be reverse engineered and users will be tricked into providing their credentials directly to a third party? Even when third party apps are not authorized? Every company with an api on the net *must* provide for third party access?
Oauth doesn't provide any security anyway. Users will still be tricked into providing their credentials directly to t
Heater & A/C (Score:2)
This brings 2 questions to mind:
1) Can an attacker use this exploit to remotely alter the heat and A/C settings?
2) Presuming the answer to 1 is yes, couldn't they use said exploit to overheat the element or over-cycle the compressor, causing a fire?
Third, kinda related question: Knowing that compressor motors and heating coils are the biggest amp draws in any circuit, how much does heater or A/C usage affect range? As in, running the A/C | heat at full blast would reduce the range from ~300 miles to what?
Re: (Score:2)
1. Only if there is a vulnerable third-party site with whom the user has shared their credentials. Out of the box, no.
2. I would consider that a flaw in the car if you could do that. The API and the fact it resulted from a hack would be incidental to the whole thing.
OAuth for Apps? Seriously? (Score:5, Interesting)
The article is mostly FUD. To start, OAuth is not a User->System authentication system, it's a three party authentication system. For OAuth to work as intended the three parties involved need secure communication channels between the pairs (e.g. user to api, 3rd party to api, and user to 3rd party). This leads to the fact that his first two complaints about the Tesla service are also inherently present in OAuth when implemented in a non-web app:
* Entering login information into any application inherently provides it to the application's author
* SSL is required between the 3rd party and the API service, otherwise eavesdroppers are able to obtain the API token, secret and user token
The final two flaws are really the same issue and are not part of authentication; however it is important that users are able to revoke access that they've provided to third parties. Missing that ability is certainly a problem but it is not a flaw with authentication.
While there are better methods for authentication that ought to be used by Tesla for their API (e.g. a long one time token the user enters, a QR code scanned, etc.), OAuth is not a better form of authentication for desktop or mobile application.
Re: (Score:2)
Not really. I believe the author's biggest beef is that the user should not be providing the app with their credentials to Tesla Motors.
This is true, and with OAuth they don't have to. All the third-party app gets is an access token. The access token can have completely different rights than the user account, and can be revoked/controlled by the user.
You can use OAuth for mobile/desktop access, it's just not as seamless as it is on the web. Here's a post that has some oth
Re: (Score:2)
Not really. I believe the author's biggest beef is that the user should not be providing the app with their credentials to Tesla Motors.
And I'm not arguing against that, the problem is that the suggestion of OAuth is moronic. The very same article you're linking conveniently also explains what I stated - to write a desktop application with OAuth the user must enter the username and password in the application. This entirely negates not trusting a third party with authentication, also known as the entire point of OAuth. (Though the article's author argues that the point is moot as a user is inherently trusting an application they install
Re: (Score:3)
The problem with the article is there are *no* authorized third party apps that use this API. Tesla does not provide third party access.
People have reverse engineered the api, and then if you give these third parties your credentials, they can make calls to the api and do things to your car. The article is arguing that *any* API that is exposed on the net *must* implement OAuth so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app
Re: (Score:2)
The article is arguing that *any* API that is exposed on the net *must* implement OAuth so that third parties can use it. Seems pretty crazy to argue that any api exposed to the internet must implement third party app access.
It's also crazy to claim that OAuth is the only mechanism for doing it. There are others that are stronger, though more of a PITA; we were doing secure third party service access by other mechanisms (there are a few variations based on client-authenticated SSL with security assertions) 10 years ago, and that expertise still exists. The good thing about OAuth is that it works very easily with browsers and is relatively simple for simple websites to support, but if there are no browsers or it's not a simple c
RE N Y Times road test (Score:2)
Much of Tesla's criticism of the Times was based on, supposedly, data that Tesla downloaded from the test vehicle.
Does this security flaw make it more likely that tesla, or a tesla employee, could have altered the data?
It's not REST (Score:2)
If you look at that API and you think it's REST, then you don't know what REST is. Here's Roy Fielding's blog post [gbiv.com] where he points out that these types of APIs aren't REST. Roy Fielding is the guy that described this architectural style and coined the term "REST" in the first place.
Here's one example: You perform a GET request at /vehicles to obtain a list of vehicles. These vehicles take the form of JSON data, including an id attribute. If you want to perform operations on a vehicle, you need to con
Re: (Score:2)
I remember reading Fielding's blogs and work when REST was becoming a popular term. The idea of hypertext links was not as prevalent. It was there with some mention to atom rss and the likes, but it wasn't the main point of REST.
There are some that think any stateless json/http webservice means rest. There are some that think anything with resources and actions on those resources is restful (ie: an sql select statement or your webservice example). And then there are those that follow R. Fielding's work a
Re: (Score:2)
Hypermedia as the engine of application state is listed as one of the four fundamental constraints of REST in his thesis. It's a central part of REST. It wasn't retrofitted later. If you missed it, you weren't paying attention. REST is essentially a description of the archi
Re: (Score:2)
I understand what they mean. Multiple business partners use the term. This isn't just "the people that work next to me". This is my observation among web developers across the board. I'm talking about all the big players, they use the term wrong. While I can applaud people for having concise definitions, I'm not about to tell all the third party APIs I use daily that their REST api's aren't REST. It's too much work. If you campaign to get everyone to use the term correctly, more power to you.
(PS - I
Re: (Score:2)
Here is what you originally said:
We weren't talking about the whole world fucking up, we were talking about your colleagues not knowing what they were talking about. To which my r
Re: (Score:2)
I don't feel like we are communicating well. What are you trying to tell me? I am talking about years after he published his Thesis. I'm talking about 2004 or so, when it became the fad to start calling things RESTful. At that time if you did a google for "REST" you would get a webpage from Fielding. That's what I found at the time and went with until I researched it more. And, no, I don't put effort into correcting people on this topic. You seem to think it warrants correcting people, I don't. Word
Re: (Score:2)
The point you were trying to make is that links being important is actually something that came later, and you tried to argue this point by saying you read his early work and blogs and it wasn't mentioned.
I am pointing out that it was a central theme right from day one. It was mentioned in his thesis published in 2000, and it's also ludicrous once you recognise the fact that REST is a description of the architecture of the WWW, which clearly revolves around links. It's not plausible that you could ever
I don't get it... (Score:2)
Why is this an issue?
Everything is secure, as long as a malicious piece of code doesn't steal the users' username, password and/or temporary authentication token. So - how would they claim to permit any type of login without this information being on the device - unless you make the user ente
how fast (Score:5, Funny)
Well, terminal velocity will depend on two factors: The ultimate wind resistance of its tumbling chassis, and how high it is above the ground when you drop it.
Re: (Score:2)
Re: (Score:2)
Drop from 22,000 miles: terminal velocity will be different than if you drop from 1 mile. So will several other things, like the temperature of the object, and the cost of the experiment. :)
Re:so besides all that (Score:5, Interesting)
It's fast as hell. It can do 0 - 60 in 4 seconds despite weighing 4600 pounds. Electric motors operate at max torque at all RPMs.
Re: (Score:3)
Nitpick - max power at all RPMs. If a power source supplies a constant 10kw, the electric motor will of course operate at a constant power of 10kw. It should be obvious that 10kw equates to very different torque values at 1 rpm and 10,000 rpm.
The advantage of electric motors, which you allude to, is that the max power (150 kw, 200 hp, whatever) is available immediately, rathe
Re: (Score:2)
According to MIT [mit.edu], not really anything these days.
They both came to describe the same thing from two different linguistic directions. It seems the only distinction between the terms these days is more rooted in nomenclature within a specific discipline and less on overall semantic accuracy.
Re: (Score:3)
> why is one a "motor" and another an "engine?" What's the difference?
In modern usage an engine is a device that burns fuel to generate torque. Historically it was used for any device that converts force into motion: hence battering rams and catapults being siege engines, and the cotton (en)gin(e).
Motors apply to pretty much everything else that might once have been called an engine. Most commonly they convert electrical, elastic, or compressed-gas energy into mechanical energy. But there are even mol
Re: (Score:2)
Dang. Learned another new thing today. Thanks.
Re: (Score:2)
The advantage of electric motors, which you allude to, is that the max power (150 kw, 200 hp, whatever) is available immediately, rather than only once engine revs climb high enough like in a petrol engine.
Nitpick - The torque on an electric motor vs RPM varies significantly based on winding type. For some motors, like a DC series-wound, you have an incredible amount of torque at 0 RPM (which is why they are used for starter motors). There are others - such as AC synchronous motors- that have nearly any torque at startup, and are usually built with a second motor on the same shaft to try to get the unit turning under load. Given a constant power source (i.e. voltage) the internal resistance (and hence current
Re: (Score:2)
Re: (Score:2)
"RPMs" has been a standard abbreviation for "Revolutions Per Minute" since... well, probably since the advent of reciprocating assemblies.
Where the hell have you been?
Re: (Score:2)
In a normal gas powered car with multiple gears, when you shift gears and drop the RPMs down, you lose torque and acceleration. In an electric car, which typically only have one gear, the car accelerates smoothly and evenly.
Re: (Score:3)
The only other 4 door car that can do 0-60 in 4 seconds is the M5. Comparing a 5 passenger sedan to a 2 seater roadster isn't fair. It's also $30k less than your Roadster and almost every other car with sub 4 second 0-60 times.
Re: (Score:2)
There are a few others, like the Cadillac CTS-V Sedan can do it in 3.9s, the Mercedes E63 AMG Sedan in 3.8s, etc.
Re: (Score:2)
Oh yeah. The CTS-V is a monster.
Re: (Score:2)
I've done 4.9 in my stock 2012 SRT8 Charger, and I'm sure it's capable of doing better than that.
Re: (Score:2)
Well the boxster has a maximum lateral acceleration of 1.0g, while last years corvette has a maximum lateral acceleration of 1.13g, so I would say you don't know your cars very well. Every major car reviewer disagrees with you, including Edmunds, Motor Trend, etc. Please go away.
Re: (Score:2)
I should also note that the $50k Boxster is worse in handling (1.0g vs 1.13g), acceleration 0-60 (5.1s vs 3.6s), quarter mile (12.7s vs 11.6s), the figure 8 test, and slalom runs. Of course, you could add an auto trans to drop its 0-60 to 4.5s, but that isn't the base model as you claim, and it's still not even in the same ballpark as 3.6s. The boxster doesn't even perform as well as the baseline corvettes, so your comparison is silly.
Re: so besides all that (Score:2)
Certain electric motors have max torque at zero rpm. DC motors with series wound fields do (eg. Starter motors) . The AC motor in the Tesla will have a lot of torque at zero rpm, but I'll wager that there is a higher value somewhere above zero.
Not quite getting it (Score:4, Insightful)
There's something of a difference between "hey, look, some guy in a neat car" and "John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining."
Re:You might be right. (Score:4, Interesting)
When the speed limit is 55.
Alternatively, when someone correlates driving patterns with murders and determines that you were parked in the parking lots of restaurants that were within walking distance of three unsolved murders. Can you prove you were eating? The whole time?
Yes, I can think of a lot of scenarios where you might care.
Re: (Score:2)
Re: (Score:2)
What's the phrase? Once is chance, twice is a coincidence, three times is a pattern.
Re: (Score:2)
What's the phrase? Once is chance, twice is a coincidence, three times is a pattern
At least in Goldfinger, the third time is "enemy action." Got Mr. Bond James Bond in a little trouble.
Re: (Score:2)
A stalker, your spouse's lawyer, just to name a couple.
It's not a case of 'what can they do', or 'I have nothing to hide', but rather a case of 'it should not be that easy'.
Re: (Score:2)
John Q. Private is currently at mile marker 23 on highway 2, proceeding at 65 mph in an easterly direction, with 100 miles of range remaining.
Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?
I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.
My car physically suddenly misbehaving, even if limited to peripheral systems -- that I can easily imagine causing a distraction and subsequently an accident.
Twenty miles due east of John Q. Public's current location, cellular services cease. Police response time to that location is estimated at 2.5 hours minimum. John Q. Public is driving a really expensive car, may be wearing expensive bling, and almost certainly has credit cards in his possession.
You can't think of anything bad that could happen?
Re: (Score:2)
Maybe I'm waiting to break into your house, and I want to know where you are currently at so I don't get caught....
Re: (Score:2)
Say I am John Q. Private. Can you give me a scenario where I might care that someone has this information?
I really can't think of anything bad that could happen to me if that information fell into the wrong hands. Or at least, nothing worse or more likely than many things that could already be done to me by someone with far less information.
Millions of restraining orders issued in the US every year. Not everyone has the luxury of not having to worry about who all might be out to get them. 1.5-2k women murdered per year in US by their SOs. You obviously have no idea what it is like to have to constantly watch over your shoulder. I hope you never do.
Maybe he should be, and just doesn't realize it yet.
Re:First World Priorites (Score:5, Funny)
Yeah, but the battery will run out two miles down the road, so it's not really a big deal.
Re: (Score:2)
I think a would-be thief still has to fight the battle with the engine anti-theft system to get the vehicle on and moving.
Tesla has some teething pains, as they are in completely new territory, and are not in the usual good ol' boy club with the other automakers, so they have to fight tooth and nail for everything.
For this to be their biggest issue, and in the scheme of things, it isn't that big a deal, it shows that their vehicles are pretty well engineered.
What I'd love to have as an option not just on a
Re: (Score:2)
All of that should be an advantage when building the web-related software features... A nice clean slate, no horrible-legacy-spaghetti-of-grafting-more-and-more-shit-onto-the-onboard-bus; but plenty of lessons conveniently learned by other people about how not to fuck up authentication on the internet.
That's the sort of baffling thing about this class of problem
Re: (Score:2)
No, not at all. It means that you can bypass the old cruft, but you have to pay for it with teething problems from new tech you replace it with. Both methods have their good and bad points.
Re:First World Priorites (Score:4, Informative)
There is a setting in the car where you can disable remote access. It's trivial to set.
Re: (Score:2)
In a world of interconnected devices (the Internet of Things), it's not about hypothetical sites. It's about real, interconnected sites. There are real sites out there that talk to Teslas and provide value beyond what Tesla provides. If you are building a connected device in 2013, you should take this reality into account.
Re: (Score:2)
And the stupidest phrase ever award goes to:
Internet of Things!
Re: (Score:2)
Re: (Score:2)
Read the article. This 'flaw' requires a Tesla owner's email address AND password to 'exploit'.
Well, then, thank $deity that email addresses are impossible to find out, and that passwords are uncrackable.
Re: Not a security flaw (Score:2)
OR someone to log into a dodgy third party site, OR someone to crack a third party site and get all the tokens
Re: Not a security flaw (Score:2)
That's something OAuth already addresses (which is why twitter and Facebook use it). When you log in via the portal page, it gives the third party app a token rather than letting them see your password. The token can be revoked at any time from your permissions page or the company can blacklist that app. Tesla's implementation shares the password with the third party apps AND the token can't be revoked early.
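The contrast drawn in the comment above, as an added illustration that is not part of the thread and not Tesla's or any OAuth library's code: a toy token service measures how long a token stolen from a third-party site stays usable when it is full-access and cannot be revoked for 3 months, versus scoped to one app and revocable by the owner. The owner, app and action names and the two-day detection delay are constructed for the example.

```python
from dataclasses import dataclass

DAY = 86400                      # seconds
OWNER = "owner@example.com"      # constructed sample identity
APP = "stats-site"               # hypothetical third-party service


@dataclass
class Grant:
    user: str
    app: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class TokenService:
    """Toy authorization server: maps opaque tokens to grants."""

    def __init__(self, revocable):
        self.revocable = revocable
        self._grants = {}
        self._counter = 0

    def issue(self, user, app, scopes, lifetime_s, now):
        self._counter += 1
        token = f"tok-{self._counter}"          # stand-in for a random token
        self._grants[token] = Grant(user, app, frozenset(scopes),
                                    now + lifetime_s)
        return token

    def revoke_app(self, user, app):
        """Owner cuts off one app. Returns how many tokens were revoked."""
        if not self.revocable:
            return 0                            # nothing the owner can do
        revoked = 0
        for grant in self._grants.values():
            if grant.user == user and grant.app == app and not grant.revoked:
                grant.revoked = True
                revoked += 1
        return revoked

    def authorize(self, token, action, now):
        grant = self._grants.get(token)
        if grant is None or grant.revoked or now >= grant.expires_at:
            return False
        return "*" in grant.scopes or action in grant.scopes


def breach_exposure(revocable, scopes, action, detect_day,
                    lifetime_days=90, horizon_days=120):
    """Days a token leaked on day 0 is still accepted for `action`.

    The owner learns of the leak on `detect_day` and tries to revoke the app.
    """
    service = TokenService(revocable)
    token = service.issue(OWNER, APP, scopes, lifetime_days * DAY, now=0)
    usable = 0
    for day in range(horizon_days):
        if day == detect_day:
            service.revoke_app(OWNER, APP)
        if service.authorize(token, action, now=day * DAY):
            usable += 1
    return usable


if __name__ == "__main__":
    # Full-access token, no revocation: usable until it expires.
    print("full access, fixed 3 months:",
          breach_exposure(False, {"*"}, "honk_horn", detect_day=2))
    # Token limited to reading charge state: the action is never in scope.
    print("scoped, control action:",
          breach_exposure(True, {"read_charge_state"}, "honk_horn", 2))
    # In-scope action: usable only until the owner revokes the app.
    print("scoped, in-scope action:",
          breach_exposure(True, {"read_charge_state"},
                          "read_charge_state", 2))
```
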
Re: (Score:2)
If I were to try this attack, I would up the car to a range charge and turn air conditioning on full blast. Then I would go through cycles of charging the battery up full and discharging it.
The electricity will add up, but maybe not a lot for most who can afford an $80K+ car.
The bigger issue is that this will decrease the battery life.
Re: (Score:2)