Why I deactivated Tesla app access

The official Tesla App is unfortunately not available for Ubuntu Phone. And there is no indication that it will be on my next phone, the Librem5 from Purism. On the bright side, from the computer I can control my car using the VisibleTesla desktop app running inside a docker container. But the best part about remotely controlling the car is that the API is publicly documented. Bindings are available for most scripting languages. That allows me to control the car from my Ubuntu phone at the command line. It also allows me to run a cron job to pre heat the car before I drive to and from work. It also allows me to precisely track how much electricity I charge, and where. It also allowed us to open the doors directly from an ethereum smart contract at Hack4Climate. And it allowed me to implement a cool live tracking for our summer holiday road trip. The possibilities are endless.

All my scripts authenticate using a token that is said to expire after 90 days. I set up my scripts so that I can enter my password to get a new token. And then the new token is used from there. Usually I enter the password on a maximally secured system, and then copy the file containing the access token to the other systems. That is because I saw in the API documentation, that remote starting the car requires the password explicitly. So if a hacker gained root access to my server or my phone, he could open the doors, but not drive away with my car.

When I first discovered that the Tesla account is secured only with a password, I was bewildered. I mean, this account is essentially a virtual key to my car. Everything that secures something with a value above a few hundred bucks, has used two factor authentication for many years. Having been in the Bitcoin space for some time, cyber security is very important for me. I refuse to use software based 2FA, instead I insist on hardware solutions. I have used a USB dongle with a secure element to manage my GPG keys for a long time. I use FIDO U2FA wherever I can. Most of my crypto currency holdings are secured by multiple hardware wallets. I switched my bank, because the former used text messages as second factor. And now, I find out that the most expensive thing that I bought in my entire live, is secured with only one factor. Wow! That was shocker No 1! So I picked a very long and hard to guess password. I didn’t store it anywhere. I am very cautious on which devices I even type it. But still I was uneasy about it all along.

Last week some of my scripts started reporting errors. As expected, an access token was expired. But I failed to get a new one by entering the password. So I tried logging in on the Tesla website. What I got to see, was a message that my account was blocked due to too many invalid login attempts. There was a button to reset the password. The result of that reset request was an eMail in my inbox with a link to a web form, where I can enter a new password. Hey, but wait a second. That eMail was NOT encrypted! Even if the link is only valid for a few minutes, everybody who sees it could take over my Tesla account, and steal my car. Seriously? That was shocker No 2!!! If a hacker gained access to my eMail account, he could even delete the mail, and I had no idea what’s going on.

I have regarded unencrypted eMails as an insecure means of communication for many years. And I thought that was common sense. For increased security, I run my own mail server. But my ISP added all the dynamic IP addresses to a spam list, and wants me to pay for an expensive business account in order to have eMail work well. Hence I use an externally hosted eMail address for most of the time, also for my Tesla account. So I wanted to quickly verify the security of that mail account. And while I’m at it, change the password to a more secure one. But the first surprise came in the form of the customer login to the management system. It was http only. No way to enter the password without running the risk of it being eavesdropped on. Seriously? That was shocker No 3!!!

Sure, it’s easy to blame my eMail provider, or me for selecting it. In reality it used to be hosted with another company that was later acquired. That just highlights the fact, that it is outside of your control. Email is not secure, and should not be used to transmit sensitive information, unless it’s encrypted – Period! I read about hacked eMail accounts and account takeovers every week. Lots of websites require some security questions in order to unlock an account. That’s better than nothing, if there is not a lot at stake. But if an account controls anything of value, solid 2 factor authentication is a must. Even if the mail account offers FIDO U2FA, I wouldn’t trust it with my car. For example gmail offers U2FA. But guess what happens when you log in with a browser that has no support for it. Yes right, convenience gets priority over security.

Account Recovery Exploitation is a known problem. Let me quote a paragraph from an article by yubico: 5 Surprisingly Easy Ways Your Online Account Credentials Can Be Stolen

Due to the large scale of users for many services and the general desire to keep support costs low everywhere, account recovery flows can be much weaker than the primary authentication channel. For example, it’s common for companies deploying strong two-factor authentication (2FA) solutions as their primary method to leave SMS as a backup. Alternatively, companies may simply allow help desk personnel to reset credentials or set temporary bypass codes with just a phone call and little to no identity verification requirements.
Services implementing 2FA need to strengthen both the primary and the recovery login flow so that users aren’t compromised by the weaker path.

Unfortunately, both the primary and the recovery login flow of the Tesla account are incredibly weak. As much as I love the cool and convenient features from remotely controlling my car, I disabled app access in the settings screen of the car. I would like to re-enable it very much. But only once I can trust the security of it again.

I read many times how important security is for Tesla. And how fast they respond to fix vulnerabilities. But then I found numerous reports of people complaining about the very same problems from FOUR years ago: 1 2 3. Sure, security means different things to different people. I’m grateful to the engineers who make sure, I don’t get killed in the car. But I also don’t want my car to get stolen or broken into so easily. When discussing this topic on a forum, one guy stated he doesn’t want to carry a secure hardware device the size of a key, and that he doesn’t care if his car is stolen. He has insurance. I have insurance too, but still don’t want to go through that experience.