Join The Community

Flaws in REST API Authentication

I wrote up a critique of the authentication model in the Tesla REST API:

The troll hunters will hate it, I'm sure.

I never said any such thing.

If you are an actual writer, as you claim, then you will know exactly what kind of message it is that you are transmitting, and that was your message.

The title alone "Authentication Flaws in the Tesla Model S REST API" sends that message, the text that follows in the article further reinforces it.

If you do not understand this then you are not a writer, you are a hack.

Which is probably fine too, the modern media scene is full of hacks. People will get used to it.

AuthC = AuthN = Authentication
AuthZ = Authorization

Hardly non-standard and a bit peculiar you wouldn't know the abbreviations since you write about them, I must admit.

If you are an actual writer, as you claim, then you will know exactly what kind of message it is that you are transmitting, and that was your message.

Wait. Which is it? I wrote it or I didn't? You can't have it both ways.

"Authentication Flaws in the Tesla Model S REST API" is an accurate and factual description of the issue. It is not sensationalism. The article is about authentication flaws in the Tesla Model S REST API.

And I start the article making it damn clear that this is not a safety issue.

I have no trouble sleeping at night with the tone I picked for the article.

This issue is not only a Tesla problem, even though it hasn't occured yet. VW Group announced a couple of weeks ago that they were placing a lawsuit against an university to stop from publishing a way to hack into VW cars (which are VW, Audi, Porsche, Bentley, and Bugatti). In a way, it's good and bad that this article got published. Good in the way, that Tesla and other vehicle manufacturers can keep an eye on this and make the necessary changes to keep their vehicles safe and secure. Bad in the way, it opens the eyes to every hacker to hack into our vehicles seeing that it is possible. Trust me hackers will find a way. One good thing for us, Tesla owners, (or in my case, soon to be owner) is that we just have to get a download and it's fixed. Other are not so lucky.

I know enough.
Thanks for pointing this flaw out, George.
I'm confident Tesla will fix it in due time.

+1 omarsultan, +1 GReese

Let's lighten up on GReese. His article is factually correct, and if we ever want to have secure third-party apps and web services for our Teslas, it will be very helpful if Tesla engineers create a public API that resolves the issues he raised. I don't think he's trying to say "ZOMG hackers can log into your Tesla today" -- instead, I think he's saying "Entrepreneurs are so desperate for a good secure public API that they are willing to reverse-engineer the unpublished one that Tesla uses today in order to add value to the car, but they are concerned about the long-range implications of that de-facto API".

I, for one, am intensely interested in releasing an iPhone app for Tesla. While researching the reverse-engineered (supposedly 'private') API, I ran into exactly the same issues as GReese did.

I could have released a valuable cloud-based web service for Tesla owners last month, but I stopped work on it because it would require people to give their secret username/password credentials to my website. Even though some owners might trust me enough to do that, it's such a huge security concern that I decided not to offer it. I don't want to be the guy responsible for an accidental security leak of thousands of passwords (or 3-month tokens).

This whole situation mirrors the early iPhone days -- Apple didn't publish APIs, and didn't want third-party native apps. But the coding community reverse-engineered and made some amazing stuff (which sometimes had bad side-effects). Once Apple came around, and created a robust public API, the market exploded (in a good way).

By creating a public API, Tesla can control its destiny. By keeping it private, hackers will control its destiny. Which would we prefer?

Just to make it clear: The published flaw is NOT "a way to hack into" a Tesla. You can't hack into a Tesla in any known way. Maybe later, but not now.

And anybody who says different, I'll gladly challenge to hack into my car.

... Oh wait... I don't have it yet! Darn. (Counting months.)

Shouldn't this conversation be locked?

I don't think he's trying to say "ZOMG hackers can log into your Tesla today"

You are probably right. He probably just doesn't understand what effect his words will have. The timing of the market is perfect now for a Tesla hit piece, but if nothing else this debate has convinced me that that was probably not his intention even if it may end up being the result.

+9.24 (6.25%)

+1 mrspaghetti -- about 30 comments ago.


So you're argument is that I should not write about anything that isn't a glowing puff piece on Tesla?


I'm not paid to be in Tesla's PR department. I am an expert in cloud computing and API design and I write articles from time-to-time on those subjects. I'm also a Tesla owner. Made for a natural thing to do on my day off yesterday to write an article combining the two.

So you're argument is that I should not write about anything that isn't a glowing puff piece on Tesla?

No, if you had been paying attention you would have noticed that my argument is you did a sensationalist hyperbole piece misleading people to think there is an actual security problem in the car, when in fact the only issue is that the car is lacking a feature that you'd rather it had. Third-party access to the car may mean the world to you, and would certainly have been nice to have, but you would have been better served actually asking for that instead of pretending its absence is an actual security issue.

I'm gonna disable API access to my girl and plead Tesla to go this route:

Kidding! ;-)

@Greese, you are dead right in everything you wrote. I am amazed at the stupidity of some of the attacks here both on your person, and on the content of your message.

If my online bank had a security mechanism like this, I wouldn't worry. Because there is no way anyone could ever tempt me to give them my password. And if someone was STUPID enough to do that, shame on them and their loss, like several posters above have mentioned.

But the capabilities of the Tesla Model S API, and the incredibly USEFUL applications that could be developed on top of it, make it SO tempting that even people who have been warned about the fact that with access to their battery statistics, they also give a third party access to the GPS location of their car and the capability to unlock it, they still go ahead and willingly supply their username/password to someone they know nothing about. Volkerize search on my handle and the term OAuth to see me pulling my hairs out over that one.

Tesla should have gone OAuth with their API from the get go. I have looked up a profile on Linked In from someone who looked like he was lead architect for Tesla's software design team and contacted him about it months ago, but no reaction. I hope this gets their attentions.

This just in:

I am “expert” reviewer of banks, and I have to warn you that your money in the bank is not safe.

I have just discovered that if you give the userid and password of your online bank account to someone else, they can steal your money! That clearly means that banks security API is flawed: it allows other users to type in your credentials!

Let’s call Forbes and have them write a nasty article criticizing banks!


Actually, the authentication for most banks is fundamentally flawed.

There are very good reasons for allowing third-parties access to your bank accounts, Tesla account, or Twitter account. These entities should make sure they are designed in such a way that doing so does not create or at least minimizes the problems that can cause.

Twitter does that.

Banks don't.

Tesla does not.

Do you not have a day job?

@sia, read my post and try to wrap your head around it. I have seen and spoken with many people on this forum, who would NEVER give the username/password of their bank account to anyone, that still have willingly given their Tesla username/password to unknown third parties who did nothing other than promise, cross their hearts hope to die, to not misuse that. Why? Because the third party offered a nice web app that shows battery statistics.

Tesla owners are being persuaded into giving their password away to unknown parties on a daily basis. This is actually happening! Volkerize it! Until now, these third parties have proven to be been relyable. But anyone who just finished "Programming 101" in community college can write such a web app and get Tesla owners to give up their password. If one of them misuses that trust and THAT gets picked up by the media, the shitstorm coming down on Tesla will be tremendous!

All it takes is one mediocre programmer that shorted on TSLA, and one more gullible Tesla owner

If one of them misuses that trust and THAT gets picked up by the media, the shitstorm coming down on Tesla will be tremendous!

Well said.

The issue of street cred came up so I amazon'ed George for a refresher of what was written so far. It seems like your knowledge is seasoned in JDBC, MySQL, Java, REST, and cloud. In the reviews for your REST book, a reader mentions that examples were simple, focused around GETs only, and gave dangerous security advice. It's easy to find 1 bad review everywhere though. Moving on, I checked out your Cloud Architectures book, which focused only on Amazon EC2 and maybe 1-2 other services as an addendum. Reading the sample chapters, it was mostly command lines and general musings about what people think the word cloud means.

It seems to me you're good at the basic college student stack, had an early career change, got a MBA after a BA in philosophy, and became a technical journalist. Now, why this is important, is for each reader to interpret. If you did not mention your fame it would not be under attention atm.

Those technologies are great, but you wait for people to make something then criticize or assert improvements without thinking up clear examples (as mentioned by the readers who bought and reviewed your books). It's cool to be passionate and ambitious about theory, download and use popular web stacks, then talk about them. It's just fun and profitable though.

The internet of things is more than a CRUD. My radio can already GET waves, so what. Either you really believe that bringing REST to public attention would be revolutionary for consumers, or just wanted a name behind an idea, it isn't pushing ideas forward and even set back a legendary man's name (Tesla not Elon (okay Elon too)) back by 3, by stifling advancement with example-less writings. Those are just books, which you may not have total content control over.

In one of your blogs "The Good, the Bad, and the Ugly of REST APIs" it mentions that "chatty APIs suck." In your definition a chatty API is one where "any API that requirements me to do more than a single call to perform a single, common function." Aside from a grammar error no one has caught since 2011, you are not even considering Web Sockets, secure handshakes, or asynchronous behavior using the JVM's more modern techniques. Chatty APIs are the essence of "internet of things." When discussing such high concurrent processing in real-time and real-life, some more advance languages, practices, and thinking required. For example, Erlang is the basis for modern messaging servers, Scala + Netty to accept tiny incoming REST requests, or even Erlang as the HTTPS front-end. Why focus on such low-level options when a world of software on the level of Tesla S's ingenuity exists?

Grow old and think young. Software is a humble man's game.

In the reviews for your REST book, a reader mentions that examples were simple, focused around GETs only, and gave dangerous security advice. It's easy to find 1 bad review everywhere though.

And yet you willfully selected the one negative review in a sea of good to great reviews. If you actually read the content of that review with respect to the rest of the reviews, you'd know that particular reviewer clearly didn't know what they were talking about.

I brought up my expertise because people were asking me why I would write this article. I wrote this article because of my expertise in REST API design.

As far as verification goes, it's easy to verify my body of work. You had to try really, really hard to paint that work in a negative light. I will guarantee you will not find an informed critic who is aware of my work who won't concede I know what the hell I am doing with REST APIs and cloud computing.

The rest of your analysis is actually worse than your cherry-picking of a single negative book review above.

Thanks GReese for the information. I had wondered about the security and I do not know enough to check it out myself. I am glad you put this information out there.

@Greese...we have issues with some of your unreasonable statements such as giving an ICE car for a loaner is the biggest injustice perpetrated on Model S owners, even in the short term due to shortage of Model S loaners. One has to look at your assertion more closely to validate your present claim given your WAR off base remarks in the past before it can be taken seriously. I still want to know if you own a Model S in a pic taken with you as well as a well known landmark of your city, which I believe you claimed to be Seattle a while ago.

WAY off base

In the above post "Way off base" should read "WAY off base".

@ justineet -> troll hunter

@GReese....I don't know if you are accurate on this issue. I will leave that for folks in the computer field to analyze and give their opinion. But I know one thing for sure: some of your past statements have been very inaccurate or unreasonable....

But I know one thing for sure: some of your past statements have been very inaccurate or unreasonable....

For instance?

You mention me complaining about giving out ICE loaners when Tesla is supposed to give you out Teslas. It's NOT acceptable. I did not, however, describe it as "biggest injustice perpetrated on Model S owner".

Actually, it probably is the biggest injustice perpetrated on a Model S owner. But that's relative comment. After all, there does have to be a "biggest injustice perpetrated on a Model S owner". I think that actually qualifies. In the scheme of things, however, it's not in itself a horror. It's just wrong and inconsistent with other luxury car maker lending policies.

Fortunately, that hasn't been my experience. I got a Model S 60 loaner when I took mine in.

So, basically, we have you disagreeing with one thing I said and now you're making a big unrelated to-do about in your troll hunting? You are indeed the king of the troll hunters.

Wow, a bunch of people who don't know what they're talking about got their panties in a twist because of a sort of critical article.

George laid out a case for why the API should have a better AuthN and AuthZ model. He called the shortcomings "flaws" and pointed out that their are other well established, simple ways of doing things, especially given that Tesla's API is not some completely off the wall brand new kind of thing. It's a basic REST API that allows an authenticated client to do some things. It's not exactly groundbreaking.

I think he is right to question why it was done this way and call out that it should be improved.

As for why it is the way it is, I'm sure you could only know if you were there at Tesla. I wouldn't doubt that lack of time and manpower at least played some part. Perhaps the performance review process at Tesla encourages developers to make homegrown stuff instead of look for existing solutions. Maybe the developers they hired only know embedded systems and they don't have experience with apps and stuff. Maybe they just did what they that was quick and cheap and intended to fix it later. Who knows. We don't. But why are you guys mad at George for discussing it?

X Deutschland Site Besuchen