Tesla stores your Owner Authentication token in plain text ... which leads to a bad Ashton Kutcher movie

Subject: General Tech | November 25, 2016 - 12:52 PM |
Tagged: Android, Malware, hack, tesla, security

You might expect better from Tesla and Elon Musk but apparently you would be dissappointed as the OAuth token in your cars mobile app is stored in plain text.  The token is used to control your Tesla and is generated when you enter in your username and password.  It is good for 90 days, after which it requires you to log in again so a new token can be created.  Unfortunately, since that token is stored as plain text, someone who gains access to your Android phone can use that token to open your cars doors, start the engine and drive away.  Getting an Android user to install a malicious app which would allow someone to take over their device has proven depressingly easy.  Comments on Slashdot suggest it is unreasonable to blame Tesla for security issues in your devices OS, which is hard to argue; on the other hand it is impossible for Telsa to defend choosing to store your OAuth in plain text.

View Full Size

"By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

November 25, 2016 | 04:14 PM - Posted by Master Chen (not verified)

"Where's My Car, Dude?" is a pretty decent movie, shut up, Jeremiah.

November 25, 2016 | 05:24 PM - Posted by Jeremy Hellstrom

There is only one Dude movie.

November 26, 2016 | 03:20 AM - Posted by Master Chen (not verified)

Yeah, well, that's, just, like, YOUR opinion, man.

November 27, 2016 | 01:50 AM - Posted by wizpig64 (not verified)

My friend made me watch this movie last night and I have to say it's a pretty damn good movie... Though I'm not sure if sober me agrees.

November 26, 2016 | 05:25 PM - Posted by Fourty7

Even if it was encrypted, I don't think I'd feel safe leaving one of these tokens valid for 90 days... 90 minutes maybe? Just seems like a "Master of Lazyness" skill.

November 26, 2016 | 08:42 PM - Posted by Anonymous (not verified)

Victim: Officer, So my car just started on its own and drove itself to the nearest chop shop. Officer: Yes some of the traffic cameras that where able to view your car did not show any human driver and strangely enough we were only able to recover the car’s GPS unit at the now abandoned chop shop. Man the car thieves are going to have it good when all that self driving technology gets here for real. They will never have to leave the comfort of their homes to boost your ride!

November 28, 2016 | 09:19 AM - Posted by Anonymous (not verified)

The OAuth token is stored as plaintext... in Android's Secure Keystore. Which is intended, and recommended, for storing tokens. Because it encrypts them using a hardware key that cannot be accessed without root-level privileges. And it is attacking the Secure Store through a malicious rooting application that is the actual hack, and any app that stores tokens in the Secure Store is also vulnerable.

Complaining this is Tesla's fault is akin to storing your credit card in a lockbox, having somebody exploit that lockbox to take that card and spend your money, then complaining to the bank rather than the lockbox manufacturer.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.