You might expect better from Tesla and Elon Musk, but apparently you would be disappointed: the OAuth token in your car's mobile app is stored in plain text. The token is used to control your Tesla and is generated when you enter your username and password. It is good for 90 days, after which it requires you to log in again so a new token can be created. Unfortunately, since that token is stored as plain text, someone who gains access to your Android phone can use it to open your car's doors, start the engine and drive away. Getting an Android user to install a malicious app that allows someone to take over their device has proven depressingly easy. Comments on Slashdot suggest it is unreasonable to blame Tesla for security issues in your device's OS, which is hard to argue with; on the other hand, it is impossible for Tesla to defend choosing to store your OAuth token in plain text.
"By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials."
Here is some more Tech News from around the web:
- CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security @ The Register
- Amazon Makes Good On Its Promise To Delete 'Incentivized' Reviews @ Slashdot
- Tech giants warn IoT vendors to get real about security @ The Register
- 8 of the best outdoor gadgets and accessories @ The Inquirer
“Where’s My Car, Dude?” is a pretty decent movie, shut up, Jeremiah.
There is only one Dude movie.
Yeah, well, that’s, just, like, YOUR opinion, man.
My friend made me watch this movie last night and I have to say it’s a pretty damn good movie… Though I’m not sure if sober me agrees.
Even if it was encrypted, I don’t think I’d feel safe leaving one of these tokens valid for 90 days… 90 minutes maybe? Just seems like a “Master of Laziness” skill.
Victim: Officer, so my car just started on its own and drove itself to the nearest chop shop. Officer: Yes, some of the traffic cameras that were able to view your car did not show any human driver, and strangely enough we were only able to recover the car’s GPS unit at the now abandoned chop shop. Man, the car thieves are going to have it good when all that self-driving technology gets here for real. They will never have to leave the comfort of their homes to boost your ride!
The OAuth token is stored as plaintext… in Android’s Secure Keystore. Which is intended, and recommended, for storing tokens. Because it encrypts them using a hardware key that cannot be accessed without root-level privileges. And it is attacking the Secure Store through a malicious rooting application that is the actual hack, and any app that stores tokens in the Secure Store is also vulnerable.
Complaining this is Tesla’s fault is akin to storing your credit card in a lockbox, having somebody exploit that lockbox to take that card and spend your money, then complaining to the bank rather than the lockbox manufacturer.