You might expect better from Tesla and Elon Musk but apparently you would be dissappointed as the OAuth token in your cars mobile app is stored in plain text. The token is used to control your Tesla and is generated when you enter in your username and password. It is good for 90 days, after which it requires you to log in again so a new token can be created. Unfortunately, since that token is stored as plain text, someone who gains access to your Android phone can use that token to open your cars doors, start the engine and drive away. Getting an Android user to install a malicious app which would allow someone to take over their device has proven depressingly easy. Comments on Slashdot suggest it is unreasonable to blame Tesla for security issues in your devices OS, which is hard to argue; on the other hand it is impossible for Telsa to defend choosing to store your OAuth in plain text.
"By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials."
Here is some more Tech News from around the web:
- CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security @ The Register
- Amazon Makes Good On Its Promise To Delete 'Incentivized' Reviews @ Slashdot
- Tech giants warn IoT vendors to get real about security @ The Register
- 8 of the best outdoor gadgets and accessories @ The Inquirer