Trusting strangers with API tokens

Opening the frunk of a Tesla is a clumsy process. You have to either get inside the car and tap the screen, or open the iPhone app and tap the button there. There must be a better way.

I found a set of iOS Shortcuts on GitHub which does the job nicely. Now I can open the frunk using any of the many automation triggers built into iOS, including Siri, geo-fence, and NFC tags. Thanks to Dan Burkland, the Good Samaritan who came up with this. He even does a nice job explaining how to set it up for folks who aren’t familiar with Shortcuts.

There’s only one problem with this approach: The app sends your private Tesla API token through Dan’s server. According to the readme, the authentication token is never logged or recorded in any way, shape or form. This sounds good, but why should I trust a stranger on the internet? The consequences of this token getting into the wrong hands are pretty severe, allowing a bad actor to:

  • see the car’s GPS location
  • unlock the doors/trunk and steal my stuff
  • start the motor and drive away
  • perhaps more mischief I haven’t thought of

So I forked the repo and built a copy of this server in my own AWS account. Then I went a step further and built a CloudFormation template so that anyone else can easily replicate this, without having to be an expert at AWS. This took the better part of a day because CloudFormation syntax is complicated, but I had fun learning something new and I’m proud to share my latest infrastructure as code. Read the steps below if you want to run it yourself. The cost of these cloud resources is negligible, about $0.0000017 for each invocation.

How to deploy this infrastructure in your own environment:

  1. Create an AWS account or, if you already have one, make sure your IAM user has permission to create resources.
  2. Click this link to deploy the CloudFormation stack, which takes about 2 minutes.
  3. When that’s finished, click the Output tab and copy the LambdaURL shown. This is your own personal web server that your iOS Shortcuts will point to.
  4. Follow Dan’s original instructions to install the shortcuts.
  5. After running Create Tesla Token, you will have a file called ios_shortcuts/tesla/config.json in iCloud Drive. Edit this file to replace the URL with your own.
  6. All done!
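
One way to double-check step 5, as an added example that is not part of the original post or of Dan's project: the script walks every string in config.json and flags any URL that is not your own endpoint over HTTPS, since each of those is a place the token could still be sent. The key names, the sample config and both URLs are constructed placeholders; the real file's layout is not shown on this page, which is why the check scans all values rather than one named key.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: key names are hypothetical, not the real config.json layout.
OWN_URL = "https://my-own-endpoint.example.org/"  # stand-in for your LambdaURL output
SAMPLE_CONFIG = """{
  "token": "constructed-placeholder-token",
  "api_url": "https://third-party-proxy.example.com/",
  "vehicles": [{"name": "car", "wake_url": "http://my-own-endpoint.example.org/wake"}]
}"""

def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string anywhere in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_config(config_text, own_url):
    """Return (path, value, reason) for each URL that is not own_url's host over HTTPS."""
    own_host = urlsplit(own_url).hostname
    findings = []
    for path, value in iter_strings(json.loads(config_text)):
        try:
            parts = urlsplit(value.strip())
        except ValueError:
            findings.append((path, value, "unparseable URL"))
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # not a URL (a token, a name, ...)
        if parts.scheme != "https":
            findings.append((path, value, "not HTTPS: token would travel in cleartext"))
        elif parts.hostname != own_host:
            # hostname ignores any user@ prefix, so "own-host@other-host" is still caught
            findings.append((path, value, "host is not your deployed endpoint"))
    return findings

if __name__ == "__main__":
    for path, value, reason in audit_config(SAMPLE_CONFIG, OWN_URL):
        print(f"{path}: {value} -> {reason}")
```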

Footnotes:
– I’m using the term server to mean a collection of public-facing resources on the internet. Technically this code runs on Lambda which is serverless.
