Re: You don't mention...
Regardless... what FUCKWIT thought that giving any phone full control of a near-$100,000 vehicle was a good idea?
Worse than that. Full control authorised by a remote third party, which is at Tesla central.
1. You do not own your 100K+ car. Elon does. He HOLDS the keys - he issues the auth tokens.
2. Consumer phones have had a crypto module and support for storing strong keys there since sometime around the Nokia N95, mid-90s. Business-specific stuff like the early XDA since earlier. It is possible to create a secure channel between a phone and another device, e.g. a car. Even over the internet. If you DO NOT INVOLVE A 3RD PARTY. This is the design flaw here. Elon's OAuth server is the odd man out. It does not belong. It may provide you with assistance on where your car is, what it reported ONE WAY about itself, etc. It should not be the entity which authenticates you. Ever. The authentication should be simultaneous with establishing the secure channel to the car and use something which is proven to be secure and not sniffable by anyone. It should also be done mutually: the phone must authenticate the car and the car must authenticate the phone. It is a trivial RSA exchange where Elon should not be included. By design.
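The design sketched in point 2, as an added example that is not part of the original post and not anything Tesla ships: each device holds its own long-term identity key, the two public keys are enrolled directly device-to-device at pairing time, and every session runs a signed ephemeral Diffie-Hellman exchange in which each side verifies the other before any session key exists. It uses only the Go standard library (crypto/ed25519 and crypto/ecdh, so Go 1.20 or later) and substitutes Ed25519 signatures plus X25519 for the "RSA exchange" the commenter mentions; the `Party`, `Hello` and `Auth` names, the transcript layout and the role labels are this example's own assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint (phone or car): its own long-term Ed25519 identity key plus
// the peer's public key, enrolled device-to-device at pairing. No server is involved.
type Party struct {
	Role     string // "phone" or "car"; bound into every signature
	identity ed25519.PrivateKey
	PeerRole string
	PeerPub  ed25519.PublicKey
}

// NewParty generates a fresh long-term identity key for a device.
func NewParty(role string) *Party {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to continue with
	}
	return &Party{Role: role, identity: priv}
}

// Pair is the local enrolment step: each side records the other's public key
// over a trusted local channel (say, inside the car with the key card present).
func Pair(a, b *Party) {
	a.PeerPub, a.PeerRole = b.identity.Public().(ed25519.PublicKey), b.Role
	b.PeerPub, b.PeerRole = a.identity.Public().(ed25519.PublicKey), a.Role
}

// Hello carries a fresh ephemeral X25519 public key; Auth carries the sender's
// long-term signature over the session transcript.
type Hello struct{ Ephemeral []byte }
type Auth struct{ Sig []byte }

// Start generates the per-session ephemeral key and the Hello to send.
func (p *Party) Start() (*ecdh.PrivateKey, Hello) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return eph, Hello{Ephemeral: eph.PublicKey().Bytes()}
}

// transcript is what gets signed: signer's role, then signer's and peer's ephemeral
// keys. The role blocks reflection; the fresh ephemerals block replay into a later session.
func transcript(signerRole string, signerEph, otherEph []byte) []byte {
	msg := append([]byte("phone-car-mutual-auth-v1|"+signerRole+"|"), signerEph...)
	return append(msg, otherEph...)
}

// Sign produces this side's Auth message once both Hellos are known.
func (p *Party) Sign(mine, peer Hello) Auth {
	return Auth{Sig: ed25519.Sign(p.identity, transcript(p.Role, mine.Ephemeral, peer.Ephemeral))}
}

// Finish verifies the peer's signature with the enrolled key and only then derives
// the session key, so authentication and channel setup succeed or fail together.
func (p *Party) Finish(eph *ecdh.PrivateKey, mine, peer Hello, peerAuth Auth) ([]byte, error) {
	if len(p.PeerPub) != ed25519.PublicKeySize || !ed25519.Verify(p.PeerPub, transcript(p.PeerRole, peer.Ephemeral, mine.Ephemeral), peerAuth.Sig) {
		return nil, errors.New(p.Role + ": peer not enrolled or signature invalid, aborting")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("session-key|"), shared...))
	return key[:], nil
}

// Handshake runs the whole exchange and returns both sides' derived keys (equal on
// success). In deployment the four messages cross the network; here they are handed over in-process.
func Handshake(a, b *Party) (aKey, bKey []byte, err error) {
	aEph, aHello := a.Start()
	bEph, bHello := b.Start()
	aAuth, bAuth := a.Sign(aHello, bHello), b.Sign(bHello, aHello)
	if aKey, err = a.Finish(aEph, aHello, bHello, bAuth); err != nil {
		return nil, nil, err
	}
	if bKey, err = b.Finish(bEph, bHello, aHello, aAuth); err != nil {
		return nil, nil, err
	}
	return aKey, bKey, nil
}

func main() {
	phone, car := NewParty("phone"), NewParty("car")
	Pair(phone, car)
	pk, ck, err := Handshake(phone, car)
	fmt.Println("paired phone accepted, keys match:", err == nil && string(pk) == string(ck))
}
```

The point the example makes concrete is that the car's trust anchor is the one public key it enrolled at pairing, nothing else: a phone that has never been paired is refused in `Finish` even if it knows the car's key, and because the session key is only derived after the signature check passes, there is no state in which a channel exists but the peer is unverified. The forward-looking caveat a practitioner would add is that this says nothing about revocation or lost phones; that needs a local re-pairing step, not a cloud token server.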