One interesting feature of Tesla (TSLA) vehicles is the ability to use a smartphone as a key to unlock, lock and even start the vehicle.
While it might seem convenient to use such a feature, a pair of cybersecurity researchers took to YouTube to share a very concerning flaw they found that could possibly result in precious cars being stolen.
Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. discovered a way for car thieves to potentially steal Teslas in a matter of minutes without breaking any glass, wiring anything, and without the owner even knowing their car was stolen.
Mysk and Bakry found that a simple phishing attack (a social engineering attack that tricks users into handing over sensitive information) was all it took to seize a car.
Mysk's team demonstrated their method in a video on YouTube.
In the demonstration, the researchers used a digital multi-tool called Flipper Zero to set up a captive Wi-Fi network called “Tesla Guest,” the same name Tesla uses at its service centers. They also set up a fake web page that looks like Tesla's login page.
With these tools, a theoretical attack would unfold like this:
A potential thief would stake out a location that Tesla drivers tend to frequent, such as a Tesla Supercharger. The ultimate goal is to steal critical credentials from a Tesla account.
In the scenario they demonstrated, a driver of a Tesla Model 3 stops in front of a Supercharger. They plug in, but they'll have to wait a while for their car to charge, and during that time they'll end up getting bored.
Seeing that “Tesla” has free Wi-Fi, the driver connects to it on his phone and is instantly greeted with a login page that looks like the one in the app. Once the driver enters his username and password, the real problem begins.
On the other side of that fake website is the thief, or “hacker” in this scenario. They have just stolen the Model 3 driver's login information and will attempt to log into the Tesla app on their own phone using it. Immediately, the Model 3 driver receives a two-factor authentication code as an in-app notification, which he enters into the fake website, giving the hacker full access to his account.
Once the thief or “hacker” logs in, they have the ability to clone a “phone key”, allowing them to unlock, lock and control the car as they wish. In the demonstration, they were able to start the car using this method.
The Tesla app allows owners to track where their cars are and operate certain functions remotely. This also means that would-be thieves who have stolen login information can stalk their victims and steal vehicles when it is most convenient for them.
Tesla provides two physical access cards with the purchase of a car, which are used to activate phone keys and physical key fobs that can be purchased from Tesla. In the video, Mysk points out that the key card is necessary to remove a key's access to the car and that the owner receives a notification once a key is removed. Additionally, Mysk mentioned that a key card is needed to pair a phone key with a car when someone is physically too far from the car.
Mysk reported the vulnerabilities to Tesla, which responded that it “investigated the manner and determined that (the demonstrated phone key activation) is the intended behavior.”
Mysk recommended at the end of the video that Tesla should make keycard activation mandatory when adding another phone key and that Tesla should notify owners when new keys are created.
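The two recommendations, modeled as a phone-key enrollment policy next to the behavior the article describes (account login alone is enough and the owner is not told). This is an added example, not Tesla's or the researchers' code; every class, function and field name in it is hypothetical, and the requests are constructed samples.

```python
from dataclasses import dataclass, field

class EnrollmentDenied(Exception):
    """Raised when a phone-key request fails the policy."""

@dataclass
class Vehicle:  # hypothetical model of one car's key state
    phone_keys: set = field(default_factory=set)
    owner_notices: list = field(default_factory=list)  # stand-in for push/e-mail

@dataclass
class KeyRequest:  # hypothetical request to add a phone key
    device_id: str
    account_login_ok: bool   # password + 2FA code accepted (phishable)
    keycard_tapped: bool     # physical key card presented in the car

def enroll_phone_key(car, req, require_keycard=True, notify_owner=True):
    """Add a phone key; the defaults are the two recommended controls."""
    if not req.account_login_ok:
        raise EnrollmentDenied("account login failed")
    if require_keycard and not req.keycard_tapped:
        raise EnrollmentDenied("key card tap required to add a phone key")
    car.phone_keys.add(req.device_id)
    if notify_owner:
        car.owner_notices.append(f"New phone key added: {req.device_id}")

def compare_policies():
    """Run constructed requests through both policies and return the cars."""
    # Constructed sample: credentials and 2FA code were phished, no key card.
    phished = KeyRequest("unknown-phone", account_login_ok=True, keycard_tapped=False)
    owner = KeyRequest("owner-new-phone", account_login_ok=True, keycard_tapped=True)

    described = Vehicle()    # behaviour as described in the article
    enroll_phone_key(described, phished, require_keycard=False, notify_owner=False)

    recommended = Vehicle()  # Mysk's two recommendations applied
    denied = False
    try:
        enroll_phone_key(recommended, phished)
    except EnrollmentDenied:
        denied = True
    enroll_phone_key(recommended, owner)
    return described, recommended, denied

if __name__ == "__main__":
    d, r, denied = compare_policies()
    print("described:", d.phone_keys, d.owner_notices)
    print("recommended:", r.phone_keys, r.owner_notices, "phished denied:", denied)
```

Under the recommended policy, a relayed password and 2FA code no longer suffice because the key card is a possession factor the phishing page cannot collect, and any key that is added leaves a notice for the owner.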