Teslas vulnerable to Flipper Zero hack – here’s how to protect yourself


While unlocking vehicles with smartphone apps rather than physical keys offers significant convenience, it also substantially expands the attack surface.

Security researchers have discovered a method that uses a $169 Flipper Zero device to deceive Tesla owners into relinquishing control of their cars to a malicious third party, enabling the vehicle to be unlocked and even driven away.


Researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc have devised a method for fooling a Tesla owner into handing over their vehicle’s login credentials: An attacker would use the Flipper Zero and a Wi-Fi development board to broadcast a fake Tesla guest Wi-Fi network login page — “Tesla Guest” is the name given to Wi-Fi networks at service centers — and then use those credentials to log into the owner’s account and create new virtual “keys” to the car. 

Everything that the owner enters into the fake login page — username, password, and two-factor authentication code — is captured and displayed on the Flipper Zero.


This attack also bypasses two-factor authentication because the fake Tesla guest Wi-Fi login page requests the two-factor authentication code, which the attacker then uses to access the account. The attacker has to work fast, though: they must request the code and then use it quickly to access the account.

Will the physical keycard that Tesla supplied you protect you from this attack? According to the user manual, it should, because this “key card is used to ‘authenticate’ phone keys to work with Model 3 and to add or remove other keys.” But, according to Mysk, this is not the case.


Mysk said it approached Tesla for comment on this vulnerability and was told that the company had “investigated and determined that this is the intended behavior,” which is worrying.

Mysk recommends that Tesla make it mandatory to use the key card to create new keys in the app, and that owners be notified when new keys are created.

While Mysk and Bakry are using a Flipper Zero here, there are plenty of other tools that could be used to carry out this attack, such as a Wi-Fi Pineapple or Wi-Fi Nugget. 

ZDNET has asked Tesla for comment, and we’ll update this article with their response.


How do you protect yourself from this type of attack? First, don’t panic. This attack is unlikely to be widespread: The attacker would need to be close to your vehicle and carry out the login to your Tesla account in real time.

Second, note that you do not need to enter your two-factor authentication code to be able to connect to Tesla’s guest Wi-Fi network. If in doubt, avoid free Wi-Fi.
