Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.
The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called “Tesla Guest,” the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla’s login page.
The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you’re logged into the Tesla app, you can set up a “phone key” which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.
You can see Mysk’s demonstration of the attack in the video below.
According to Mysk, Tesla doesn’t notify users when new keys are created, so the victim wouldn’t know they’ve been compromised. Mysk said the bad guys wouldn’t need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.
“This means with a leaked email and password, an owner could lose their Tesla vehicle.
[…]
Source: Want to Steal a Tesla? Try Using a Flipper Zero
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft