Security Flaw Exposed: How Fake WiFi Networks Could Threaten Your Tesla
In an eye-opening revelation, security researchers have demonstrated a novel method by which hackers could potentially hijack Tesla vehicles. Leveraging the convenience of WiFi at charging stations, this new technique employs a blend of technology and social engineering to compromise Tesla owners’ security.
Tommy Mysk and Talal Haj Bakry of Mysk Inc. have spotlighted a vulnerability where fake Tesla WiFi networks are used as bait to pilfer login credentials from unsuspecting Tesla owners. The duo elaborated on their findings in a detailed YouTube presentation, illustrating the ease with which a Tesla can be targeted and potentially stolen.
The researchers utilized a device known as Flipper Zero, priced at a modest $169, to establish a counterfeit “Tesla Guest” WiFi network. Tesla owners, mistaking this network for the legitimate service provided at charging stations, could find themselves lured into a phishing trap. The fake login page, crafted with precision by Mysk and Bakry, captures the owner’s username, password, and even the two-factor authentication code.
Although the demonstration featured the Flipper Zero, Mysk highlighted that a range of wireless devices could serve the same purpose, from a Raspberry Pi to a simple smartphone. With the stolen credentials, the attackers gain access to the Tesla app, swiftly using the acquired information to set up a new phone key for the vehicle.
Tesla’s digital key feature, which allows the car to be unlocked and started with just a smartphone, becomes the Achilles’ heel in this scenario. The hackers, now in possession of the digital key, can either immediately abscond with the vehicle or opt to track and steal it at their leisure through the app.
Alarmingly, Tesla owners receive no notification of a new phone key being established, a fact that Mysk found contrary to the stipulations in the Tesla Model 3 owner’s manual. Mysk’s communications with Tesla yielded a dismissive response, with the company deeming the issue non-critical.
This investigation into Tesla’s security practices raises significant concerns, especially in an era where phishing and social engineering attacks are becoming increasingly sophisticated. Mysk advocates for mandatory physical key card authentication and prompt notifications to owners upon the creation of new phone keys as measures to mitigate such risks.
This incident is not Tesla’s first encounter with security vulnerabilities. Previous exploits have demonstrated the potential for remote hacks on Tesla vehicles, though those vulnerabilities were subsequently addressed. This ongoing saga underscores the importance of robust security measures in the face of evolving digital threats.