Security Flaw in Tesla Vehicles Exposed by Researchers Using Inexpensive Devices

A significant security vulnerability in Tesla vehicles has been uncovered by cybersecurity experts, demonstrating how easily electric vehicles (EVs) can be compromised using affordable and readily available technology. Tommy Mysk and Talal Haj Bakry, cybersecurity researchers at tech firm Mysk, managed to access a Tesla Model 3 by exploiting the vehicle’s digital key system, despite the account’s protection by two-factor authentication (2FA).

The hack was executed using a $169 Flipper Zero device, a versatile tool for security researchers that emulates various signals, and a Wi-Fi development board. These devices enabled the researchers to create a counterfeit Tesla login page and deceive a car owner into divulging their credentials. This breach was detailed in a presentation shared on March 7, highlighting the ease with which attackers could gain control over a Tesla.

The exploitation process involved setting up a spurious Wi-Fi network mimicking those found at Tesla service centers, enticing Tesla owners to connect. Upon connection, victims were presented with a fake Tesla login screen. Once login details were entered, attackers could access the Tesla account, enabling them to locate and take control of the vehicle remotely through the Tesla app.

This method of attack, which could be particularly effective in locations frequented by Tesla owners, such as SuperCharger stations, underscores the potential risks associated with digital key technology. The researchers demonstrated that upon acquiring the victim’s credentials, they could unlock the vehicle, start it, and drive away without triggering any alerts on the car’s built-in systems or the owner’s app.

Interestingly, the research also highlighted a discrepancy in the security measures for adding and removing digital keys. While Tesla’s owner’s manual indicates that a physical key card is required for both adding and removing digital keys, the researchers found that this was only true for removal. Tesla Product Security has acknowledged this finding but described it as “intended behavior.”

The incident has sparked a debate on the safety of EVs and the need for stronger security measures to protect against social engineering and phishing attacks. Experts suggest that requiring key card authentication for adding digital keys and notifying owners of new keys added to their accounts could enhance security. The accessibility of devices like the Flipper Zero, while useful for legitimate research, also presents a new vector for malicious activities, emphasizing the need for heightened awareness and protective measures against potential cybersecurity threats.