Search
Close this search box.
A wall painted in bright red displays a large white Tesla logo at the top center. Below it, the word "TESLA" is written in a stylized font. The shiny black edge of a car is visible in the bottom right corner of the image, evoking thoughts of innovation amidst rising cyberthreats.

A Tesla may be unlocked and stolen by a MiTM hacking strike.

Update: Changed title and content to understand that this is a Flipper Zero-style phishing attack that could be carried out on other devices.

Researchers demonstrated how to hack Tesla accounts, unlock cars, and start them using a Man-in-the-MiTM ( MiTM) phishing attack. The attack is compatible with the most recent versions of the Tesla game, version 4.30.6, and the latest versions of the Tesla software, version 11.1 2024.2.7.

Security experts Talal Haj Bakry and Tommy Mysk&nbsp created a new” Phone key” that could be used to gain access to the Tesla as part of this invasion.

Tesla, which claims that connecting a automobile to a new phone lacks proper authentication safety, is the subject of a report from the researchers to. The automaker, but, determined that the document was inappropriate.

The researchers used a Flipper Zero to carry out this hacking attack, but it could also be carried out using different hardware, such as a computer, a Raspberry Pi, or Android devices.

Phishing strike

A hacker at a Tesla compressor place could use an SSID known as” Tesla Guest,” which is prevalent in Tesla service locations and Tesla car owners are familiar with.

The WiFi system can be broadcast using a Raspberry Pi or different products with WiFi hotspot features, according to Mysk, who only recently used a Flipper Zero to do so.

A false Tesla registration page that asks users to log in using their Tesla accounts credentials is displayed once the target logs into the spoofed network. The intruder can see on the Dolphin Zero anything a prey enters on the spoofing page in real time.

The phishing process
The Mysk spoofing procedure

The hacking site asks for the Tesla account’s one-time password in order to enable the attacker to pass the two-factor authentication protection after receiving the account credentials after entering the account information.

Before the OTP expires, the perpetrator must use the stolen credentials to log into the Tesla software. The risk artist has the ability to track the location of the car in real-time once it has been captured in the account.

Adding a fresh code

The attacker can create a new” Phone Key” with access to the murderer’s Tesla bill. They may be a dozen feet away from the car in order for this to occur.

Phone Keys uses the car owner’s smartphone and Tesla’s mobile app to instantly unlock and lock the vehicle via a secure Mobile connection.

Tesla automobiles even employ Card Keys, which are small RFID cards that must be inserted into the core console’s RFID reader. Even though they are safer, Tesla uses them as a backup plan when the phone code is dead or in use.

According to Mysk, adding a fresh Phone Key via the software does not require the car’s smartphone or unlock, which creates a major security gap.

Adding a new Phone Key
Adding a fresh Mysk phone major

Even worse, once a fresh Phone Key is added, the Tesla user is not notified via the application or the car’s touchscreen when an alert is displayed.

The perpetrator can unlock the car and unlock all of its components with the fresh Phone Key, enabling them to leave as if they were the car’s owner.

embedded content ]

Mysk information that the Tesla Model 3 attack was successful. The scholar notes in the statement to the car manufacturer that the primary driver must already be connected to a Phone Key and that the stolen Tesla account must already be there.

The researchers contend that adding a bodily Tesla Card Key when adding a fresh Phone Key would increase safety by adding a level of authentication for the new phone.

Without the Tesla software requiring me to use a key cards to confirm the program on the new iPhone, I was able to put a second phone key. The game activated the smartphone key after I gave it access to the area services on the new iPhone using only my username and password, according to Tommy Mysk and&nbsp’s Talal Haj Bakry in a report to Tesla.

The company responded by stating that the investigation revealed the desired behavior and that the Tesla Model 3 manager’s guide does not require a key cards to include a phone essential.

We have never heard back from Tesla, but BleepingComputer has contacted them with questions regarding the above and whether they intend to release an OTA upgrade that introduces safety measures to stop these problems.

Lean More About DoD Cybersecurity, Cyber Threats and Related Contents

Learn why IDShield offers the best security and value.

www.sentrypc.com

PureVPN - Best VPN and Your Trusted Partner for Internet Freedom

🔥BIG SAVINGS 82% Off PureVPN.🔥 Secure Your Online Privacy Now. LIMITED OFFER!

🔥 SAVE 82% OFF 🔥 on PureVPN! Limited Offer – Enhance Your Digital Security Today.
Click To View Offer on PureVPN Website

NordVPN - Your Passport to Unrestricted Freedom

Embrace Digital Freedom and Security with NordVPN.
🔥Up To 63% Off🔥

Start Today Your Journey to a Safer Internet Today!
Click To View Offer on NordVPN Website

Protect Your Data with DeleteMe the Go-To-Solution

DeleteMe is Your Guardian Against Identity Theft and Online Exposure!
🔥Take 20% Off - Click Here to View Code🔥
Malwarebytes Browser Guard filters out annoying ads and scams while blocking trackers that spy on you.
Malwarebytes for Home | Anti-Malware Premium | Free Trial Download
Try Ultahost - The best place to get secure, inexpensive shared web hosting services!
View deals and specials on Used Macs, Mac hardware, Mac accessories, and more. Shop now!

DoD Cybersecurity protecting your digital world one secure step at a time with DoD Cybersecurity Blogs.
DoDCybersecurityblogs.com | All Rights Reserved | Designed by Omar Solomon

Skip to content