Using a Flipper Zero device, a simple phishing attack can compromise Tesla accounts, unlock vehicles, and start them. The attack works against the most recent version of the Tesla app, 4.30.6, and the latest Tesla software, version 11.1 2024.2.7.
Security researchers Talal Haj Bakry and Tommy Mysk reported to Tesla that connecting a car to a new phone lacks proper authentication security. The automaker determined that the report was out of scope.
Phishing attack
An attacker at a Tesla Supercharger station can set up a WiFi network named “Tesla Guest,” an SSID that is frequently found at Tesla service centers and is widely used by automakers.
The WiFi network can be broadcast using a Raspberry Pi or other devices with WiFi hotspot capabilities, according to Mysk, who recently used a Flipper Zero to do so.
Once the victim connects to the spoofed network, a fake Tesla login page asks them to log in with their Tesla account credentials. Anything the victim enters on the phishing page is visible to the attacker on the Flipper Zero in real time.
After the victim enters the account credentials, the phishing page asks for the Tesla account’s one-time password (OTP), which lets the attacker bypass the two-factor authentication protection.
The attacker must log in to the Tesla app with the stolen credentials before the OTP expires. Once in the account, the threat actor can track the location of the car in real time.
Adding a new key
With access to the victim’s Tesla account, the attacker can add a new “Phone Key.” To do this, they must be within a few meters of the car.
Phone Keys use Tesla’s mobile app on the car owner’s smartphone to lock and unlock the vehicle automatically over a secure Bluetooth connection.
Tesla vehicles also use Card Keys, small RFID cards that must be inserted into the center console’s RFID reader. Although they are more secure, Tesla treats them as a backup option for when the Phone Key is dead or in use.
According to Mysk, adding a new Phone Key via the app does not require the car to be unlocked or the smartphone to be inside the vehicle, which creates a significant security gap.
Even worse, once a new Phone Key is added, the Tesla owner is not notified via the app, and no alert is displayed on the car’s touchscreen.
With the new Phone Key, the attacker can unlock the car and activate all of its systems, enabling them to drive away as if they were the car’s owner.
Mysk notes that the attack was successful on a Tesla Model 3. In the report to the car manufacturer, the researcher notes that the stolen Tesla account must belong to the main driver and that the vehicle must already be linked to a Phone Key.
The researchers contend that requiring a physical Tesla Card Key when adding a new Phone Key would increase security by adding a layer of authentication for the new phone.
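The gap described above and the researchers' proposed fix, modelled as an added example (not Tesla's code or the researchers'). The `Vehicle` class, the function names, and the HMAC challenge-response standing in for a Card Key tap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Vehicle:
    card_secret: bytes                          # assumption: stand-in for the Card Key credential
    phone_keys: set = field(default_factory=set)
    owner_alerts: list = field(default_factory=list)
    pending: set = field(default_factory=set)   # issued, still unused challenges

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

def card_tap(card_secret: bytes, challenge: bytes) -> bytes:
    """Answer a card held at the reader would give (modelled here as an HMAC)."""
    return hmac.new(card_secret, challenge, hashlib.sha256).digest()

def enroll_reported(car: Vehicle, account_ok: bool, device: str) -> bool:
    """Reported behaviour: a valid account session alone activates the key, silently."""
    if account_ok:
        car.phone_keys.add(device)
    return account_ok

def enroll_hardened(car, account_ok, device, challenge=None, response=None) -> bool:
    """Proposed behaviour: account session AND a fresh Card Key proof; owner is alerted."""
    fresh = challenge in car.pending
    car.pending.discard(challenge)              # each challenge is good for one attempt
    proof_ok = (fresh and response is not None and hmac.compare_digest(
        card_tap(car.card_secret, challenge), response))
    if not (account_ok and proof_ok):
        car.owner_alerts.append(f"blocked phone key request from {device}")
        return False
    car.phone_keys.add(device)
    car.owner_alerts.append(f"phone key added for {device}")
    return True

def demo():
    secret = secrets.token_bytes(32)            # constructed sample credential
    car, car2 = Vehicle(secret), Vehicle(secret)
    silent = enroll_reported(car, True, "unknown-phone")     # account login only
    blocked = enroll_hardened(car2, True, "unknown-phone")   # no card present
    ch = car2.new_challenge()
    owner = enroll_hardened(car2, True, "owner-phone", ch, card_tap(secret, ch))
    replay = enroll_hardened(car2, True, "unknown-phone", ch, card_tap(secret, ch))
    return silent, len(car.owner_alerts), blocked, owner, replay, car2.owner_alerts
```

In the model, the reported flow enrolls a device with zero owner alerts, while the hardened flow rejects both a request without the card and a reused card response, and records every attempt for the owner.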
“Without the Tesla app requiring me to use a key card to authenticate the session on the new iPhone, I was able to add a second phone key. The app activated the phone key after I gave it access to the location services on the new iPhone using only my username and password,” Tommy Mysk and Talal Haj Bakry wrote in a report to Tesla.
The company responded that its investigation determined this to be the intended behavior and that the Tesla Model 3 owner’s manual does not require a key card to add a phone key.
BleepingComputer has contacted Tesla with questions regarding the above and whether they intend to release an OTA update that introduces security measures to stop these attacks, but we have not heard back.