A simple phishing attack using a Flipper Zero device can compromise your Tesla account, unlock your car, and start it. This attack works on the latest Tesla app version 4.30.6 and Tesla software version 11.1 2024.2.7.
Security researchers Talal Haj Bakry and Tommy Mysk reported to Tesla their finding that the process of linking a car to a new phone lacked adequate authentication security. The automaker determined that the report was not applicable.
Phishing attack
Attackers at Tesla Supercharger stations could deploy a WiFi network called “Tesla Guest.” This SSID is commonly found at Tesla service centers and is well known to car owners.
Mysk used a Flipper Zero to broadcast a WiFi network, but says the same thing can be accomplished using a Raspberry Pi or other devices with WiFi hotspot capabilities.
Once victims connect to the spoofed network, they are presented with a fake Tesla login page that asks them to log in using their Tesla account credentials. Whatever the victim types on the phishing page, the attacker can see in real time on the Flipper Zero.
After entering Tesla account credentials, the phishing page asks for a one-time password for the account, allowing the attacker to bypass two-factor authentication protection.
The attacker must act before the OTP expires and use the stolen credentials to log into the Tesla app. Once the account is compromised, the threat actor can track the vehicle’s location in real time.
Adding a new key
Once they have access to the victim’s Tesla account, the attacker can add a new “phone key.” For this, they need to be very close to the car, just a few meters away.
Phone keys use Tesla’s mobile app in conjunction with the car owner’s smartphone to lock and unlock the vehicle automatically over a secure Bluetooth connection.
Tesla cars also support key cards, slim RFID cards that must be placed in the RFID reader in the center console to start the vehicle. Although key cards are more secure, Tesla treats them as a backup option in case the phone key is unavailable or the phone's battery dies.
Mysk says adding a new phone key through the app doesn’t require the car to be unlocked or the smartphone to be inside the vehicle, which creates a major security gap.
Even worse, when a new phone key is added, Tesla owners receive no notification of that fact through the app, nor do they see any warnings on the car’s touchscreen.
With the new phone key, the attacker can unlock the car, activate all systems, and drive away as if they were the owner.
Mysk notes that this attack was successful on a Tesla Model 3. In the report to the car company, the researchers say the hijacked Tesla account must belong to the primary driver and the vehicle must already be linked to a phone key.
The researchers argue that requiring a physical Tesla key card when adding a new phone key would improve security by adding a layer of authentication for the new phone.
“I was able to add a second phone key to my new iPhone without the Tesla app prompting me to use my key card to authenticate the session on my new iPhone. I used a username and password for my new iPhone. The phone key was activated as soon as I gave the app access to location services,” Tommy Mysk and Talal Haj Bakry wrote in a report to Tesla.
The company responded that an investigation determined this was intended behavior and that the Tesla Model 3 owner’s manual does not state that a keycard is required to add a phone key.
BleepingComputer reached out to Tesla with questions about the above and whether it plans to issue an OTA update that introduces security measures to prevent these attacks, but has not yet heard back.
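The two gaps the researchers describe (no key card needed to add a phone key, and no notification to the owner) can be modelled side by side. The following is an added example, not code from the article, the researchers or Tesla; the `Vehicle` class, its method names and the HMAC challenge-response standing in for a key card tap are hypothetical simplifications.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    """Toy model of a car's key store. All names here are hypothetical."""
    card_secret: bytes                       # stand-in for the key card credential
    phone_keys: set = field(default_factory=set)
    owner_alerts: list = field(default_factory=list)
    _nonce: bytes = b""

    def new_challenge(self) -> bytes:
        """Fresh single-use nonce the key card must answer at the reader."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def enroll_as_reported(self, account_ok: bool, in_range: bool, phone: str) -> bool:
        """Behaviour described in the article: account login plus proximity suffice."""
        if account_ok and in_range:
            self.phone_keys.add(phone)       # no card tap, no owner notification
            return True
        return False

    def enroll_hardened(self, account_ok: bool, in_range: bool, phone: str,
                        card_response: bytes = b"") -> bool:
        """Proposed policy: also require a card tap, and always alert the owner."""
        nonce, self._nonce = self._nonce, b""    # consume nonce to block replay
        expected = card_tap(self.card_secret, nonce, phone)
        card_ok = bool(nonce) and hmac.compare_digest(expected, card_response)
        allowed = account_ok and in_range and card_ok
        if allowed:
            self.phone_keys.add(phone)
        outcome = "added" if allowed else "rejected"
        self.owner_alerts.append(f"phone key enrollment for {phone}: {outcome}")
        return allowed


def card_tap(card_secret: bytes, nonce: bytes, phone: str) -> bytes:
    """What the physical card would compute when placed on the reader."""
    return hmac.new(card_secret, nonce + phone.encode(), hashlib.sha256).digest()
```

Binding the card response to both a fresh nonce and the phone identifier means a valid account session alone cannot enroll a key, and every attempt, successful or not, leaves an alert the owner can see.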


