
© Reuters. Researchers use fake charging-station Wi-Fi to steal Teslas
Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. have revealed a surprising security flaw in Tesla (NASDAQ:) electric vehicles. The flaw literally allows hackers to steal cars by exploiting user error.
Using social engineering and relatively inexpensive hardware, the two researchers were able to remotely hack Mysk’s Tesla and create a digital key without directly interacting with or touching the car.
As reported by Gizmodo, Mysk tested the method multiple times on his own car using a newly reset iPhone that had never been paired with a car before. He said it worked every time.
So how did they do it?
The two hacker activists posted a YouTube video explaining their methodology, but were careful to stress that the method had been tested strictly for research purposes and that they do not condone car theft.
Simply put, Mysk and Bakry take advantage of the free Wi-Fi offered at most Tesla charging stations.
The service, dubbed “Tesla Guest” at each station, allows customers to log into the network with the Tesla account credentials linked to their car and access the Internet while waiting for the car to charge.
Mysk and Bakry use hacking tools to create a fake version of the “Tesla Guest” Wi-Fi network. This directs the victim to a website that is visually identical to the Wi-Fi login page Tesla normally uses.
Once the victim enters their details, the hacker can steal usernames, passwords, and two-factor authentication codes directly from the cloned site.
The hacker must then enter the stolen credentials and the two-factor code (a legitimate code generated by Tesla’s systems) before it expires.
From there, the hacker can create a digital key completely remotely. As long as the hacker is within a certain distance of the car, there is no need for a physical key, and the driver is completely unaware that a new digital key has been created.
The hacker can either steal the car on the spot or use Tesla’s app to track the victim to their home or workplace and take the car at will.
“This means owners could lose their Teslas if their emails and passwords are compromised. This is insane,” said Tommy Mysk.
“Phishing and social engineering attacks are so common today, especially with the rise of AI technology, that responsible businesses must factor such risks into their threat models.”
Mysk said that when he reported the issue to Tesla, the company responded that it had investigated and found the feature was working as intended.
Big tech companies rarely respond to requests for comment, and this was no exception.


