This article originally appeared on Business Insider.
If you own a Tesla, you may want to be extra careful when logging into your Tesla charging station’s WiFi network.
Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. released a YouTube video Thursday showing how hackers can easily steal your car using clever social engineering tricks.
Here’s how it works:
According to Mysk’s video, many of Tesla’s more than 50,000 charging stations around the world offer a WiFi network, commonly called “Tesla Guest,” that Tesla owners can log into and use while waiting for their car to charge.
Researchers created their own “Tesla Guest” WiFi network using a device called Flipper Zero, a simple $169 hacking tool. When the victim attempts to access the network, she is directed to a fake Tesla login page created by the hacker, who then steals her username, password, and two-factor authentication code directly from the cloned site.
Although Mysk used Flipper Zero to set up his own WiFi network, this step of the process can also be done on almost any wireless device, including a Raspberry Pi, laptop, or cell phone, Mysk said in the video.
Once a hacker steals an owner’s Tesla account credentials, they can use them to log into the real Tesla app, but they need to log in quickly before the 2FA code expires, Mysk explained in the video.
One of the unique features of Tesla cars is that owners can use their mobile phone as a digital key to unlock the car without the need for a physical key card.
After logging into the app using the owner’s credentials, the researchers set up a new phone key a few feet away from the parked car.
The hacker doesn’t even have to steal the car on the spot. They can track the Tesla’s location from the app and go steal it later.
Mysk said unsuspecting Tesla owners won’t even be notified when a new phone key is set up. The Tesla Model 3’s instruction manual also states that a physical card is required to set up a new phone key, but according to the video, Mysk found that this was not the case.
“This means owners could lose their Teslas if their emails and passwords are compromised. This is insane,” Tommy Mysk told Gizmodo. “Today, phishing and social engineering attacks are so common, especially with the rise of AI technology, that responsible companies must factor such risks into their threat models.”
Mysk said in the video that he reported the issue to Tesla, which responded that it had investigated and determined it was not an issue.
Tesla did not respond to Business Insider’s request for comment.
Tommy Mysk tested the method multiple times on his own car, even using a reset iPhone that he had never paired with his car, Gizmodo reported. Mysk claimed it worked every time.
Mysk said (and we agree) that the experiment was for research purposes only and that no one should steal cars.
Mysk said at the end of the video that the problem could be resolved if Tesla required physical key card authentication and notified owners when a new phone key was created.
This isn’t the first time savvy researchers have discovered a relatively easy way to hack into Teslas.
In 2022, a 19-year-old boy announced that he had hacked 25 Teslas around the world (although that particular vulnerability has since been fixed). Later that year, a security firm discovered another way to hack into Teslas from hundreds of miles away.