Researchers Demonstrate Man-in-the-Middle Phishing Attack on Tesla Accounts, Unlocking and Starting Cars
In a shocking demonstration of cyber vulnerability, security researchers have successfully conducted a Man-in-the-Middle (MiTM) phishing attack on Tesla accounts, allowing them to unlock and start the cars. This attack specifically targets the latest Tesla app version 4.30.6 and Tesla software version 11.1 2024.2.7, highlighting a significant security flaw in the system.
The researchers, Talal Haj Bakry and Tommy Mysk, discovered that by registering a new ‘Phone key,’ they could gain unauthorized access to Tesla vehicles. They promptly reported their findings to Tesla, emphasizing the lack of proper authentication security when linking a car to a new phone. However, to their surprise, Tesla dismissed the report as being out of scope.
The phishing attack itself involves the deployment of a fake WiFi network called “Tesla Guest” at a Tesla supercharger station. This network appears legitimate to unsuspecting car owners who are familiar with the “Tesla Guest” SSID commonly found at service centers. The researchers used a device called Flipper Zero to broadcast the network, but they note that other devices such as a Raspberry Pi or Android phones can achieve the same result.
Once a victim connects to the spoofed network, they are directed to a fake Tesla login page that prompts them to enter their Tesla account credentials. Unbeknownst to the victim, the attacker can see everything they enter in real time using the Flipper Zero device. After obtaining the login credentials, the attacker then requests the one-time password (OTP) for the account to bypass the two-factor authentication protection.
To successfully execute the attack, the attacker must act swiftly before the OTP expires. They log into the Tesla app using the stolen credentials and gain access to the victim’s account. From there, they can track the vehicle’s location in real time, posing a significant threat to the owner’s security and privacy.
The most alarming aspect of this attack is the ability for the attacker to add a new ‘Phone Key’ to the victim’s Tesla account. This key allows the attacker to lock and unlock the vehicle automatically through Tesla’s mobile app, in the same way the car owner’s smartphone does. The researchers discovered that adding a new Phone Key does not require the car to be unlocked or the smartphone to be inside the vehicle, creating a major security gap.
Furthermore, once a new Phone Key is added, neither the Tesla owner nor the app receives any notification or alert. This means that the attacker can unlock the car, activate all its systems, and drive away without raising any suspicion.
Tommy Mysk highlights that this attack specifically targets Tesla Model 3 vehicles. In their report to Tesla, the researchers emphasize that the hijacked Tesla account must belong to the main driver, and the vehicle must already be linked to a Phone Key. They suggest that requiring a physical Tesla Card Key when adding a new Phone Key would significantly enhance security by adding an additional authentication layer.
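The authorization gap the researchers describe, and the hardening they propose, can be modelled in a few lines. The following is an added illustration, not Tesla’s code: the vehicle, session and key objects, and the “card key proof” check, are hypothetical. The weak function reflects the behaviour reported above (a logged-in session on the main driver’s account is enough to add a Phone Key, and nobody is told); the hardened function requires that a Card Key already issued for that vehicle be presented, and records an owner alert on every enrollment attempt.

```python
"""Toy model of Phone Key enrollment: the reported behaviour vs. a hardened
variant that demands a physical Card Key and notifies the owner.

Added example; the data model and the card-key check are assumptions,
not Tesla's implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Vehicle:
    vin: str
    main_driver: str                                  # account that owns the car
    phone_keys: List[str] = field(default_factory=list)
    card_keys: Set[str] = field(default_factory=set)  # ids of issued Card Keys (assumed)
    alerts: List[str] = field(default_factory=list)   # notifications sent to the owner


@dataclass
class Session:
    account: str    # account the app is logged into; may be a phished account
    device_id: str  # phone that holds the session


def enroll_phone_key_weak(vehicle: Vehicle, session: Session) -> bool:
    """Reported behaviour: being logged into the main driver's account is
    sufficient. No Card Key, no unlocked car, no notification."""
    if session.account != vehicle.main_driver:
        return False
    vehicle.phone_keys.append(session.device_id)
    return True


def enroll_phone_key_hardened(vehicle: Vehicle, session: Session,
                              card_key_id: Optional[str]) -> bool:
    """Hardened variant: the enrolling phone must also prove possession of a
    Card Key issued for this vehicle, and the owner is alerted either way."""
    if session.account != vehicle.main_driver:
        vehicle.alerts.append(
            f"rejected Phone Key enrollment from {session.device_id}: wrong account")
        return False
    if card_key_id is None or card_key_id not in vehicle.card_keys:
        vehicle.alerts.append(
            f"rejected Phone Key enrollment from {session.device_id}: no valid Card Key")
        return False
    vehicle.phone_keys.append(session.device_id)
    vehicle.alerts.append(f"new Phone Key added from {session.device_id}")
    return True


def demo() -> dict:
    """Run both variants against a constructed vehicle and a session obtained
    from a phished account; returns the outcomes for inspection."""
    # Constructed sample data: the VIN and account are placeholders.
    phished = Session(account="owner@example.com", device_id="unknown-phone")

    weak = Vehicle("VIN-PLACEHOLDER", "owner@example.com", card_keys={"card-1"})
    weak_added = enroll_phone_key_weak(weak, phished)

    hard = Vehicle("VIN-PLACEHOLDER", "owner@example.com", card_keys={"card-1"})
    hard_added_no_card = enroll_phone_key_hardened(hard, phished, None)
    hard_added_with_card = enroll_phone_key_hardened(hard, phished, "card-1")

    return {
        "weak_added": weak_added,
        "weak_alerts": list(weak.alerts),
        "hard_added_no_card": hard_added_no_card,
        "hard_added_with_card": hard_added_with_card,
        "hard_alerts": list(hard.alerts),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the second factor, not the data structures: a phished password and relayed OTP give the attacker a valid session, so any enrollment check that only inspects the session is satisfied. Tying enrollment to a physical token the owner holds, and alerting the owner on every attempt, closes both gaps named in the report (silent enrollment and enrollment without proximity).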
In response to the researchers’ findings, Tesla claimed that this behavior was intended and that their Model 3 owner’s manual does not state that a key card is necessary to add a phone key. However, it remains unclear whether Tesla plans to address these security concerns with an over-the-air (OTA) update.
BleepingComputer has reached out to Tesla for further clarification on these issues and whether they intend to implement security measures to prevent such attacks. As of now, no response has been received.
This demonstration serves as a stark reminder of the importance of robust cybersecurity measures in an increasingly connected world. As technology advances, it is crucial for companies like Tesla to prioritize the protection of their customers’ personal information and ensure the security of their vehicles.