Security researchers Talal Haj Bakry and Tommy Mysk have published a video demonstrating how to unlock and start a Tesla by setting up an official-looking Wi-Fi network at charging stations.
The test attack involved using stolen credentials to create a new phone key — a way of unlocking a Tesla vehicle with your cellphone.
However, the task proved far too easy as it lacked proper authentication, the duo, who call their company Mysk Inc., reported.
Mysk used a Model 3 Tesla with Tesla software version 11.1 2024.2.7 and the latest version of the Tesla app, version 4.30.6, in their demonstration.
Tesla dismissed the issue, saying it was out of the scope of their Bug Bounty Program when reported by the researchers.
The phishing attack
The attack involved a captive Wi-Fi network deployed at a Tesla charging station, which imitated “Tesla Guest”, an SSID typically found at a Tesla Supercharger.
Mysk used a Flipper Zero to broadcast the Wi-Fi network. However, the team said an attacker could also use a Rasberry Pi or Android phone.
Once the victim had connected to the captive network, a fake login screen asked for their Tesla login credentials.
These included their username, password, and two-factor one-time PIN used to sign into the app and track the car.
Once logged in, the attacker activated the Phone Key to unlock the car, which had to be done within a few metres of the vehicle.
The car could then be started and stolen.
This lack of authentication brings about a significant risk, according to Mysk, as no notification appears on the user’s phone or the vehicle’s touchscreen when a device is added.
A key card is required for authentication to remove other phone keys, which the duo argues should be the same process for adding a phone key.
When reporting this risk to Tesla, the manufacturer provided the following response:
“Thanks for the report. We have investigated and determined that this is the intended behaviour. The “Phone Key” section of the owner’s manual pager you linked to makes no mention of a key card being required to add a phone key.”
Loading ...
Join the conversation Autoload comments
Comments section policy: MyBroadband has a new article comments policy which aims to encourage constructive discussions. To get your comments published, make sure it is civil and adds value to the discussion.