Security researchers discovered a potential phishing vulnerability in Tesla’s login system. If exploited, this vulnerability could allow attackers to steal a car. Tommy Mysk and Talal Haj Bakry of Mysk Inc. highlighted the issue by demonstrating how a malicious actor could use a readily available tool, the Flipper Zero, to intercept a Tesla owner’s login credentials.
This could then be used to access the Tesla app and potentially steal the vehicle. The researchers emphasized the importance of remaining vigilant against phishing attempts and not entering login information on untrusted networks.
How does the attack happen?
This attack doesn’t involve directly hacking Tesla’s software. Instead, it exploits a social engineering technique. Attackers trick the user into revealing their login information. The researchers achieved this by setting up a fake Wi-Fi network named “Tesla Guest,” which mimics the legitimate guest network offered by Tesla service centers.
They then created a website that closely resembled Tesla’s official login page. By connecting to this fake network and entering their credentials on the lookalike website, unsuspecting users unknowingly hand over their login details to the attacker.
The attack exploits a user’s trust in familiar names. Hackers could set up a fake “Tesla Guest” Wi-Fi network near a charging station, mimicking the legitimate network offered by Tesla service centers. If a Tesla owner connects and tries to access the internet, they might be directed to a fake login page that resembles Tesla’s official one.
Here, the attacker could steal the victim’s login credentials, including any two-factor authentication codes entered. With this information, the attacker could access the real Tesla app and potentially create a digital “phone key.” This key would allow them to unlock and control the car through Bluetooth on their smartphone.
