Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner's login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.
The issue isn't "hacking" in the sense of breaking into software, it's a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called "Tesla Guest," the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla's login page.
The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you're logged into the Tesla app, you can set up a "phone key" which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.
You can see Mysk's demonstration of the attack in the video below.
According to Mysk, Tesla doesn't notify users when new keys are created, so the victim wouldn't know they've been compromised. Mysk said the bad guys wouldn't need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car's location using the app, and then waltz up at an opportune moment and drive away.
"This means with a leaked email and password, an owner could lose their Tesla vehicle. This is insane," Tommy Mysk said. "Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must factor in such risks in their threat models."
When you buy a Tesla, the company provides you with a physical keycard for the car. The Tesla Model 3 owner's manual says "The key card is used to 'authenticate' phone keys to work with Model 3 and to add or remove other keys." However, when Mysk tried this exploit, it seemed that wasn't true.
🎬 With the rise of social engineering and phishing attacks thanks to #AI, Tesla fails to recognize them as a threat. We created a short demo showing the limits of what an attacker can do with the stolen credentials of a Tesla account.
SPOILER ALERT: No limits
Tesla says it's… pic.twitter.com/CTzOjvpjke
— Mysk 🇨🇦🇩🇪 (@mysk_co) March 7, 2024
According to Mysk, he tested the vulnerability multiple times with his own Tesla. Mysk said he used a freshly reset iPhone that had never been paired with his car before, and he made sure there was no link between that phone and his real identity through the Apple ID or IP address. Mysk said he was able to create a phone key multiple times without access to the Tesla's physical key card.
Mysk said he contacted Tesla through its vulnerability reporting program, but the company responded that this isn't a real problem. He shared a copy of the exchange with Gizmodo. "We have investigated and determined that this is the intended behavior," Tesla said in the email. "The 'Phone Key' section of the owner's manual page you linked to makes no mention of a key card being required to add a phone key."
Tesla, which typically ignores questions from the media, did not immediately respond to a request for comment.
"Tesla Product Security team's confirmation that this is the 'intended behavior' is preposterous," Mysk said. "The design to pair a phone key is clearly made super easy at the expense of security."
According to Mysk, it seems the physical key card is only necessary to "authenticate" the phone key as a fail-safe mechanism. In Mysk's tests, he was able to set up the phone key when he was standing near or sitting in the car. If the car was too far away, the setup process would fail, and the app asked for the physical key card. But as long as he was close by, Mysk said he was able to add a new phone key without the key card.
"With Tesla's current design, if an attacker has the victim's username and password, they can drive away with the victim's vehicle," Mysk said. "If a victim is tricked to expose their credentials, they shouldn't lose it all. They shouldn't lose their car."
The Flipper Zero is a controversial device that's designed for hobbyists, hackers, and people who want to stop them. It's like a digital Swiss army knife, with a variety of wireless connectivity features that let you play with (and break into) other devices. Recently, the Flipper's co-founder told Gizmodo the whole point of the device is to expose big tech's shoddy security practices. However, it's worth noting that there are a wide variety of other inexpensive devices that would let you exploit this Tesla vulnerability in the exact same way.
It wouldn't be hard for Tesla to solve this problem. Mysk said the company should make key card authentication mandatory before you add phone keys, and Tesla should notify users when new keys are created. But without action from the company, Tesla owners may be sitting ducks.
Sometimes a sleek, fancy computer interface carries an illusion of safety, but more often than not, the extra layers of complexity make us more vulnerable. 20 years ago, car thieves basically had two choices: get a hold of the driver's key chain, or hot wire the vehicle. But when your car key is a bunch of ones and zeros, things can get messy.