Hackers can steal a Tesla Model 3 via a Man-in-The-Middle (MiTM) phishing attack on car owners’ Tesla accounts. This allows them to unlock and steal the car eventually.
In their study, security researchers Talal Haj Bakry and Tommy Mysk describe how they could open and then steal a Tesla car via a MiTM phishing attack on Tesla users’ accounts.
The researchers executed the attack via the 4.30.6 version of the Tesla App, which acts as the car’s key, and version 11.1 2024.2.7 of the underlying Tesla software. The attack created a new “Phone key” that can be used to unlock the Tesla car.
The investigation shows that connecting the car to a new phone does not have proper authentication security. If the hackers have the correct login credentials and Phone key, they can easily use the Tesla app to open the car and drive away, even if a phone other than the owner’s is used.
MiTM attack path
Hacking a Tesla requires a MiTM phishing method to obtain login credentials to a Tesla account. According to the researchers, this is relatively simple and can be performed without too much specialized equipment.
The hackers position themselves at a Tesla charging station and can launch a malicious Wi-Fi network there named “Tesla Guest. This SSID is often available at Tesla stations, where Tesla drivers are familiar.
To broadcast this malicious Wi-Fi network, the hackers can use a Flipper Zero. This is a portable open-source multi-tool for hardware probing, firmware flashing, debugging, and fuzzing. They can also use any device that can set up a Wi-Fi hotspot.
After connecting to the malicious Wi-Fi network, victims are presented with a fake login page and asked to log in. The hackers can read these login credentials directly on the Flipper Zero.
Bypassing two-factor authentication
Next, the phishing page asks for a one-time password. With this, the hackers bypass two-factor authentication. Then, before this password expires, the hackers must log in to the Tesla app they control.
After logging in, the hackers can track the location of the affected Tesla in real time and strike later. To do this, the new Phone key is then registered to open the car and drive away.
Creating this new phone key does not require opening the car. All that is required is for the hackers to be close to it.
The original owner never receives the warning that a new Phone key has been created, nor does a notification appear on the screen in the car. Therefore, the owner does not know that the car has been hacked and can be stolen.
The researchers successfully carried out their test attack on a Tesla Model 3, although this car must be in the owner’s possession and already connected to a Phone key.
Combination physical RFID card is solution
To solve the hacking problem, the researchers propose that opening and starting a Tesla with the Phone key is done in combination with the physical Tesla Card Key. This physical smart RFID card must be placed on the RFID reader on the central console inside the car to start the car.
For Tesla drivers, this smart RFID card is a backup option when the Phone key is unavailable or the smartphone runs out of battery. Thus, a combined approach of the two methods would provide more security.
In response to the study, Tesla downplayed the researchers’ proposed solution. According to the automaker, using the Phone key is the intended behavior to open and start a Tesla. In addition, the Tesla Model 3 manual would not indicate that the RFID card must be added to the Phone key.
Also read: Darktrace: Sharp rise in number of novel social engineering attacks
19 hours ago
