Budhi Ram

How Hackers Could Steal Your Car Through Fake Charging Station WiFi

You might want to think twice before connecting to WiFi networks at Tesla charging stations. According to security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc., hackers could exploit a clever trick to gain access to your car.


Here’s how it works:

Tesla charging stations, numbering over 50,000 worldwide, often provide a WiFi network named “Tesla Guest” for owners to use while waiting for their vehicles to charge. Mysk and Bakry demonstrated in a YouTube video how they could create their own “Tesla Guest” WiFi network using a device called a Flipper Zero, a tool available for just $169. When unsuspecting Tesla owners attempted to connect to this fake network, they were directed to a fraudulent login page set up by the hackers. Through this page, the hackers were able to steal the victim’s username, password, and even their two-factor authentication code.

Mysk emphasized that while they used a Flipper Zero for their demonstration, the same attack could be carried out with various wireless devices like a Raspberry Pi, laptop, or cell phone.

Once the hackers obtained the victim’s Tesla account credentials, they could swiftly log into the Tesla app, leveraging one of Tesla’s unique features: using a smartphone as a digital key to unlock the car. With access to the app, the hackers could set up a new phone key from a short distance away. They wouldn’t even need to steal the car immediately; they could monitor its location via the app and take it at a later time.

What’s more alarming is that Tesla owners aren’t notified when a new phone key is set up, and the setup goes through without a physical key card, contrary to what the Tesla Model 3 owner’s manual states about requiring one for this process.

Tommy Mysk expressed concern over this vulnerability, highlighting the risk posed by phishing and social engineering attacks in today’s digital landscape. Mysk said that he reported the issue to Tesla, but the company dismissed it as a non-issue.

In response to this potential threat, Mysk suggested that Tesla make physical key card authentication mandatory and implement notifications for owners when a new phone key is created to mitigate the risk.

This isn’t the first time vulnerabilities in Tesla’s security have been exposed. In 2022, a 19-year-old hacker claimed to have accessed 25 Teslas worldwide, prompting the company to address the vulnerability. Similarly, another security company identified a separate method to remotely hack into Teslas later that year.

As Tesla continues to innovate in the electric vehicle market, addressing and mitigating security concerns like these will be crucial in maintaining customer trust and ensuring the safety of their vehicles.
