March 7, 2024 at 12:11PM
Researchers demonstrated a phishing attack on Tesla accounts using a Flipper Zero. By broadcasting a fake "Tesla Guest" WiFi network that serves a spoofed Tesla login page, attackers trick victims into entering their credentials, including the one-time 2FA code. With that access, the attacker can add a new Phone Key to the account and use it to unlock and drive away with the vehicle. The researchers reported the issue to Tesla.
Several key points emerge from the report:
1. Security researchers discovered a phishing attack in which a device such as a Flipper Zero or Raspberry Pi spoofs a WiFi network named "Tesla Guest." Victims who connect are shown a fake Tesla login page that captures the account credentials and the one-time 2FA code, so two-factor authentication does not stop the attacker from logging in.
2. Once the attacker has logged in to the victim's Tesla account, they can add a new 'Phone Key' without any physical authentication via a Tesla Card Key, which lets them unlock and start the car.
3. The researchers confirmed the attack works on a Tesla Model 3 and call for additional safeguards, such as requiring a physical Tesla Card Key tap when adding a new Phone Key, so that account compromise alone cannot be escalated to vehicle access.
4. Tesla's response stated that, according to the company's investigation, adding a new Phone Key without Card Key authentication is intended behavior; the researchers note that this behavior is not documented in the Tesla Model 3 owner's manual.
5. BleepingComputer contacted Tesla for further clarification and to ask whether an over-the-air (OTA) update would address the issue, but had not received a response at the time of the report.
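As an added illustration (not code from the report, from the researchers, or from Tesla), the following Python models why a one-time code entered into the spoofed page does not protect the account: the attacker only has to forward the captured code to the real login before the TOTP window closes. It assumes the account's second factor is an RFC 6238 authenticator-app code (HMAC-SHA1, 30-second step) and that the server tolerates one adjacent window, which is the common profile; the secret, the timestamps and the relay delays are constructed for the demo.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the profile most authenticator apps use."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows either side
    (assumed tolerance; real deployments commonly allow one step of clock drift)."""
    counter = unix_time // TIME_STEP
    for delta in range(-skew, skew + 1):
        candidate = totp(secret, (counter + delta) * TIME_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def relayed_code_accepted(secret: bytes, victim_submit_time: int, relay_delay: int) -> bool:
    """Model the phishing flow from the report: the victim types the code into the
    fake 'Tesla Guest' login page at `victim_submit_time`, and the attacker submits the
    same code to the real service `relay_delay` seconds later."""
    captured = totp(secret, victim_submit_time)  # what the spoofed page collects
    return verify_totp(secret, captured, victim_submit_time + relay_delay)


# RFC 6238 reference secret, used so the TOTP implementation can be checked
# against the published test vector (T=59 -> 94287082, i.e. "287082" at 6 digits).
RFC_SECRET = b"12345678901234567890"

# Constructed demo timestamp (not from the report).
VICTIM_TIME = 1_700_000_000

if __name__ == "__main__":
    print("RFC 6238 vector T=59:", totp(RFC_SECRET, 59))
    for delay in (5, 20, 45, 90):
        ok = relayed_code_accepted(RFC_SECRET, VICTIM_TIME, delay)
        print(f"code captured at t0, relayed {delay:3d}s later -> accepted={ok}")
```

The demo shows the property that matters: a code the victim can type into an attacker's page can be relayed by the attacker within the same few tens of seconds, so TOTP adds no protection against a live phishing proxy. Only a second factor bound to the real origin (a FIDO2/WebAuthn security key signs the site's origin, so a spoofed page cannot obtain a usable assertion) closes the relay window, and the researchers' request for a Card Key tap before a new Phone Key is accepted applies the same possession-bound idea at the vehicle.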
These points outline the security implications of the reported weakness and the ongoing dialogue with Tesla about potential updates to mitigate the risk.