Recent findings by security researchers reveal a potential vulnerability in Tesla vehicles that could allow hackers to gain unauthorized access and potentially steal cars.
Tommy Mysk and Talal Haj Bakry of Mysk Inc. demonstrated how hackers could exploit Tesla’s WiFi networks at charging stations to obtain login credentials and set up a new phone key, granting them access to the vehicle.
The researchers created a fake Tesla Guest WiFi network using a device called a Flipper Zero, which mimicked the legitimate network found at Tesla charging stations.
When Tesla owners attempted to connect to the network, they were directed to a fraudulent login page where hackers could steal their username, password, and two-factor authentication code.
Using the stolen credentials, hackers could then log into the Tesla app and set up a new phone key, allowing them to unlock and potentially steal the car remotely.
Despite Tesla’s indication in the Model 3 owner’s manual that a physical key card is required to set up a new phone key, the researchers found this not to be the case in their experiments.
Tommy Mysk emphasized the severity of the issue, stating that with leaked login credentials, an owner could lose their Tesla vehicle, highlighting the importance of addressing such security risks. However, when Mysk reported the issue to Tesla, the company reportedly investigated and deemed it not a concern.
This revelation adds to previous instances where security vulnerabilities were found in Tesla vehicles, including a 19-year-old hacker’s demonstration of accessing 25 Teslas worldwide and another security company’s discovery of remote hacking capabilities.
The researchers recommend that Tesla implement mandatory physical key card authentication and provide notifications to owners when a new phone key is created to mitigate this security risk.
While the experiment was conducted for research purposes, it underscores the need for robust security measures in connected vehicles to prevent unauthorized access and potential theft.