Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. have recently exposed a critical design flaw in Tesla’s security system that allowed them to hijack a Tesla vehicle using a controversial hacking tool called the Flipper Zero. Priced at $169, the device enables a simple yet effective social engineering attack: an attacker obtains a Tesla owner’s login credentials, signs in to the Tesla app, and drives away with the vehicle, while the unsuspecting victim remains unaware that their $40,000 asset is gone. Mysk demonstrated the exploit by successfully stealing his own car within minutes.
Social Engineering Attack Unveiled – WiFi Network Mimicry
Unlike conventional hacking, the method employed by the researchers is a social engineering attack that tricks users into handing over their information willingly. Using the Flipper Zero, Mysk and Haj Bakry set up a fake WiFi network named “Tesla Guest,” mimicking the guest networks Tesla offers at its service centers. They then created a deceptive website resembling Tesla’s login page. Potential victims, especially those waiting near charging stations and looking for something to do, could unknowingly connect to this rogue network and enter their login credentials into the fake page.
“This means with a leaked email and password, an owner could lose their Tesla vehicle. This is insane,” said Tommy Mysk. He emphasized the prevalence of phishing and social engineering attacks in today’s technologically advanced landscape, urging responsible companies to consider such risks in their threat models.
Tesla’s Response and Potential Solution – Key Card Authentication Neglected
Despite Tommy Mysk’s attempts to alert Tesla to the vulnerability through its reporting program, the company dismissed the issue, stating that this is intended behavior. According to Mysk, the vulnerability lies in the ability to add a new phone key without the physical key card, which contradicts Tesla’s documented security measures. Mysk suggested that Tesla make key card authentication mandatory before a phone key can be added and notify owners whenever a new key is created, a simple yet effective change that would mitigate the risk.
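As an added illustration, not code from the researchers or from Tesla, the following Python model contrasts the enrollment flow the article describes, where a logged-in app session alone is enough to add a phone key, with the mitigation Mysk proposes: proof that the physical key card is present, plus an owner notification for every enrollment attempt. The account fields, the HMAC challenge-response standing in for the key card, and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password_hash: bytes                 # credentials a phishing page can capture
    card_secret: bytes                   # secret that only the physical key card holds
    phone_keys: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def login(acct, email, password):
    """Credentials only: everything a phished victim leaks. Returns a session or None."""
    digest = hashlib.sha256(password.encode()).digest()
    ok = email == acct.email and hmac.compare_digest(digest, acct.password_hash)
    return secrets.token_hex(8) if ok else None


def card_response(card_secret, nonce):
    """Proof of presence: the key card answers a server nonce with an HMAC (assumed)."""
    return hmac.new(card_secret, nonce, hashlib.sha256).hexdigest()


def add_phone_key_weak(acct, session, key_id):
    """Flow as described in the article: a valid app session is sufficient."""
    if session is None:
        return False
    acct.phone_keys.append(key_id)
    return True


def add_phone_key_hardened(acct, session, key_id, nonce, response):
    """Proposed mitigation: session AND key-card proof, and the owner is always told."""
    if session is None:
        return False
    if not hmac.compare_digest(card_response(acct.card_secret, nonce), response):
        acct.notifications.append(f"rejected phone key {key_id}: key card not present")
        return False
    acct.phone_keys.append(key_id)
    acct.notifications.append(f"new phone key {key_id} added")
    return True


def demo():
    """Attacker holds phished credentials but not the key card (constructed scenario)."""
    acct = Account("owner@example.com", hashlib.sha256(b"hunter2").digest(), b"card-secret-demo")
    session = login(acct, "owner@example.com", "hunter2")
    weak = add_phone_key_weak(acct, session, "attacker-phone")
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    no_card = add_phone_key_hardened(acct, session, "attacker-phone-2", n1, "00" * 32)
    with_card = add_phone_key_hardened(acct, session, "owner-phone", n2, card_response(acct.card_secret, n2))
    return weak, no_card, with_card, acct
```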
Flipper Zero Hack
The Flipper Zero, designed for hobbyists and hackers, serves as a digital Swiss army knife for exposing security flaws in a wide range of devices. Although its co-founder says the tool exists to reveal shortcomings in big tech’s security practices, other inexpensive devices could carry out the same attack against Tesla’s vulnerability. With a call for action directed at Tesla, the question remains: will the company take steps to close this security loophole and protect its owners from theft?
This revelation raises concerns over the security practices of prominent tech companies and highlights the need for continual vigilance in addressing emerging threats in the ever-evolving landscape of digital security.