Researchers have revealed a concerning vulnerability in Tesla’s security protocols, demonstrating a Man-in-the-Middle phishing attack that exploits weaknesses in the Tesla app and software. Talal Haj Bakry and Tommy Mysk illustrate how attackers could compromise Tesla accounts, unlock vehicles, and even start them, utilizing a method that targets version 4.30.6 of the Tesla app and software version 11.1 2024.2.7. Despite their efforts to alert Tesla to the issue, the carmaker dismissed the report, stating that the behavior was intentional and not mentioned in the Tesla Model 3 owner’s manual.
The attack involves setting up a fake Tesla Guest WiFi network, typically found at Tesla service centers, to lure victims into connecting. Once connected, victims are presented with a fake Tesla login page, where attackers can capture their credentials in real-time. This allows attackers to bypass two-factor authentication and gain access to the victim’s Tesla account, enabling them to add a new ‘Phone Key’ and take control of the vehicle.
One of the key concerns raised by the researchers is the ease with which a new Phone Key can be added without proper authentication. They highlight the fact that Tesla does not require physical authentication, such as a key card, when adding a new Phone Key via the Tesla app. This significant security gap allows attackers to remotely add a new Phone Key and gain full control over the vehicle without the owner’s knowledge or notification.
Reference:
