Researchers have discovered a cybersecurity flaw in Tesla charging stations that could allow hackers to steal vehicles using a simple and affordable tool such as a Flipper Zero, a Raspberry Pi, or a laptop.
Attackers can gain access to a Tesla vehicle with just a leaked email and password. This exploit is particularly concerning given the prevalence of phishing and social engineering attacks. Hackers create a fake Wi-Fi network called “Tesla Guest” and trick victims into entering their login information into a duplicate site. The stolen login credentials bypass Tesla’s two-factor authentication and give the attacker access to the victim’s Tesla smartphone app, where a new “phone key” can be created to unlock and steal the vehicle without the vehicle’s physical key card.
Mysk was able to demonstrate this vulnerability on its own Tesla, despite Tesla’s assurances in the user manual that this was not possible. After being notified, Tesla downplayed the issue and described it as “intended conduct.”
It is claimed that Tesla can fix this security vulnerability by notifying users when a new phone key is created, but it remains unclear whether Tesla will take action.
Cybersecurity researchers have long warned about the risks associated with keyless entry systems in the automotive industry, and have reiterated that companies should take such threats into account in their security measures.
Compiled by: Eliz Canyurt