Security researchers say they discovered a design flaw that allowed them to hijack a Tesla car using the Flipper Zero, a controversial $169 handheld multifunction pen testing tool that is also used to hack devices ranging from RFID-enabled (radio frequency identification) hardware and digital access keys to radio communications, NFC (proximity wireless data exchange technology), infrared, Bluetooth and more.
Researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as stealing a Tesla owner’s login information. According to them, the exploit takes minutes and, to prove that it works, Mysk “stole” his own car. He used a Flipper Zero to broadcast the spoofed Wi-Fi network, but notes that the same can be done with a Raspberry Pi or any other device that offers a Wi-Fi hotspot capability.
After the victim connects to the spoofed network, they are shown a fake Tesla login page asking them to sign in to their Tesla account. Everything the victim types on the phishing page is visible to the attacker on the Flipper Zero in real time. After the Tesla account credentials are entered, the phishing page requests the account’s one-time password, which lets the attacker bypass the two-factor authentication protection.
The attacker must act before the OTP (one-time password) expires and log in to the Tesla app using the stolen credentials. Once in the account, the attacker can track the vehicle’s location in real time. Tesla account access also allows them to add a new ‘phone key’. To do this, they must be close to the car, within a few meters.
Phone keys use the Tesla mobile app in conjunction with the car owner’s smartphone to enable automatic locking and unlocking of the vehicle via a secure Bluetooth connection.
Tesla cars also use card keys, thin RFID cards that must be placed on the center console’s RFID reader to start the vehicle. Although more secure, Tesla treats them as a backup option for when the phone key is unavailable or the phone has run out of battery.
Mysk says that adding a new phone key through the app requires neither the car to be unlocked nor the smartphone to be inside the vehicle, which creates a significant security gap.
To make matters worse, once a new phone key has been added, the Tesla owner receives no notification about it through the app, and no alert is shown on the car’s touch screen. The attacker can therefore unlock the car and activate all of its systems, and drive away as if they were the owner.
Mysk notes that the attack was successful on a Tesla Model 3. In the report to the automaker, the researcher notes that the hijacked Tesla account must belong to the primary driver and that the vehicle must already be linked to a phone key.
The researchers argue that requiring a physical Tesla Card Key when adding a new phone key would improve security by adding a layer of authentication for the new phone. When notified, the company responded that its investigation concluded this was the intended behavior, and that the Tesla Model 3 owner’s manual does not state that a key card is required to add a phone key.
Source: CisoAdvisor