Hackers have found a simple new way to steal a Tesla. Here’s how.

This article originally appeared on Business Insider.

If you own a Tesla, you may want to be extra careful when logging into WiFi networks at Tesla charging stations.

Security researchers Tommy Mysk and Talal Haj Bakry of Mysk posted a video on YouTube on Thursday explaining how easy it is for hackers to make off with your car using a clever social engineering trick.

Here’s how it works.

Many Tesla charging stations, of which there are more than 50,000 in the world, offer a WiFi network commonly called “Tesla Guest” that Tesla owners can log into and use while waiting for their car to charge, according to the Mysk video.

Using a device called a Flipper Zero, a simple hacking tool that costs $169, the researchers created their own “Tesla Guest” WiFi network. When a victim tries to access the network, they are taken to a fake Tesla login page created by the hackers, who then steal their username, password, and two-factor authentication code directly from the duplicate site.

Although Mysk used a Flipper Zero to set up its WiFi network, this step of the process can also be done using almost any wireless device, such as a Raspberry Pi, laptop or cell phone, Mysk said in the video.

Once hackers steal an owner’s Tesla account credentials, they can use them to log into the real Tesla app, but they have to do so quickly before the two-factor authentication code expires, Mysk explains in the video.

One unique feature of Tesla vehicles is that owners can use their phone as a digital key to unlock their car without needing a physical key card.

Once logged into the app using the owner’s credentials, the researchers set up a new phone key while remaining a few feet away from the parked car.

Hackers wouldn’t even need to steal the car right away; they can track the Tesla’s location from the app and steal it later.

Mysk said that an unsuspecting Tesla owner is not even notified when a new phone key is set up. Although the Tesla Model 3 owner’s manual states that a physical card is required to set up a new phone key, Mysk found that was not the case, according to the video.

“This means that with the email and password leaked, the owner could lose his Tesla. This is crazy,” Tommy Mysk told Gizmodo. “Phishing and social engineering attacks are very common today, especially with the advent of artificial intelligence technologies, and responsible companies must take such risks into account in their threat models.”

When Mysk reported the issue to Tesla, the company responded that it investigated the matter and determined it was not a problem, Mysk said in the video.

Tesla did not respond to Business Insider’s request for comment.

Tommy Mysk said he tested the method on his own car several times, and even used an iPhone that had never been paired with the vehicle before, Gizmodo reported. Mysk claimed he succeeded every time.

Mysk said they conducted the experiment for research purposes only and said no one should steal cars (we agree).

At the end of the video, Mysk said the issue could be solved if Tesla made physical key card authentication mandatory and notified owners when a new phone key is generated.

This is not the first time that clever researchers have found relatively simple ways to hack Tesla cars.

In 2022, a 19-year-old said he hacked into 25 Tesla cars worldwide (although the identified vulnerability has since been fixed); later that year, a security company found another way to hack Teslas from hundreds of miles away.
