Researchers use fake charging station WiFi to hack and steal your Tesla

Two researchers have found a way to use social engineering to potentially steal Teslas parked at charging stations. Kena Betancur/Getty Images

  • Hackers have a potential new way to steal your Tesla.
  • Researchers created a fake Tesla WiFi network to steal the owner’s credentials and set up a new phone key.
  • Teams have previously found other hacking vulnerabilities in high-tech Teslas.

If you own a Tesla, you may want to be extra careful when logging into the WiFi networks at Tesla charging stations.

Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. published a YouTube video explaining how easy it can be for hackers to make off with your car using a clever social engineering trick.

This is how it works.

Many Tesla charging stations – of which there are more than 50,000 worldwide – offer a WiFi network commonly called “Tesla Guest” that Tesla owners can log into and use while waiting for their car to charge, according to the video from Mysk.

Using a device called Flipper Zero – a simple $169 hacking tool – the researchers created their own ‘Tesla Guest’ WiFi network. When a victim tries to access the network, he or she is directed to a fake Tesla login page created by the hackers. The hackers then capture the victim’s username, password, and two-factor authentication code directly from the duplicate site.

Although Mysk used a Flipper Zero to set up their own WiFi network, this step of the process can also be accomplished with virtually any wireless device, such as a Raspberry Pi, a laptop or a cell phone, Mysk said in the video.

Once the hackers steal the owner’s Tesla account credentials, they can use them to log into the real Tesla app, but they must do so quickly before the 2FA code expires, Mysk explains in the video.

One of the unique features of Tesla vehicles is that owners can use their phone as a digital key to unlock their car without the need for a physical key card.

After logging into the app with the owner’s credentials, the researchers set up a new phone key while staying a few feet away from the parked car.

The hackers wouldn’t even have to steal the car on the spot; they were able to track the Tesla’s location through the app and later steal it.

Mysk said the unsuspecting Tesla owner isn’t even notified when a new phone key is set. And while the Tesla Model 3 owner’s manual states that the physical card is required to set up a new phone key, Mysk found that this was not the case, according to the video.

“This means that an owner with a leaked email address and password could lose their Tesla vehicle. This is insane,” Tommy Mysk told Gizmodo. “Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must factor such risks into their threat models.”

When Mysk reported the problem to Tesla, the company responded that it had investigated it and decided it was not a problem, Mysk said in the video.

Tesla did not respond to Business Insider’s request for comment.

Tommy Mysk said he tested the method several times on his own vehicle and even used a reset iPhone that had never been paired to the vehicle before, Gizmodo reported. Mysk claimed it worked every time.

Mysk said they conducted the experiment for research purposes only and that no one should steal cars (we agree).

At the end of their video, Mysk said the issue could be resolved if Tesla mandates physical key card authentication and notifies owners when a new phone key is created.

This isn’t the first time that clever researchers have found relatively simple ways to hack Teslas.

In 2022, a 19-year-old said he had hacked 25 Teslas around the world (although the specific vulnerability has since been patched); later that year, a security company found another way to hack Teslas from hundreds of miles away.
