Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.
The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called “Tesla Guest,” the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla’s login page.
The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you’re logged into the Tesla app, you can set up a “phone key” which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.
You can see Mysk’s demonstration of the attack in the video below.
According to Mysk, Tesla doesn’t notify users when new keys are created, so the victim wouldn’t know they’ve been compromised. Mysk said the bad guys wouldn’t need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.
“This means with a leaked email and password, an owner could lose their Tesla vehicle. This is insane,” Tommy Mysk said. “Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must factor in such risks in their threat models.”
When you buy a Tesla, the company provides you with a physical keycard for the car. The Tesla Model 3 owner’s manual says “The key card is used to ‘authenticate’ phone keys to work with Model 3 and to add or remove other keys.” However, when Mysk tried this exploit, it seemed that wasn’t true.
According to Mysk, he tested the vulnerability multiple times with his own Tesla. Mysk said he used a freshly reset iPhone that had never been paired with his car before, and he made sure there was no link between that phone and his real identity through the Apple ID or IP address. Mysk said he was able to create a phone key multiple times without access to the Tesla’s physical key card.
Mysk said he contacted Tesla through its vulnerability reporting program, but the company responded that this isn’t a real problem. He shared a copy of the exchange with Gizmodo. “We have investigated and determined that this is the intended behavior,” Tesla said in the email. “The ‘Phone Key’ section of the owner’s manual page you linked to makes no mention of a key card being required to add a phone key.”
Tesla, which typically ignores questions from the media, did not immediately respond to a request for comment.
“Tesla Product Security team’s confirmation that this is the ‘intended behavior’ is preposterous,” Mysk said. “The design to pair a phone key is clearly made super easy at the expense of security.”
According to Mysk, it seems the physical key card is only necessary to “authenticate” the phone key as a fail-safe mechanism. In Mysk’s tests, he was able to set up the phone key when he was standing near or sitting in the car. If the car was too far away, the setup process would fail, and the app asked for the physical key card. But as long as he was close by, Mysk said he was able to add a new phone key without the key card.
“With Tesla’s current design, if an attacker has the victim’s username and password, they can drive away with the victim’s vehicle,” Mysk said. “If a victim is tricked to expose their credentials, they shouldn’t lose it all. They shouldn’t lose their car.”
The Flipper Zero is a controversial device that’s designed for hobbyists, hackers, and people who want to stop them. It’s like a digital Swiss army knife, with a variety of wireless connectivity features that let you play with (and break into) other devices. Recently, the Flipper’s co-founder told Gizmodo the whole point of the device is to expose big tech’s shoddy security practices. However, it’s worth noting that there are a wide variety of other inexpensive devices that would let you exploit this Tesla vulnerability in the exact same way.
It wouldn’t be hard for Tesla to solve this problem. Mysk said the company should make key card authentication mandatory before you add phone keys, and Tesla should notify users when new keys are created. But without action from the company, Tesla owners may be sitting ducks.
Sometimes a sleek, fancy computer interface carries an illusion of safety, but more often than not, the extra layers of complexity make us more vulnerable. 20 years ago, car thieves basically had two choices: get a hold of the driver’s key chain, or hot wire the vehicle. But when your car key is a bunch of ones and zeros, things can get messy.