Poor Tesla Security Proves Us Wrong, The Flipper Zero And Other Devices Can Steal A Modern Car
I’m Driving With A Man In The Middle
The Flipper Zero has been in the news lately, thanks to the Canadian government deciding it is a hacking tool capable of helping people steal cars rather than a handy tool for learning how the networks all around you work. Sadly, Tesla has decided to prove them right by having an incredibly insecure WiFi network configuration. There is apparently a network familiar to Tesla users called Tesla Guest, which is easily spoofed using a Raspberry Pi, Flipper Zero or any other device capable of broadcasting an SSID.
Since it is familiar to Tesla owners, they would have no compunction about logging into their Tesla account while connected to that network. Unfortunately, that means the person broadcasting the hotspot would now have your login info and could feed it to the actual Tesla Guest network to generate and capture a one-time key, getting around the MFA protection on the Tesla account. That would give them everything they need to generate a new Phone Key. No notification is sent to the owner when this new key is generated, so they would have no idea that a total stranger can now unlock their Tesla, start it up and drive away.
Bleeping Computer suggests that some very simple security requirements, such as the phone needing to be physically inside the Tesla to be able to generate a new Phone Key and requiring a physical Tesla Card Key be present would mitigate the issue.
Researchers demonstrated how they could conduct a Man-in-the-Middle (MiTM) phishing attack to compromise Tesla accounts, unlocking cars, and starting them. The attack works on the latest Tesla app, version 4.30.6, and Tesla software version 11.1 2024.2.7.
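As an added example (not Tesla's code, nor the researchers' tooling), the Python below models the account-side control the mitigation above points at. It shows two things: a one-time code captured by the fake portal and relayed within its validity window still verifies, which is why password plus TOTP alone does not stop this; and an enrollment policy that also demands a proof from the physical Card Key at the vehicle, and always notifies the owner, refuses the relayed request. The account object, the vehicle-issued nonce and the card-key HMAC are hypothetical stand-ins and assume nothing about how Tesla actually implements enrollment.

```python
"""Phone-key enrollment modelled from the defender's side (added example,
hypothetical data model, not Tesla's API)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

TOTP_STEP = 30  # seconds per RFC 6238 time step


def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation."""
    counter = int(t // TOTP_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: float, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` neighbours (a common server setting)."""
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
               for d in range(-skew, skew + 1))


@dataclass
class Account:
    password: str
    totp_secret: bytes
    card_key_secret: bytes          # hypothetical: shared with the owner's physical card key
    phone_keys: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def vehicle_card_challenge() -> bytes:
    """Nonce the vehicle issues when a card is tapped; only obtainable at the car."""
    return secrets.token_bytes(16)


def card_key_respond(card_secret: bytes, nonce: bytes) -> bytes:
    """What the physical card computes over the vehicle's nonce."""
    return hmac.new(card_secret, nonce, hashlib.sha256).digest()


def enroll_phone_key(acct: Account, device_id: str, password: str, otp: str,
                     now: float, require_card: bool,
                     nonce: bytes = b"", card_proof: bytes = b"") -> bool:
    """Register a new Phone Key. require_card=False is the weak flow the article
    describes; require_card=True also demands a fresh vehicle nonce and the
    card key's HMAC over it, which a remote relay cannot produce."""
    if password != acct.password or not verify_totp(acct.totp_secret, otp, now):
        return False
    if require_card:
        expected = card_key_respond(acct.card_key_secret, nonce)
        if not nonce or not hmac.compare_digest(expected, card_proof):
            acct.notifications.append(
                f"Phone Key enrollment for {device_id} refused: no Card Key present")
            return False
    acct.phone_keys.append(device_id)
    # Notify the owner on every successful enrollment; silence is the gap the article calls out.
    acct.notifications.append(f"New Phone Key registered on device {device_id}")
    return True


def demo():
    """Replay a phished password+OTP from a constructed account under both policies."""
    acct = Account(password="hunter2", totp_secret=b"owner-totp-secret",
                   card_key_secret=b"owner-card-secret")
    t_phish = 1_700_000_010.0                         # start of a 30-second step
    captured_otp = totp(acct.totp_secret, t_phish)    # what the fake portal collected
    # Relayed 10 seconds later, still inside the same step: weak policy accepts it.
    weak = enroll_phone_key(acct, "attacker-phone", "hunter2", captured_otp,
                            t_phish + 10, require_card=False)
    # Same relay against the hardened policy: no card proof, so refused.
    hardened = enroll_phone_key(acct, "attacker-phone-2", "hunter2", captured_otp,
                                t_phish + 10, require_card=True)
    # The owner tapping a card at the car produces the proof a relay lacks.
    nonce = vehicle_card_challenge()
    proof = card_key_respond(acct.card_key_secret, nonce)
    owner = enroll_phone_key(acct, "owner-phone", "hunter2",
                             totp(acct.totp_secret, t_phish + 60), t_phish + 60,
                             require_card=True, nonce=nonce, card_proof=proof)
    return weak, hardened, owner, list(acct.phone_keys), list(acct.notifications)


if __name__ == "__main__":
    print(demo())
```

The point of the card-key step is not the HMAC itself but where the nonce comes from: it is issued by the vehicle to a card physically presented to it, so credentials and a code harvested at a fake charging station are not enough on their own. The notification on both the accepted and the refused path is the cheaper fix, and the one the article notes is currently missing.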
More Tech News From Around The Web
- Windows 10 KB5001716 update fails with 0x80070643 errors, how to fix @ Bleeping Computer
- Attack wrangles thousands of web users into a password-cracking botnet @ Ars Technica
- Microsoft says Russian hackers breached its systems, accessed source code @ Bleeping Computer
- Venturing beyond the default OS on Raspberry Pi 5 @ The Register
- Samsung Making It Harder To Know What Type of OLED TV You’re Getting @ Slashdot
- Apple’s trademark tight lips extend to new iPhone, iPad zero-days @ The Register
- Millions of Research Papers at Risk of Disappearing From the Internet @ Slashdot
- Best Of Both Worlds: The MacPad @ Hackaday
- Ethernet For Hackers: Transformers, MACs And PHYs @ Hackaday
- Chrome users – get an alert when extensions are in danger of falling into wrong hands @ The Register
- Cat qubits reach a new level of stability @ Physicsworld
- Logitech MX Brio 705 – where Ultra HD meets Ultra AI @ The Register
- Researchers Jailbreak AI Chatbots With ASCII Art @ Slashdot
- MikroTik CRS326-4C+20G+2Q+RM Switch Review 2.5GbE 10GbE and 40GbE @ Serve The Home
This hack had nothing whatsoever to do with the Flipper; any device able to generate a WiFi hotspot would work, as the attack is a basic MITM attack.
The ‘hack’ was to create a fake charger station, and along with it create a fake WiFi hotspot with the expected Tesla hotspot name. Then, create a captive portal page that visually resembled the real Tesla one, and use that to snarf username, password, and 2FA token. Then use those details within the 2FA-valid window to register another phone with the Tesla app.
Mitigations have nothing to do with the car itself, but instead lie in user education (not to ignore the security warnings on the spoofed captive portal page), adding notifications of another phone app being registered, and ideally changing the captive portal authentication method to use an app-generated key rather than regular login credentials – however, this last one is again vulnerable to users ignoring security warnings and entering valid credentials anyway.
^^ all that
It was tongue in cheek! I thought I’d made it pretty clear it was because users are idiots?