NEW YORK – Researchers demonstrated how they could conduct a Man-in-the-Middle (MiTM) phishing attack to compromise Tesla accounts, unlock cars, and start them. The attack works on the latest Tesla app, version 4.30.6, and Tesla software version 11.1 2024.2.7.

As part of this attack, security researchers Talal Haj Bakry and Tommy Mysk register a new ‘Phone key’ that could be used to access the Tesla.

The researchers reported their findings to Tesla, saying that linking a car to a new phone lacks proper authentication security. However, the car maker determined the report to be out of scope.

While the researchers performed this phishing attack using a Flipper Zero, it could easily be done with other devices, such as a computer, a Raspberry Pi, or Android phones.

An attacker at a Tesla supercharger station could deploy a WiFi network called “Tesla Guest,” an SSID that is commonly found at Tesla service centers and that car owners are familiar with.

Mysk used a Flipper Zero to broadcast the WiFi network but notes that the same can be accomplished using a Raspberry Pi or other devices that come with WiFi hotspot capabilities.

Once the victim connects to the spoofed network, they are served a fake Tesla login page asking them to log in using their Tesla account credentials. Whatever the victim enters on the phishing page, the attacker can see on the Flipper Zero in real time.

After entering the Tesla account credentials, the phishing page requests the one-time password for the account, to help the attacker bypass the two-factor authentication protection.

The attacker has to move before the OTP expires and log into the Tesla app using the stolen credentials. Once in the account, the threat actor can track the vehicle’s location in real time.

To read more, click on BleepingComputer.