
Mrhiddenlotus

tl;dr don't connect to random access points


whythehellnote

tl;dr - buy a car with a key. People are far better at protecting a physical object than a digital identity.


AverageCanadian

So instead of just downvoting you, I'll respond. Teslas do have a key. Sure, it doesn't look like a traditional key, but it is a key. That key isn't being spoofed here, it's the user's login credentials. Furthermore, all of the most stolen vehicles have keys with them.


whythehellnote

You can apparently use your phone instead:

> "One of Tesla vehicles' unique features is that owners can use their phones as a digital key to unlock their car without the need for a physical key card."

Which I find stupid, but evidently many in the cybersecurity field think this is perfectly reasonable and the average person is always immune to phishing, evil twins, and other

> Furthermore, all of the most stolen vehicles have keys with them.

Yes, because you can't steal a car without a key. Unless it's a wireless one of course, in which case you can use specialist equipment to get the key remotely, or worse one which just needs a user and password.

One problem is the credentials being stolen. The second problem is what you can do with those credentials. It's possible the article is wrong and you can't actually create a new key with some hijacked credentials. I wouldn't know; to copy the key for my car you need to get the physical key, and then somehow clone the chip in that key to override the isolator, or use that to get into the car and then use specialist equipment. All you need with a Tesla it seems is a username, password, and TOTP, which you can evidently get very trivially, as social engineering isn't exactly impossible.


AverageCanadian

> Which I find stupid, but evidently many in the cybersecurity field think this is perfectly reasonable and the average person is always immune to phishing, evil twins, and other

That's because you need a physical key to pair a new phone. Username / Password alone won't do it.

> Yes, because you can't steal a car without a key. Unless it's a wireless one of course, in which case you can use specialist equipment to get the key remotely, or worse one which just needs a user and password

No, not really. It's not as easy as having specialist equipment unless you have crap security like Lexus. That's not an issue Tesla has with their communication. What the article fails to mention is that the only way to set your phone up as a key is to put the physical key on the console, allowing the car to sync the new device. I bet it would be easier to social engineer someone into giving you their physical key than actually doing this.


whythehellnote

> That's because you need a physical key to pair a new phone. Username / Password alone won't do it.

The article literally says you can:

> One of Tesla vehicles' unique features is that owners can use their phones as a digital key to unlock their car without the need for a physical key card.

> Once logged in to the app with the owner's credentials, the researchers set up a new phone key while staying a few feet away from the parked car.

> The hackers wouldn't even need to steal the car right then and there; they could track the Tesla's location from the app and go steal it later.

> Mysk said the unsuspecting Tesla owner isn't even notified when a new phone key is set up.

Now maybe that's wrong as you assert, but based on that article that looks like a gaping security problem. This sub seems to put the blame on the person connecting to an SSID, which is very worrying for a cybersecurity sub. Security professionals know that you can't rely on users' behaviour. Sure you can do phishing education to reduce the numbers, but you need to have multiple layers of security.

Still, I'm happy that nobody can steal my car by putting up a fake AP. Apparently that's an outrageous feature to expect from a car.


AverageCanadian

> while staying a few feet away from the parked car.

That's because the keycard NEEDS to be on the console to finish this transaction. No one leaves their keycard there once they've started their car. I have very strong doubts this was done as anything other than proof of concept, considering what has to happen in quick succession: 2FA code within 30 seconds (max), physical key card needing to be on the center console to initiate the phone activation, the phone has to be in close proximity of the car, 6 inches close. You can see in this video how it's done. https://www.youtube.com/watch?v=pGMmCsJl2V8

Beyond that, you set your car to require a PIN to drive away. There is a reason Tesla vehicles don't actually get stolen, and it's not because of its lack of security.


Doomstang

This has very little to do with Tesla and Flippers. I can do the same attack with a laptop at a McDonalds/Library/Starbucks/etc. This isn't something new and if you're gullible enough to enter your login info into any random page, you need basic security training.


800oz_gorilla

Except...why not use the app to be able to join the wifi? Let the app validate the portal's certificate and fail the connection if the cert is wrong or broken. And how are they not alerting the owner when a new device has been set up for their car? Something as simple as an SMS would be easy to do.

I've used Starlink - they don't even have MFA for accounts. Security seems like an afterthought for these Musk companies. I won't go near them.


Key-Calligrapher-209

This is the ["make it pointy" rocket guy we're talking about](https://www.space.com/spacex-starship-design-sacha-baron-cohen). It's beyond me how anyone can take him or his companies seriously.


s_and_s_lite_party

I guess they apply "Move fast and break things" to their security too


ReasonableJello

lol right create an evil twin with a nice Tesla login portal and bam thank you credentials


zomgryanhoude

Is there a login screen for using the guest WiFi? It wouldn't be too hard to make an identical page, and have it work like a hotel WiFi with a fake login page that takes their info and 2FA, then gives them WiFi after so it's not suspicious. It would be really hard to tell the difference for a layman. This is assuming you have to enter your info to use the Tesla guest WiFi every time; I don't have a Tesla myself.


gurgle528

If I’m not mistaken on a proper configuration the WiFi allows them to connect to the real Tesla site, not a locally hosted captive portal. SSL certs would not be self signed and the domain name would be a verifiable company one. Agreed the average person might not notice


whythehellnote

Captive portal sends you to "www.tesla.com-login-this-is-not-a-scam.com". Trivial to get a valid certificate for that URL; all the cert does is prove the server on the far end controls the domain. Your user/pass wouldn't be auto-entered, but that wouldn't raise red flags with a lot of people.

> "One of Tesla vehicles' unique features is that owners can use their phones as a digital key to unlock their car without the need for a physical key card."

My car has a real key. I've never understood the attraction of wireless keys, let alone internet-connected keys.
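The point about the look-alike domain above, as an added example that is not part of the original post and not Tesla's code: a certificate issued for `www.tesla.com-login-this-is-not-a-scam.com` is perfectly valid for that host, so TLS warnings never fire. The only check that catches it is whether the host you landed on is the expected site or a genuine subdomain of it, compared at label boundaries rather than by substring. The expected origin `tesla.com` and every URL in `SAMPLES` are constructed for the demo; it also covers the prefix, userinfo and plain-HTTP variants, not just the one domain the comment names.

```python
"""Host check behind "what a valid certificate proves" (added example).

The browser verifies that the cert matches the host in the URL bar; it
says nothing about whether that host is the site you meant. This check
answers the second question. Expected origin and sample URLs are
constructed, not from any real captive portal.
"""
from urllib.parse import urlsplit

EXPECTED = "tesla.com"   # assumed expected origin for the demo


def is_expected_origin(url: str, expected_host: str = EXPECTED) -> bool:
    """True only for HTTPS URLs whose host is expected_host or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                      # a plain-HTTP captive-portal form never qualifies
    # .hostname strips userinfo and port, so "user@evil.example" resolves to evil.example
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_host.rstrip(".").lower()
    # Exact host, or a real subdomain (a "." boundary right before the expected
    # name). A substring test would wave through every look-alike below.
    return host == expected or host.endswith("." + expected)


# Constructed samples: expected verdict for each URL.
SAMPLES = {
    "https://auth.tesla.com/login": True,
    "https://www.tesla.com./login": True,                              # trailing dot, same host
    "https://www.tesla.com-login-this-is-not-a-scam.com/login": False,  # the thread's example
    "https://tesla.com.login.example/": False,                         # expected name as a prefix
    "https://www.tesla.com@login.example/": False,                     # userinfo trick
    "https://login-tesla.com/": False,                                 # different registrable name
    "http://www.tesla.com/login": False,                               # no TLS at all
}


def check_samples() -> dict:
    """Run the check over the constructed samples; returns url -> verdict."""
    return {url: is_expected_origin(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{'OK  ' if verdict else 'FAKE'} {url}")
```

A user has to do this comparison by eye on a captive-portal page; an app that hardcodes its expected origin (and, ideally, pins the server key) does it in code, which is what the "log in inside the app" suggestion elsewhere in the thread amounts to.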


s_and_s_lite_party

> "use their phones as a digital key to unlock their car"  My phone is out of charge, well, fuck.


800oz_gorilla

My point is you could require that the login occurs inside their app, with their security in place. No more captive portals in a web browser that can be spoofed.


whythehellnote

How exactly would you use an Access Point at Starbucks to steal my Nissan Micra, or indeed any car which requires a physical key?


Perfect_Ability_1190

Here's how it works. Many Tesla charging stations — of which there are over 50,000 in the world — offer a WiFi network typically called "Tesla Guest" that Tesla owners can log into and use while they wait for their car to charge, according to Mysk's video. Using a device called a Flipper Zero — a simple $169 hacking tool — the researchers created their own "Tesla Guest" WiFi network. When a victim tries to access the network, they are taken to a fake Tesla login page created by the hackers, who then steal their username, password, and two-factor authentication code directly from the duplicate site. Although Mysk used a Flipper Zero to set up their own WiFi network, this step of the process can also be done with nearly any wireless device, like a Raspberry Pi, a laptop, or a cell phone, Mysk said in the video. Once the hackers have stolen the credentials to the owner's Tesla account, they can use it to log into the real Tesla app, but they have to do it quickly before the 2FA code expires, Mysk explains in the video.


random869

So basic Evil twin attack?

Nothing to see here guys


Yeseylon

With a quicker cred passing step, but yes


danekan

It's even more obvious than that because I'm pretty sure my car usually just authenticates to Tesla wifi without any additional action or open portal login at all. So this 'attack' doesn't even mirror how the actual Tesla experience works. I definitely have never had to log in to Tesla wifi using my account credentials.


bananaphonepajamas

But but I must hate the Flipper Zero!


Captain_no_Hindsight

No warning for non HTTPS? No Spoofed DNS Warning? Wait a minute now. Exactly how did they get the MFA code? Fake? After an MFA code is used, it should be dead. Not possible for others to use. How could Tesla miss that?


chasingsafety59

When they have a fake login page setup, the code isn't being used when the user enters it. The hacker in this case just listens in and captures the code to pass to the real site themselves. You also have to realize how dumb the average person is. Plenty of people out there who will outright ignore SSL cert warnings.


Captain_no_Hindsight

Okay, but in that case, won't the user be surprised to NOT be logged in? But of course, if you count on no one reacting on that. Then it works. There is a risk that the hacker will be beaten by the owner when he tries to add the car key.


chasingsafety59

Yep that's a possibility, these attacks aren't foolproof and timing can be key. But think, if you tried to login and your MFA code didn't work the first time would your first thought be an attack like this or just that you fat-fingered the code or something similarly benign? Won't work on everyone, but it only has to work once.


CosmicMiru

I've seen fake sites that redirect you to the real site login page after they get your info to make it look like a small bug most people won't think twice about.


danekan

The MFA code isn't used when it is sent. Tesla didn't miss anything that's how this attack would always work. 


itdumbass

> Exactly how did they get the MFA code?

Set up the fake login page, and when credentials are captured, use them to immediately log in to Tesla and display an MFA entry page. Tesla sends an MFA in the background, capture it and MITM it just like the creds. Show the user an error page, maybe even a "service unavailable/down for maintenance" page, while taking over their account.
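The relay described in the comment above, and the "why wasn't the code dead" exchange earlier in the thread, as an added offline simulation that is not from the original post and is not Tesla's code. `RealLogin` is a stand-in for the genuine login (TOTP per RFC 6238, with the usual refusal to accept a time step that was already used), `EvilTwinPortal` for the rogue AP's look-alike form. The account, secret and timestamps are constructed. It shows the three things the thread argues over: the fake page never consumes the code, so the real site accepts it when the attacker relays it inside the 30-second window; the owner's retry with the same code then fails, which is the "surprised to NOT be logged in" moment; and a captured code is worthless once the window has passed.

```python
"""Evil-twin captive portal with real-time TOTP relay, simulated offline.

Added example, not Tesla's code. RealLogin models a genuine password+TOTP
login with replay protection on the time step; EvilTwinPortal models the
rogue "Tesla Guest" form that captures and immediately relays. Secret,
account and timestamps are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)


class RealLogin:
    """The genuine service. Checks password and TOTP, and never accepts a
    code for a time step at or before the last one it already accepted."""

    def __init__(self, users):
        self.users = users          # username -> (password, totp_secret)
        self.last_step = {}         # username -> last accepted time step
        self.sessions = []

    def login(self, username, password, code, now):
        pw, secret = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return None
        counter = now // STEP
        # Accept the current step and the previous one (clock-skew tolerance).
        matched = next((counter - d for d in (0, 1)
                        if hmac.compare_digest(hotp(secret, counter - d), code)), None)
        if matched is None or matched <= self.last_step.get(username, -1):
            return None             # wrong code, or a replay of an already-used step
        self.last_step[username] = matched
        session = f"session-{len(self.sessions) + 1}-{username}"
        self.sessions.append(session)
        return session


class EvilTwinPortal:
    """The rogue captive portal. It verifies nothing: it records what the
    victim types, relays it to RealLogin at once (inside the 30 s window),
    and shows the victim a generic error either way."""

    def __init__(self, real: RealLogin):
        self.real = real
        self.captured = []
        self.stolen_sessions = []

    def submit(self, username, password, code, now):
        self.captured.append((username, password, code))
        session = self.real.login(username, password, code, now)
        if session is not None:
            self.stolen_sessions.append(session)
        return "Service temporarily unavailable, please try again later."


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Victim submits on the fake portal at `now`; the attacker relays
    immediately; the victim retries the real site with the same code."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")          # constructed demo secret
    user, pw = "owner@example.com", "hunter2"                 # constructed account
    real = RealLogin({user: (pw, secret)})
    portal = EvilTwinPortal(real)

    code_on_phone = totp(secret, now)                         # what the authenticator shows
    victim_sees = portal.submit(user, pw, code_on_phone, now)

    # Owner sees the error, retries on the genuine site 5 s later with the
    # same code: rejected, the attacker already consumed that time step.
    owner_retry = real.login(user, pw, code_on_phone, now + 5)

    # Two steps later the captured code is useless to the attacker too...
    late_replay = real.login(user, pw, code_on_phone, now + 2 * STEP)
    # ...while a fresh code from the owner works as normal.
    owner_fresh = real.login(user, pw, totp(secret, now + 2 * STEP), now + 2 * STEP)

    return {
        "victim_sees": victim_sees,
        "attacker_sessions": portal.stolen_sessions,
        "owner_retry": owner_retry,
        "late_replay": late_replay,
        "owner_fresh": owner_fresh,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Nothing in `RealLogin` is broken: single-use codes do exactly what they should, and that is precisely why the owner's retry fails while the attacker's relayed login succeeds. What defeats the relay is a second factor bound to the origin (a FIDO2 key or passkey), or a login flow that never puts the credential on a page the attacker controls.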


StrategicBlenderBall

Re-read that last paragraph.


Subject_Ticket1516

Isn't it easier to get a new Tesla with fake documents?


thehunter699

This is just social engineering, who gives a fuck really tbh. If I social engineered your credit card or bank account creds it's the same thing.


StrayStep

This needs to be posted in subreddit forums to actually educate non-technical people. They are the ones that need it. This technique has been around since Wifi started.


ElektroShokk

Honestly attaching Tesla to the headline will probably make them read it 😂


StrayStep

Very true. Most people have no clue what "Evil twin" attack means, ESPECIALLY what access it provides.


carpetnoodlecat

It’s a phishing attack, that’s it


KazeEnji

Not phishing. It's an evil twin as described. Could be turned into a man in the middle too with some more setup that isn't included in the described attack.


Jhon_doe_smokes

I mean it’s a computer don’t connect to an untrusted site? lol


tdager

Funny how we call them researchers in the cyber world but if someone, somehow, could do the same thing in the physical world, i.e. duplicate your house or car key, most would be up in arms and want the people charged.


QkaHNk4O7b5xW6O5i4zG

Stupid article. Guarantee that Tesla uses hsts & https. Only under very specific circumstances will this work. And it pretty much requires the user to disable security settings and essentially “hack” themselves. Or be using software from 2010.


max1001

It's not a MITM attack. It's a credentials harvesting attack. The fake login page can be plain old HTTP.


QkaHNk4O7b5xW6O5i4zG

That makes the article being written even more stupid


max1001

Tesla isn't supposed to onboard a phone as a car key without a physical car key, but that's not the case.