While unlocking vehicles with smartphone apps rather than physical keys offers real convenience, it also significantly expands the attack surface.
Security researchers have discovered a method that uses a $169 Flipper Zero device to deceive Tesla owners into relinquishing control of their cars to a malicious third party, enabling the attacker to unlock the vehicle and even drive it away.
Researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc have devised a method for fooling a Tesla owner into handing over their vehicle's login credentials. The attacker uses the Flipper Zero and a Wi-Fi development board to broadcast a fake "Tesla Guest" Wi-Fi network ("Tesla Guest" is the name of the guest Wi-Fi networks at Tesla service centers) with a spoofed login page, then uses the captured credentials to log into the owner's Tesla account and create new virtual "keys" for the car.
Everything that the owner enters into the fake login page – username, password, and two-factor authentication code – is captured and displayed on the Flipper Zero.
Here’s a walkthrough of the process.
https://yewtu.be/watch?v=7IBg5uNB7is
The attack also bypasses two-factor authentication: the fake login page asks for the one-time 2FA code as well, and the attacker relays it to the real Tesla login to get into the account. This does mean the attacker has to work fast, since the code is only valid for a short time after it is generated and must be requested and then used within that window.
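To make the timing constraint behind that real-time relay concrete, here is an added example that is not from the original article or from Mysk's research. It implements RFC 6238 TOTP with Python's standard library, models the fake captive portal capturing whatever the victim types, and replays the captured code against a verifier that accepts the usual plus or minus one time-step tolerance. The shared secret, the timestamps, the sample credentials and the tolerance value are constructed for illustration; Tesla's actual 2FA implementation and its acceptance window are not described in the article and are assumptions here.

```python
"""Added example: why a relayed 2FA code works only briefly (RFC 6238 TOTP)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
TOLERANCE = 1       # accept +/- one time step of clock skew (assumed, typical server setting)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 64-bit big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = STEP_SECONDS,
                digits: int = DIGITS, tolerance: int = TOLERANCE) -> bool:
    """Server-side check: the code must match the current step or one inside the tolerance window."""
    counter = int(unix_time) // step
    for c in range(counter - tolerance, counter + tolerance + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def capture_on_fake_portal(secret: bytes, victim_time: int) -> dict:
    """Models the fake 'Tesla Guest' captive portal: everything the victim types is stored verbatim.
    The victim's authenticator app produces the genuine TOTP for the moment they type it in."""
    return {
        "username": "owner@example.com",      # constructed sample input
        "password": "correct horse battery",  # constructed sample input
        "otp": totp(secret, victim_time),
        "captured_at": victim_time,
    }


def relay_succeeds(secret: bytes, captured: dict, attacker_delay: int) -> bool:
    """Attacker submits the captured username, password and OTP `attacker_delay` seconds later.
    Only the OTP's time step matters: the password does not expire, the code does."""
    return verify_totp(secret, captured["otp"], captured["captured_at"] + attacker_delay)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # hypothetical shared secret for the demo account
    t0 = 1_000_000                        # constructed capture time (seconds since epoch)
    captured = capture_on_fake_portal(secret, t0)
    for delay in (5, 45, 90):
        verdict = "ACCEPTED" if relay_succeeds(secret, captured, delay) else "rejected"
        print(f"replay {delay:3d}s after capture: {verdict}")
```

With the constructed capture time, a replay 5 seconds later lands in the same 30-second step and is accepted; 45 seconds later it is accepted only because of the one-step tolerance; 90 seconds later it is rejected. The window is the attacker's only constraint: a code a human can type into any page is relayable by design, which is why origin-bound factors such as FIDO2/WebAuthn resist this class of attack where TOTP does not.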
Will the physical key card that Tesla supplied you protect you from this attack? According to the user manual, it should, because this "key card is used to 'authenticate' phone keys to work with Model 3 and to add or remove other keys." But, according to Mysk, it does not: a new phone key can be added from the app without the card being presented.
Mysk said it approached Tesla for comment on this vulnerability and was told that the company had “investigated and determined that this is the intended behavior,” which is worrying.
Mysk recommends that Tesla make it mandatory to present the key card when creating new keys in the app, and that owners be notified whenever a new key is created.
While Mysk and Bakry are using a Flipper Zero here, there are plenty of other tools that could be used to carry out this attack, such as a Wi-Fi Pineapple or Wi-Fi Nugget.
I think writing that the Flipper Zero hacked the car instead of a vulnerability is a misrepresentation. It is the manufacturer's responsibility to fix such vulnerabilities, and not the SDR vendor's to limit the capabilities of its product.