Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. published a YouTube video explaining how easy it can be for hackers to run off with your car using a clever social engineering trick.
Here's how it works.
Many Tesla charging stations — of which there are over 50,000 in the world — offer a WiFi network typically called "Tesla Guest" that Tesla owners can log into and use while they wait for their car to charge, according to Mysk's video.
Using a device called a Flipper Zero — a simple $169 hacking tool — the researchers created their own "Tesla Guest" WiFi network. When a victim tries to access the network, they are taken to a fake Tesla login page created by the hackers, who then steal their username, password, and two-factor authentication code directly from the duplicate site.
Although Mysk used a Flipper Zero to set up their own WiFi network, this step of the process can also be done with nearly any wireless device, like a Raspberry Pi, a laptop, or a cell phone, Mysk said in the video.
Once the hackers have stolen the credentials to the owner's Tesla account, they can use it to log into the real Tesla app, but they have to do it quickly before the 2FA code expires, Mysk explains in the video.
One of Tesla vehicles' unique features is that owners can use their phones as a digital key to unlock their car without the need for a physical key card.
Once logged in to the app with the owner's credentials, the researchers set up a new phone key while staying a few feet away from the parked car.
The hackers wouldn't even need to steal the car right then and there; they could track the Tesla's location from the app and go steal it later.
Mysk said the unsuspecting Tesla owner isn't even notified when a new phone key is set up. And, though the Tesla Model 3 owner's manual says that the physical card is required to set up a new phone key, Mysk found that that wasn't the case, according to the video.
"This means with a leaked email and password, an owner could lose their Tesla vehicle. This is insane," Tommy Mysk told Gizmodo. "Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must factor in such risks in their threat models."
When Mysk reported the issue to Tesla, the company responded that it had investigated and decided it wasn't an issue, Mysk said in the video.
Tesla didn't respond to Business Insider's request for comment.
Tommy Mysk said he tested the method out on his own vehicle multiple times and even used a reset iPhone that had never before been paired to the vehicle, Gizmodo reported. Mysk claimed it worked every time.
Mysk said they conducted the experiment for research purposes only and said no one should steal cars.
At the end of their video, Mysk said the issue could be fixed if Tesla make physical key card authentication mandatory and notified owners when a new phone key is created.
Sources: Business Insider, Gizmodo