Security researchers demonstrate how Teslas can be stolen through phishing attacks

Two cybersecurity researchers have exposed a flaw in Tesla’s security framework, revealing how Tesla cars could be at risk of theft through simple phishing and social engineering tactics. Their research illustrates how owners can be easily tricked into giving up their Tesla account details, including the vital two-factor authentication code.

The vulnerability was demonstrated by Talal Haj Bakry and Tommy Mysk, of Mysk Inc. The pair’s experiment focused on the Tesla app’s reliance on an email and password for authentication, alongside physical proximity to the vehicle to establish a phone key.

Tesla used to require a physical key card to add a phone key, but removed this requirement in a software update last year. Now all that is required to add a phone key is proximity to the vehicle in question, making it much more convenient for owners to add a phone key than before.

However, this convenience comes at a security cost, compounded by an oversight in Tesla’s design: owners are not notified when a new device gains access to their vehicle’s data or controls.

When a new phone key is added, the owner receives no notification, either in the mobile app or in the vehicle. Ironically, notifications are sent when a phone key or key card is removed. This gap means that an attacker who has already obtained the owner’s account credentials can add a key and drive the car away without the owner ever being alerted.

The attack concept proposed by Bakry and Mysk is simple to carry out. By broadcasting a Wi-Fi network that emulates a legitimate Tesla network at a Supercharger station, attackers can serve a captive portal that mirrors Tesla’s official login page. Unsuspecting owners, believing they are connecting to a genuine Tesla service, enter their credentials, including their two-factor authentication code, and in doing so hand the attacker everything needed to take control of the vehicle.

The two-factor authentication code is only valid for 30 seconds, but according to the researchers that is more than enough time to carry out the attack, since the attacker uses the captured credentials and code to log in to the genuine Tesla service right away rather than saving them for later.

With the credentials in hand, the attacker can log in to the account and add their own mobile device as a phone key, since all that is required is proximity to the victim’s vehicle (easily arranged, as the attack is carried out at the Supercharger station where the car is parked).
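The timing argument above is easy to check with an RFC 6238 TOTP implementation. The block below is an added example, not code from the article or from Mysk Inc.: it builds a standard 30-second TOTP verifier that even enforces the single-use rule recommended by the RFC, and then plays through a constructed timeline in which the victim types the code into the fake portal and the attacker submits it to the real login ten seconds later. The shared secret, the timestamps and the `phishing_relay_scenario` helper are all constructed for the illustration; the point it shows is that single-use enforcement and a short validity window do nothing here, because the genuine service never saw the code before the attacker used it.

```python
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step, matching the 30-second validity described above

# Constructed values for the illustration (not real credentials).
SECRET = b"constructed-shared-secret-12345"
T0 = 1_700_000_010  # a step boundary (divisible by 30) so the timeline is easy to follow


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP over HMAC-SHA1 with a time-derived counter."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side verifier that tolerates +/- `window` steps of clock drift and
    follows the RFC 6238 recommendation never to accept a counter value twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # this code (or an older one) has already been used
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.last_counter = counter
                return True
        return False


def phishing_relay_scenario(secret: bytes, t0: int) -> dict:
    """Constructed timeline of the attack: the victim reads the code from their
    authenticator and types it into the fake portal at t0; the attacker relays it
    to the real service a few seconds later."""
    real_service = TotpVerifier(secret)
    victim_code = totp(secret, t0)  # what the victim typed into the phishing page

    # The real service has never seen this code, so the relayed login succeeds.
    relayed_accepted = real_service.verify(victim_code, t0 + 10)

    # Single-use enforcement now kicks in, but only against a second use of the
    # code. The attacker already has the session; this protects nothing.
    replay_rejected = not real_service.verify(victim_code, t0 + 12)

    # A code that is captured and held for later (here, 90 s) is rejected: the
    # attacker has to act inside the window, which is exactly what the relay does.
    stale_rejected = not TotpVerifier(secret).verify(victim_code, t0 + 3 * STEP)

    return {
        "relayed_accepted": relayed_accepted,
        "replay_rejected": replay_rejected,
        "stale_rejected": stale_rejected,
    }


if __name__ == "__main__":
    print(phishing_relay_scenario(SECRET, T0))
```

With a drift window of one step the genuine service accepts the code for the rest of the current 30-second step plus the whole of the next one, so the attacker's real budget is closer to a minute than to 30 seconds. The only second factor that survives this kind of relay is one bound to the origin of the page the user is actually on, which a code typed into a look-alike portal can never be.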

Even PIN to Drive, a safety feature that is strongly recommended to prevent someone from stealing your car, wouldn’t have prevented this scenario as the feature can simply be turned off within the mobile app.

Bakry and Mysk reported their findings to Tesla’s Product Security team, but since phishing attacks are out of the scope of the company’s Bug Bounty program, the pair have not been able to get Tesla to address the issue. In fact, the company has maintained that the behavior described is as designed.

“Thanks for the report. We have investigated and determined that this is the intended behavior. The “Phone Key” section of the owner’s manual page you linked to makes no mention of a key card being required to add a phone key,” Tesla’s Product Security Team wrote in an email.

According to Bakry and Mysk, Tesla could close the gap by reinstating the physical key card requirement for adding a phone key, and by notifying owners when a new key is added, not just when one is removed.

Without those changes in place, the best defense against an attack like this is to make sure you are on the authentic Tesla website before entering your credentials, and to treat any login page served up by a public Wi-Fi network with suspicion.

You can watch a video demonstrating the vulnerability below.
