With a Flipper Zero, researchers have shown that it is possible to unlock and steal a Tesla


Mélina LOUPIA

March 8, 2024 at 4:35 p.m.


A Flipper Zero and that's it - @ Iv-olga / Shutterstock

A recently discovered vulnerability in the Tesla app allows hackers to access Tesla accounts using a simple phishing attack via a Flipper Zero.

There is no denying the success of Tesla electric vehicles. But that success can come at a painful price for owners, to the benefit of hackers. Two security researchers recently demonstrated that a simple Man-in-the-Middle phishing attack, carried out from a Flipper Zero, could steal Tesla accounts and be used to unlock and start cars.

This security flaw, although not recognized as such by Tesla, represents a real danger for users.

Flipper Zero used to hack Teslas - @ Flipper Zero

As simple as it is formidable

For their research, Bakry and Mysk used a Flipper Zero, which Canada has banned due to the risk of vehicle theft, but they specify that the attack can also be carried out from a computer, an Android phone or a Raspberry Pi. They published their process in the video which you can see below.

According to Talal Haj Bakry and Tommy Mysk, two security researchers who shared their findings with Tesla, the security vulnerability lies in the process of pairing a new smartphone with a car. They managed to set up a deceptive Wi-Fi network and persuade Tesla owners to log in to a fake login page. Once they gain access to the account, they can locate the car in real time and, if nearby, generate a new digital key (Phone Key). This gives them the ability to unlock the car via Bluetooth and drive it.

The researchers pointed out that the owner does not receive any alert indicating that a new Phone Key has been generated, and that they were able to complete the entire procedure without the car being unlocked or the smartphone being present in the vehicle. They suggest that integrating Tesla’s physical key card into the registration process could improve security.


A known Tesla flaw

Requiring possession of a physical Tesla key card when adding a new phone key could increase security by introducing an additional authentication step for the new phone, the researchers say.

In their report to Tesla, Tommy Mysk and Talal Haj Bakry explained that they were able to add a second phone key to a new iPhone without the Tesla app requiring them to use a key card to authenticate the session on the new iPhone. They simply had to log in on the new iPhone with their username and password, and as soon as they gave the app access to location services, the phone key was activated.

In response to this, Tesla said that their investigation concluded that this was the expected behavior and that the Tesla Model 3 owner’s manual does not state that a key card is required to add a phone key.
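The researchers' suggestion (require the key card when a phone key is added, and alert the owner) can be sketched as follows. This is an added example, not Tesla's code or protocol: the `Vehicle` class, the HMAC challenge-response with the card and the alert list are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of phone-key enrollment; not Tesla's protocol or API.
class Vehicle:
    def __init__(self, card_secret: bytes):
        self._card_secret = card_secret   # assumed secret shared with the key card
        self._pending = set()             # challenges issued and not yet used
        self.phone_keys = []              # enrolled phone keys
        self.owner_alerts = []            # notifications sent to the owner

    def enroll_password_only(self, session_ok: bool, phone_id: str) -> bool:
        """Behaviour the article describes: account login suffices, no alert."""
        if not session_ok:
            return False
        self.phone_keys.append(phone_id)
        return True

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def enroll_with_card(self, session_ok: bool, phone_id: str,
                         nonce: bytes, card_proof: bytes) -> bool:
        """Hardened variant: login plus proof that the physical card was present."""
        if not session_ok or nonce not in self._pending:
            return False
        self._pending.discard(nonce)      # single use: an old proof cannot be replayed
        expected = card_tap(self._card_secret, nonce, phone_id)
        if not hmac.compare_digest(expected, card_proof):
            self.owner_alerts.append(f"rejected phone key request: {phone_id}")
            return False
        self.phone_keys.append(phone_id)
        self.owner_alerts.append(f"new phone key added: {phone_id}")
        return True

def card_tap(card_secret: bytes, nonce: bytes, phone_id: str) -> bytes:
    """What the key card would compute when tapped during enrollment (assumed)."""
    return hmac.new(card_secret, nonce + phone_id.encode(), hashlib.sha256).digest()
```

In this model a stolen account session alone no longer yields a phone key, and both successful and rejected enrollment attempts reach the owner.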


Source: Bleeping Computer