Researchers Demonstrate Tesla Theft Using Flipper Zero
Cybersecurity experts Talal Haj Bakry and Tommy Mysk have demonstrated a simple phishing attack using the Flipper Zero device that can compromise a Tesla account, unlock the car, and even steal it. The attack works even with the latest version of the Tesla app (4.30.6) and firmware version 11.1 2024.2.7.
The researchers reported the vulnerability to Tesla engineers, explaining that linking a car to a new mobile device lacks proper authentication. However, Tesla did not consider their report significant.
How the Attack Works
The attack developed by Bakry and Mysk is straightforward and was successfully tested on their own Tesla Model 3. An attacker can set up a Wi-Fi network named “Tesla Guest” at a Tesla charging station. This SSID is commonly seen at Tesla service centers and is familiar to Tesla owners.
Mysk used a Flipper Zero to broadcast the Wi-Fi network, though he notes that the same can be done with a Raspberry Pi or any device capable of creating a Wi-Fi hotspot.
Once the victim connects to the fake network, they are presented with a counterfeit Tesla login page, prompting them to enter their Tesla account credentials. Everything the victim enters on the phishing page is visible to the attacker in real time on the Flipper Zero.
Bypassing Two-Factor Authentication
After obtaining the credentials, the phishing page asks for the account's one-time password (OTP), allowing the attacker to bypass two-factor authentication. The attacker must log into the Tesla app using the stolen credentials before the OTP expires. Once inside the account, the attacker can track the car’s real-time location.
Adding a New Phone Key
The main issue is that access to the victim’s Tesla account allows the attacker to add a new Phone Key. To do this, the attacker must be physically close to the car—within a few meters.
The Phone Key feature uses the Tesla mobile app and the owner’s smartphone to automatically lock and unlock the car via a secure Bluetooth channel.
Tesla vehicles also use Card Keys—small RFID cards that must be held up to an RFID reader inside the car to start it. While these are more secure, Tesla treats them as a backup in case the Phone Key is unavailable or the phone’s battery is dead.
Mysk points out that adding a new Phone Key through the app does not require unlocking the car or having the smartphone inside, which significantly increases the risk. Moreover, after adding a new Phone Key, the Tesla owner does not receive any notification in the app, nor is anything displayed on the car’s screen.
With a new Phone Key, the attacker can unlock the car and activate any of its systems, allowing them to drive away in someone else’s Tesla.
Attack Limitations and Recommendations
There are some conditions for the attack to work. The compromised Tesla account must belong to the car’s primary driver, and the vehicle must already be linked to a Phone Key. Additionally, the owner’s phone with the Phone Key must be turned off or out of range of the car.
The researchers believe that adding a new Phone Key should require the physical Tesla Card Key, which would improve security and add another layer of authentication for new devices.
“I was able to add a second Phone Key to a new iPhone, and the Tesla app did not prompt me to use the Card Key to authenticate the session on this iPhone. I logged in on the new iPhone, and as soon as I allowed the app to access location services, it activated the Phone Key,” the researchers wrote in their report.
However, Tesla told Mysk and Bakry that the company had investigated and determined that this behavior is normal, noting that the Tesla Model 3 user manual does not state that a Card Key is required to add a new Phone Key.