Security experts Tommy Mysk and Talal Haj Bakry have unveiled a significant vulnerability in Tesla's security system, allowing for an alarmingly simple car theft. Utilizing a $169 device, the Flipper Zero, the duo demonstrated how Tesla vehicles could be compromised through a social engineering attack, exploiting the simplicity of creating a 'phone key' via the Tesla app.

Understanding the Exploit

By setting up a malicious WiFi network mimicking Tesla's own and crafting a fake Tesla login page, Mysk and Bakry were able to deceive victims into surrendering their Tesla account credentials. Once in possession of these details, including the two-factor authentication code unwittingly provided by the victim, attackers could gain full access to the Tesla app. This access enables them to remotely unlock and start the vehicle, effectively allowing them to steal the car without the owner's knowledge. Mysk's self-conducted experiment, using his vehicle, underscored the exploit's efficacy and the alarming ease with which it could be executed.

The Response from Tesla

Despite Mysk's outreach to Tesla, in which he reported the vulnerability through the company's vulnerability reporting program, the response dismissively characterized the issue as 'intended behavior.' This stance raises significant concerns about Tesla's commitment to user security and the potential for future exploitation. Tesla's current system does not require the physical key card to authenticate the addition of a new phone key, a loophole that Mysk argues should be closed to protect vehicle owners.