Tesla seems to believe that the researchers' proof-of-concept is not a significant concern.
A pair of security researchers has shown how social engineering can be used to theoretically duplicate a Tesla car’s app-based key and steal it, using nothing but a fake Wi-Fi login page. The duo, Talal Haj Bakry and Tommy Mysk from iOS app development outfit Mysk, have published a blog post detailing how they carried out a proof of concept. Although they do note that the attack can only be carried out if very specific conditions are met, they describe their idea as “not far-fetched”.
More interestingly, the duo says they did contact Tesla to warn it about this potential weakness, but received a response stating that everything was functioning as intended, which means Tesla doesn’t consider this a vulnerability or a significant enough threat to address. Tesla also does not count social engineering vulnerabilities as bugs.
The idea for the exploit came about when the researchers realised that anyone with a Tesla owner’s account username and password can enter and drive away with their car using the app as a key, even if two-factor authentication is enabled. Thus, all one has to do is steal the owner’s credentials. They managed to do this by creating a fake Wi-Fi login page which asks for their username and password, and then even asks for the user’s two-factor authentication code.
🎬 With the rise of social engineering and phishing attacks thanks to #AI, Tesla fails to recognize them as a threat. We created a short demo showing the limits of what an attacker can do with the stolen credentials of a Tesla account.
SPOILER ALERT: No limits
Tesla says it's… pic.twitter.com/CTzOjvpjke
— Mysk 🇨🇦🇩🇪 (@mysk_co) March 7, 2024
A malicious actor would have to be stationed near the Tesla vehicle they intend to steal, so the researchers came up with the idea of staging their attack at a Tesla Supercharging station where it would not be uncommon for multiple owners to be in proximity to each other for some time.
Using the innocuous name Tesla Guest as the Wi-Fi SSID, the pair suggest that users will not doubt that it is a legitimate, official Wi-Fi access point. The company uses the same name for customers to connect to at its service centres. The fake sign-in screen was designed to resemble the one users might already be familiar with seeing when waiting for their cars to be inspected or repaired.
Of course, the credentials that a user types into the fake portal will be delivered immediately to the attacker. The process is time-sensitive because a two-factor code also needs to be captured and used by the attacker within 30 seconds. The Mysk blog post shows screenshots of Tesla’s official service centre sign-in page and the fake one that they created.
Mysk’s blog post notes that Tesla owners don’t receive an immediate notification that someone else has signed in to their account. The attacker can sign in to the app, see real-time telemetry from the car, and even change the owner’s credentials. In order to steal the car, they must be physically close to it and activate a key in the Tesla app, but this also turned out to be simple enough to do at a Supercharger. They can then follow the owner or wait for an opportune moment to use their key and make off with the car.
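The gap the researchers point to is that a sign-in from a new device followed by a phone-key enrollment produces no immediate owner notification. The following is an added example (not Tesla's code, not from the Mysk post) of the kind of correlation rule a defender could run over account events to surface exactly that chain; the event format and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    device: str
    kind: str  # "login" or "phone_key_added" (constructed event kinds)

def key_enrollments_from_new_devices(events, window=timedelta(hours=1)):
    """Return (account, device, time) for every phone key enrolled by a device
    whose first login on the account is less than `window` old, while another
    device already had a longer-standing login on that account. The second
    condition keeps a brand-new owner's first pairing from raising an alert."""
    first_login = {}  # (account, device) -> timestamp of first login seen
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.account, e.device)
        if e.kind == "login":
            first_login.setdefault(key, e.ts)
        elif e.kind == "phone_key_added":
            seen = first_login.get(key)
            new_device = seen is None or e.ts - seen < window
            established = any(a == e.account and d != e.device and e.ts - t >= window
                              for (a, d), t in first_login.items())
            if new_device and established:
                alerts.append((e.account, e.device, e.ts))
    return alerts

# Constructed sample events (not real Tesla logs): the owner pairs a phone at
# first setup; a week later a second device signs in and adds a key within minutes.
T = datetime.fromisoformat
SAMPLE_EVENTS = [
    Event(T("2024-03-01T09:00:00"), "owner@example.com", "owner-phone", "login"),
    Event(T("2024-03-01T09:05:00"), "owner@example.com", "owner-phone", "phone_key_added"),
    Event(T("2024-03-07T14:02:10"), "owner@example.com", "unknown-phone", "login"),
    Event(T("2024-03-07T14:05:30"), "owner@example.com", "unknown-phone", "phone_key_added"),
]

if __name__ == "__main__":
    for account, device, ts in key_enrollments_from_new_devices(SAMPLE_EVENTS):
        print(f"notify {account}: phone key added from {device} at {ts:%Y-%m-%d %H:%M}")
```

Only the second enrollment is flagged; the owner's own first-time pairing passes because no other device had an established login at that point.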
While the researchers did control all aspects of their experiment, including the “victim” car, they suggest that the proof-of-concept could actually be used in the wild. They also highlight that Tesla dismissed their concerns despite the owners’ manual stating that a physical keycard is needed to authenticate phone keys, which would have mitigated their strategy. Not only that, but a phone key can override the car’s PIN security requirement. The researchers’ post has now gone viral online, across social media and multiple discussion forums, so it remains to be seen whether Tesla will take it more seriously.