A recent demonstration by researchers has revealed a potential security vulnerability in Tesla vehicles that could allow hackers to compromise accounts and unlock cars using a Man-in-the-Middle (MiTM) phishing attack.
The attack, which was demonstrated using the latest Tesla app and software versions, involves creating a fake Tesla login page on a spoofed Wi-Fi network. By using devices like the Flipper Zero, hackers can steal credentials, bypass two-factor authentication, track vehicle location in real time, and even add a new ‘Phone Key’ without the need for physical authentication.
Although the researchers reported their findings to Tesla, the company has dismissed the issue as being out of scope. In response, the researchers recommend adding an additional authentication layer to prevent such attacks.
Tesla has defended its position, stating that adding a new Phone Key without physical authentication is intended behavior and is not mentioned in the owner’s manual.
Tesla has not responded to inquiries from BleepingComputer asking for comment on security measures to prevent such attacks.
This revelation raises concerns about the security of Tesla vehicles and the potential risks associated with unauthorized access. As technology continues to advance, it is crucial for companies to prioritize the security of their products to protect customers from potential threats and vulnerabilities.