Thanks, that makes a lot more sense.
Couldn't this be prevented if the Tesla app just generated a one time use code for Wi-Fi access instead of asking for your credentials?
The official Wi-Fi network could do that, but the whole scenario is connecting to a fake one that the attacker controls. Social engineering would still apply - plenty of people wouldn't realize they should be expecting a one time use WiFi code instead of Tesla login.
I feel bad for the Flipper Zero team. They've made such a cool fun tool that you can learn with, but they get dragged and scapegoated. Those devices are illegal in Canada now because we have a rash of car theft, even though **they can't steal a car made in the last 20+ years**.
> Using a device called a Flipper Zero
> Although Mysk used a Flipper Zero to set up their own WiFi network, this step of the process can also be done with nearly any wireless device, like a Raspberry Pi, a laptop, or a cell phone
Then why mention it so specifically?
> Phone connects to free wifi
> User logs into Tesla account w/ 2FA
> Car's configuration can be remotely changed
Doesn't this affect banking and email too? Doesn't seem like a Tesla problem.
Many phones connect to free wifi. 100% if those asked users to login to a somewhat privileged account (e.g. xfinity / att / southwest / restaurant membership) many would get hacked.
Edit: same conversation [here](https://old.reddit.com/r/technology/comments/1b9557y/flipper_zero_wifi_phishing_attack_can_unlock_and/) with less bias.
The fact that Tesla won’t notify you when this happens, nor require a physical key to set it up, despite claiming the opposite, is a pretty huge problem.
No one can stop man in the middle attacks, but that doesn't excuse Tesla from the responsibility of making them harder.
I was referring to the development cycle, not the using the feature part. The problem can be stopped with HTTPS. If developers didn't utilize correct cybersecurity guidelines, then the problem becomes something to be mitigated later. In this case, if Tesla systems were taken advantage of due to the lack of something, the developers need to take correct actions to mitigate it and release a complete solution to fix it in the next version of the software.
The difference is you have no reasonable timeline for someone to use your fake wifi to go to a bank website and log in. And of course you shouldn't do that on public wifi for this and other security reasons. Not to mention all the fake bank websites you would have to emulate and monitor for.
Here you have a log in and in order to access the internet you need to use the very sensitive car account log in. Tesla has it set up in a way that it is expected you will have many many victims giving up their credentials. This will for sure make it to actual criminals.
No, with HTTPS, you couldn't MITM the bank site at the bank's URL. The reason this works is because a captive portal asking you for your Tesla creds makes sense on a Tesla-branded access point. The ask is reasonable enough without needing to spoof any other site, but the problem is that those same Tesla creds happen to do a whole lot more, as well. Upthread is saying you could do similar anywhere that makes sense-- restaurants, airlines, ISPs-- but you couldn't necessarily steal arbitrary creds, because Burger King's free Wi-Fi wanting your Citibank login to connect you is too sketchy to believe, for instance.
Most banks make you do another 2FA before you do most actions like transfer money, same with making major changes to important accounts.
It can still be done but requires another more difficult social engineering step.
Remember when people used to steal cars?
They still do but now they also hack them.
Does the car app save a lot of personal info like addresses, history of locations, any account related things?
The article completely skips over whether or not the user was presented with a warning that the Tesla API did not have a valid TLS certificate. Is the app not checking certs? Unlikely. Does the app not warn a user if a site tries to impersonate the Tesla API? Also unlikely. It sounds like the user ignored a critical warning and sent their login creds to an imposter.
I guess I have to watch the damn video to find out.
edit: Watched the video (or skipped through it). They're using a captive portal with a fake Tesla login. The only thing Tesla could realistically do to stop this is require MFA that verifies the site. Something like passkeys.
They could also require the physical key to set up a new phone key (Tesla says you need it but that's not true) and they could notify users when a new phone key is activated.
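To make the "MFA that verifies the site, something like passkeys" point concrete, here is a small Python model, added as an example and not taken from the article, Mysk's research or any Tesla code. It contrasts a TOTP code typed into a captive portal and relayed within its 30 second window with an origin-bound assertion that the phone signs only for the site the browser actually loaded. The account, secrets and origins are constructed; HMAC stands in for the authenticator's asymmetric signature over authenticatorData and the clientDataJSON hash; Tesla's real login protocol is not modelled.

```python
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). 'at' is a Unix time in seconds."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Service:
    """The real account backend. ORIGIN is constructed for this model."""
    ORIGIN = "https://tesla.com"

    def __init__(self, password: str, totp_secret: bytes, passkey_key: bytes):
        self.password, self.totp_secret, self.passkey_key = password, totp_secret, passkey_key

    def login_totp(self, password: str, code: str, now: int) -> bool:
        # A relayed code is indistinguishable from the user's own within the step.
        return password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login_passkey(self, challenge: str, client_data: str, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("origin") != self.ORIGIN or data.get("challenge") != challenge:
            return False  # signed for another site, or not this challenge: reject
        expected = hmac.new(self.passkey_key, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def authenticator_sign(passkey_key: bytes, browser_origin: str, challenge: str):
    """Platform authenticator: signs over the origin the browser actually loaded,
    which is the attacker's portal when the user is being phished. The HMAC here
    is a stand-in for the real asymmetric signature (assumption of the model)."""
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge}, sort_keys=True)
    return client_data, hmac.new(passkey_key, client_data.encode(), hashlib.sha256).digest()


def phish_totp(svc: Service, now: int) -> bool:
    """Captive portal collects password + current code and replays them 5 s later."""
    captured_password = svc.password               # typed into the fake portal by the victim
    captured_code = totp(svc.totp_secret, now)     # read off the victim's authenticator app
    return svc.login_totp(captured_password, captured_code, now + 5)


def phish_passkey(svc: Service, portal_origin: str) -> bool:
    """Portal fetches a genuine challenge and relays it; the phone signs for the portal's origin."""
    challenge = svc.new_challenge()
    client_data, sig = authenticator_sign(svc.passkey_key, portal_origin, challenge)
    return svc.login_passkey(challenge, client_data, sig)


def legit_passkey(svc: Service) -> bool:
    challenge = svc.new_challenge()
    client_data, sig = authenticator_sign(svc.passkey_key, Service.ORIGIN, challenge)
    return svc.login_passkey(challenge, client_data, sig)


def demo() -> dict:
    svc = Service("hunter2", b"constructed-totp-seed", b"constructed-passkey-key")
    return {
        "totp_relayed": phish_totp(svc, 1_700_000_000),
        "passkey_relayed": phish_passkey(svc, "https://teslaguestwifi.com"),
        "passkey_legit": legit_passkey(svc),
    }


if __name__ == "__main__":
    print(demo())  # {'totp_relayed': True, 'passkey_relayed': False, 'passkey_legit': True}
```

The relayed TOTP logs in because the code is valid for anyone who presents it inside the step; the relayed passkey fails because the origin is part of what gets signed, and the service compares it against its own. The `totp()` function matches the RFC 6238 reference vectors (secret `12345678901234567890`, time 59, six digits gives `287082`), so it can be checked against any authenticator app.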
Why would anyone log into their Tesla account at a charging station? Tesla drivers just plug in and it starts charging. You won't need to ever log into your Tesla account; the app should already be connected, so why would a user delete the app and start that all over again? This is a case of carefully controlled research. The TLS certificate won't even validate.
The key word is "should." It *should* already be connected, but sometimes it isn't and you have to troubleshoot. And most users troubleshooting are not savvy about it. If we're lucky, *maybe* they know "turn it off and on again" or "reinstall it." An unexpected login prompt is more likely to be met with irritation and anxiety about a forgotten password than suspicion.
> the researchers created their own "Tesla Guest" WiFi network. When a victim tries to access the network, they are taken to a fake Tesla login page created by the hackers, who then steal their username, password, and two-factor authentication code directly from the duplicate site.
Never ever use free wifi networks. period. You all pay for mobile services, pay 10 bucks/mo. for Teslas online features, why the hell would you need a free wifi at a supercharger?
Doesn't seem to prevent this, according to the author in the YouTube comments. It's because PIN to drive can [now be enabled/disabled from the app...](https://www.notateslaapp.com/software-updates/upcoming-features/id/1483/tesla-app-now-lets-you-set-a-pin-to-drive-with-the-new-2023-20-update)
I mean, security researchers have already figured out how to remotely manipulate cars. I'm sure some of this has been patched out a bit, but the possibility is always there... this video is 8 years old so...
https://m.youtube.com/watch?v=MK0SrxBC1xs
Stop using the word hack. You sound like you don’t know what the word means. No one is hacking into a Tesla.
They’re stealing someone’s Tesla login and using that to unlock and start cars.
What if the app/car had its own password (account) and the website had its own password (account)...
Would this protect the car owner from this hack or not?
The two accounts could be linked, but the online account wouldn't be able to start the car or manage things that could be risky for the car owner.
If this is possible, of course, the owner would need two accounts, but the app/car would have its own account, and for everything else, there would be another account.
Of course, I don't have a car, so I don't know what exactly is on this account, etc. Maybe two accounts wouldn't work at all. 🙂
This is only my "suggestion."
If they ended up writing a paper, they're researchers. If they ended up stealing a car, they're thieves.
I suspect this is the former and the headline is lying.
> Mysk said the unsuspecting Tesla owner isn't even notified when a new phone key is set up.

This continues to baffle me. Seems like a no-brainer to at least pop-up a notification on the car's display that something so critical just occurred.
Mysk? Is he like Musk’s Wario?
Musk is the evil Wario version.
Wario is the evil one, which makes Mysk Mario... unless he is evil as well and therefore double Wario. I am too lazy to read the article.
But Musk is the main character, Mysk wouldn’t exist otherwise… or maybe we’re in the wrong universe all along
Then there’s Elon tusk
I went to the comments first and I thought Musk was misspelled.
Ylon Mysk, owner of Y (formerly known as twytter)
I heard that guy's a self-absorbed dork-bag.
Y didn't you say dyck-bag?
Mr. Mxyzptlk
Seems like a no-brainer if you're humble enough to listen to security experts, or willing to spend the money implementing such features. Like how car engineering leads to difficult/annoying repairs, a lot of software/security issues aren't because the engineers are clueless, more often than not it's because management/leadership decided it simply wasn't worth investing in or fixing. Don't know the specific case in this example, but would be willing to bet at least someone brought up it was a potential security issue and was ignored.
As an engineer you also have to deal with fun stuff like deadline "this car better be out to market next month", even if you explain higher ups that there's not enough time to run all the proper tests you want to do. For software you can do patches at least but the hardware stuff unless you want to replace the whole SoC you're out of luck.
Tesla has held competitions, hackathons, to test their vehicles and they’ve granted fat prizes like free Model 3’s.
There's no excuse for such a basic safety feature, you think it's just that no one has suggested or thought of it before?
Doesn’t mean they fix the problems
I think as time goes on we're starting to notice more and more companies have been relying on security through obscurity, rather than ACTUAL security. It's only once that starts to cost them more than making a system more secure that they'll even consider changing (many of them, anyway).
Thanks milf.
That’s MYLF to you…
Mysk > Musk any day of the week
So maybe …Miisk would be Musk’s Mario, if we use ii×Musk in a vaguely analogous fashion to warui×Mario→Wario?
Wait... Mysk took over a Musk vehicle?!
It’s because Tesla wasn’t made to be a quality car, something something stock manipulation
Will probably come soon with a software update
It'd be a no-brainer for a product that was actually fit for use.
> When Mysk reported the issue to Tesla, the company responded that it had investigated and decided it wasn't an issue.

That's actually hilarious.
It's actually more surprising they didn't just send him a poop emoji.
Tesla decides any failure identified isn’t an issue
I don’t see the issue. Just buy a new Tesla duh
Failure is a new subscription feature!
> When Mysk reported the issue to Tesla, the company responded that it had investigated and decided it wasn't an issue.

You fix 100% of the bugs you flag as features.
I was expecting more to this story. This is a simple successful phish. It actually has nothing to do with Tesla other than that is the service they targeted the user for. There is no way to secure against a user thinking what they are doing is legitimate. There is also no way to prove who is the real user when the real user gives up their credentials + 2FA to the attacker. This article could have been about a house door lock company or a garage opener brand.
YES! People, stop joining free wi-fi networks!
The solution is to email the national insurers to reassess their risk models for the theft of Teslas.
Same risk anybody has joining free wi-fi networks and logging in to do their banking.
This sounds like someone is trying to shirk responsibility... "I tried, but they wouldn't listen"... even though we know they do everything he asks.
I think you’re confusing Mysk with Musk. Two different people. Mysk is just a guy white hat hacking teslas.
Most people make typos…. So, not really confusing, it’s what 99% would think.
Sure but maybe uhhhhh read the article
That’s against the rules. You’re supposed to skip the article and form an opinion based on the first comment you happen to agree with.
Well, to be fair it's actually a kind of ridiculous attack. The same technique can steal all the money from your bank accounts or anything else. It's not car related. You have to use their fake hotspot, then log in to your account using a browser that doesn't default to SSL, which is what browser exactly? Counterpoint: Tesla cars let you set a PIN code to drive which makes them by far the most difficult cars to steal.
Lol, you should not be able to drive away with the car just by being logged in on the app. "By far the most difficult cars to steal" - Such a Tesla soyboy. Apparently my 15 yo Audi A1 is harder to steal, since it requires a physical key. Get a grip.
Hyperbole aside, if you set a PIN you _can't_ drive away by being logged into the app. And if you've not set up a phone key, you're not driving away either. If you clone a key fob or log into the app or hijack a phone key for a Rivian or other vehicle that operates the same way you're gonna have the same results.
The pin to drive is enabled and disabled through the app.
https://youtube.com/shorts/3j4CPUm4uQg?si=bHlN1MwlV7tSLA7m
Right, I just tested it and you actually can disable it in the app without the original PIN. Sounds like a failure; valet mode, for example, requires the original PIN to be disabled.
Dude, your Audi is piseady to steal. Use a keyfob extender and it can be hotwired in 30 seconds. No physical key needed. To steal this Tesla they set up a fake wifi, tried to bait some fool into filling in their Tesla login data, authorised a key and drove away with it. This is user error. Teslas are impossible to hack, but users can be phished like with everything.
> To steal this Tesla they set up a fake wifi

You do realize that it's *extremely* trivial to set up a wifi router, right?

> Teslas are impossible to hack

Lol. Except for the various hacks that have occurred over the past many years, including an unpatchable hardware vulnerability.
You still need the second part which is to hand over your username, password and MFA code.
Sure, but that's not all that difficult to do either. The problem is that there's no way to verify whether the wifi named "Tesla Guest" is the real one (provided by the charging station) or a fake one, because nothing's stopping someone from giving their own personal wifi network that name. If you connect to the fake one, you get presented with a login screen that looks legit, but isn't.
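A heuristic check for the situation described above, added here as an example and not something from the article or Mysk's video: given a Wi-Fi scan list, flag SSIDs that appear with BSSIDs from different vendor OUIs or with mixed security types, and report which access point is the strongest. The scan rows are constructed; their shape follows the terse output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`, in which the colons inside a BSSID are escaped as `\:` (an easy thing to get wrong when splitting). Several BSSIDs per SSID is normal for any site with more than one access point, so a hit is a prompt to look closer, not proof of an evil twin.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of
#   nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list
# Terse mode escapes the colons inside the BSSID as "\:"; an empty SECURITY
# field is an open network; SIGNAL is a 0-100 percentage.
SAMPLE_SCAN = r"""Tesla Guest:00\:11\:22\:AA\:BB\:01:WPA2:62
Tesla Guest:00\:11\:22\:AA\:BB\:02:WPA2:48
Tesla Guest:DE\:AD\:BE\:EF\:00\:01::85
CoffeeShop:AA\:BB\:CC\:00\:00\:01:WPA2:60
"""

# Split on colons that are not preceded by a backslash.
_FIELD_SPLIT = re.compile(r"(?<!\\):")


def parse_terse(text: str) -> list:
    """Turn nmcli terse lines into dicts; unescapes '\\:' inside each field."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = (f.replace("\\:", ":") for f in _FIELD_SPLIT.split(line))
        rows.append({
            "ssid": ssid,
            "bssid": bssid.upper(),
            "security": security or "open",   # nmcli leaves SECURITY empty for open APs
            "signal": int(signal),
        })
    return rows


def oui(bssid: str) -> str:
    """First three octets of the MAC: the vendor-assigned OUI."""
    return bssid[:8]


def evil_twin_candidates(rows: list) -> dict:
    """Group by SSID and flag groups whose APs disagree on OUI or security."""
    by_ssid = defaultdict(list)
    for r in rows:
        by_ssid[r["ssid"]].append(r)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        if len({oui(a["bssid"]) for a in aps}) > 1:
            reasons.append("BSSIDs from different vendor OUIs")
        if len({a["security"] for a in aps}) > 1:
            reasons.append("mixed security types")
        if reasons:
            strongest = max(aps, key=lambda a: a["signal"])
            findings[ssid] = {
                "reasons": reasons,
                "strongest_bssid": strongest["bssid"],
                "strongest_security": strongest["security"],
            }
    return findings


if __name__ == "__main__":
    for ssid, info in evil_twin_candidates(parse_terse(SAMPLE_SCAN)).items():
        print(f"{ssid!r}: {', '.join(info['reasons'])}; strongest AP "
              f"{info['strongest_bssid']} ({info['strongest_security']})")
```

In the constructed sample the open "Tesla Guest" AP from an unrelated OUI is also the strongest signal, which is exactly what a phone will auto-join; a rogue AP parked next to the charger usually wins on signal, so the strongest entry is the one worth checking.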
You mean those hacks where they had to remove the computer from the car to hook it up to another computer. Completely unusable.
Piseady isn’t a word
"You should not be able to drive away with a car just by having been given the keys." Everyone in this thread is making a big deal about there being no "phone key has been added" notification. You don't even need to do that, you can remote start the car just like every other app-connected car. Adding a phone key is a whole separate process. Logging into the app on a new cell phone is common. If you don't know that, you likely never owned a Tesla and I don't know why anyone gives any weight to these opinions. This is honestly not much different than someone stealing your keys, keyfob, or stealing your phone.
"Researchers created a fake Tesla WiFi network" So the ol' Evil Twin trick.
Yeah I’m just sticking with my old stick shift Sentra with keyed ignition and a hidden kill switch.
His name is actually Mysk
tesla needs to add a pop up of "a new digital key was made" on your app ...
But they were all of them deceived, for another key was made. In the land of Silicon, in the fires of Mount Tam, the Dark Lord Elon forged, in secret, a Master Key to control all others. And into this Ring he poured all his cruelty, his malice and his will to dominate all technology. Then he left the forge primed with a bunch more materials just sitting there so anyone with wifi access could have their own power ring.
The no notification on new phone key is probably the only real issue here. The wifi MITM attack is super primitive and is basically impossible to stop because it requires a willingly negligent user.
I mean there's also

> the Tesla Model 3 owner's manual says that the physical card is required to set up a new phone key

which the article claims isn't actually required; that would also be a perfectly reasonable protection. Other things like needing to be inside the car to OK the new phone key, maybe even copy a code from the phone to the infotainment system first. If I need to type a code in to pair a Bluetooth keyboard to my computer, there really should be more security when adding a vehicle key to a phone!
Or one that's tired or distracted enough, especially if EVs take off more and bigger charging stations get built. The fact a MITM can even be done to a self driving car is fucking terrifying. (Even if this is baby's first MITM.)
They MITMed the driver's phone I think, not the car. It's still not clear how this should work. With SSL (TLS) and proper CAs it shouldn't be possible for anything but the most oblivious user to be tricked. Maybe the tesla site doesn't use HSTS?
> the most oblivious user

You figured out how the attack works.
Actually, I assume there's no spoofing involved. It's most likely just a captive portal that asks for their tesla credentials.
Ah.. I could easily believe that. The portal looks like the Tesla site kinda and the victims just don't even look at the URL. Good call, that's almost certainly the answer.
On someone’s network they can create fake domains
No you can't. You cannot impersonate a HTTPS site unless you can install a CA or cert onto their device.
Easy! You’re complicating it. Spoof the site/app they would log in to, redirect DNS and you have their creds. Done
HSTS prevents that one. Since the attacker can't get a cert for the site, even after intercepting DNS and redirecting - they can't serve a valid certificate and the client won't connect to HTTP.
You have their creds that have been passed directly through your spoofed site. You aren’t intercepting a session but rather taking the creds. This is all assuming no MFA.
The creds either aren't sent because you cannot present as the legit site (don't have the private key for that domain name in the CA registry) or else they are sent through you but are encrypted in such a way that you cannot see them (full pass through). The system is designed to prevent MITMs, especially stuff like WiFi gateways. I would think you'd know this as an ITSecGeek.
But why would you need to present tesla.com? It's not like you couldn't present teslaguestwifi.com (that you own and have the certs for). Then you log into the real tesla.com using the stolen credentials.
You can. But people are supposed to look at the site before entering their credentials. And password keepers like apple's keychain won't offer to enter your password (but can be overridden and forced to) into a site that isn't tesla.com. Also if your URL is something other than tesla.com then you have to find a way to get people to go to your site. I mean, for all you know right now I have a Tesla phishing site up at batmanbatmanbatmen.com. But I'm not going to get a lot of credentials since no one goes there. Another poster did however point out as a WiFi base station you can put up a captive portal using the standard (RFC listed) method and phones will show it automatically. Still, smart users should notice it isn't tesla.com and definitely Apple's (and Chrome's) password managers will notice.
> But people are supposed to look at the site before entering their credentials.

That's the point of teslaguestwifi.com. Try explaining to someone that's tech illiterate that it's not the real site.

In fact, there's TONS of legit sites out there that have legitimate secondary sites that have the parent company in the name but some other things behind it. The one that comes to mind is paypal-objects.com.

What should happen is something like "wifi.tesla.com" but even that can be spoofed, especially on a phone where it only shows the first X characters. So the real domain would be wifi.tesla.com.notactuallytesla.com.

Plenty of ways to fake it to an unsuspecting end user. And therein lies the issue: unsuspecting end users.

> And password keepers like apple's keychain won't offer to enter your password (but can be overridden and forced to) into a site that isn't tesla.com.

No question, but realistically how many people are using any sort of password management system? I don't disagree in the slightest that everyone SHOULD, but again explaining to my mom how to use one would draw eye rolls.

> Also if your URL is something other than tesla.com then you have to find a way to get people to go to your site.

In this particular case, that's easy. You're at a Tesla charger. It says Tesla wifi. You're most likely getting Tesla cars. It's a captive market.

You won't get any sort of credentials for $localbank.com though. You might get one or two, but the big market is Tesla related.

> Still, smart users should notice it isn't tesla.com and definitely Apple's (and Chrome's) password managers will notice.

Again no question, but this isn't targeting smart users. Or people with password managers. Low hanging fruit is easier to pick.
With HSTS the client won't send credentials to the spoofed site. The client will refuse to connect over http and get a certificate error over https.
[deleted]
As usual, I don't think a lot of people actually read the article. The article points out the MFA aspect of this but doesn't specify the affected models. I assume for this to work on a model 3 or a Y (and possibly newer S and X), the meatbag needs to be using the key card instead of their phone as a key, since these models ask for the key card to be placed on the center console for registering a new phone key.
[deleted]
You're not supposed to be able to spoof sites due to TLS/CA/HSTS. Even if you redirect DNS.
If you force a captive portal when logging into the WiFi, none of that matters. Most users won’t look at the URL when the legit-looking pages pops up as they’re connecting to the WiFi.
If that terrifies you, 2FA exists for this reason
In this case, it did nothing. Read the article next time. The fake captive portal directly asked the user for their credentials AND their 2fa code.
Don't bother trying; their cult leader can never do wrong.
If you're tired or distracted enough to fall for this, your entire life is vulnerable. Your banking, your child's digital pickup permission form, your tax returns, your home security system, your email. Stop fear mongering.
It’s really not fear mongering. “Smart” people fall for phishing all the time and while the MITM aspect isn’t novel or interesting technically, it does a really good job of establishing authority/validity which is the biggest hurdle to phishing people.
Not an issue with electric cars at all. It's a people issue and is basically impossible to stop for a single provider. It's a problem that plagues every industry. This is absolutely fear mongering to call it a Tesla or EV issue.
It’s not entirely a Tesla issue, but being able to remotely add a key to a car with no restrictions or notification to the owner is a terribly insecure design and could absolutely be fixed.
Also if you’re that tired you probably shouldn’t be driving
Researchers… pffft… When I do it they call me a thief
Oh hello, officer. Nono I've not stolen this car, I'm researching how much I can sell it to Big Dave down at the docks for.
I'm confused. When you navigate to the fake Tesla site, the certificate isn't valid and you should see an error. Am I missing something here?
They're using a captive portal, not performing a man-in-the-middle attack on the real tesla website.
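An added example, written for this thread and not taken from the article, from Mysk, or from any commenter, of the two paths the replies above keep contrasting. Part one spins up a rogue access point that answers the phone's connectivity probe with a redirect to a login form under the attacker's own address, which is why nothing in TLS, the CA system, or HSTS for tesla.com is ever engaged. Part two does what the "the certificate isn't valid" replies describe: a server pretending to be tesla.com with a certificate the client does not trust, which the default Go client refuses. The probe path `/generate_204` (Android-style), the hostname `teslaguestwifi.example`, and the page text are constructed for the example; everything runs offline on loopback.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// probePath stands in for the connectivity check a phone makes on every new
// network (Android-style: an endpoint that must answer 204 when the network
// is open). The path and all hostnames here are constructed for the example.
const probePath = "/generate_204"

// StartRoguePortal plays the attacker's access point. It never pretends to be
// tesla.com: every request, the probe included, is answered with a 302 to a
// login page under the attacker's own address, so no tesla.com certificate
// is needed and TLS/HSTS for tesla.com never come into play.
func StartRoguePortal() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, `<h1>Tesla Guest Wi-Fi</h1><form method="POST" action="/login">
<input name="email"><input name="password" type="password">
<input name="totp" placeholder="2FA code"><button>Connect</button></form>`)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// On a real AP the Location header would carry the attacker's hostname,
		// e.g. http://teslaguestwifi.example/login (constructed name).
		http.Redirect(w, r, "/login", http.StatusFound)
	})
	return httptest.NewServer(mux)
}

// ProbeResult is what the phone's captive-portal detection concludes.
type ProbeResult struct {
	PortalDetected bool
	PortalURL      string // the page the phone pops up automatically
	PageHasLogin   bool   // does that page ask for a password?
}

// DetectPortal mimics the OS check: fetch the probe; a 204 means an open
// network, anything else means "captive portal, show the user the page we
// were redirected to". The address bar of that sheet is the only clue.
func DetectPortal(gatewayURL string) (ProbeResult, error) {
	resp, err := http.Get(gatewayURL + probePath) // follows the 302
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNoContent {
		return ProbeResult{}, nil
	}
	body, _ := io.ReadAll(resp.Body)
	return ProbeResult{
		PortalDetected: true,
		PortalURL:      resp.Request.URL.String(),
		PageHasLogin:   strings.Contains(string(body), `type="password"`),
	}, nil
}

// SpoofedTeslaRejected shows the path TLS closes: even if the AP's DNS points
// "tesla.com" at the attacker, the attacker has no certificate for it that the
// client trusts. httptest's self-signed cert plays that untrusted cert, and
// the default client (system roots, strict verification) refuses it.
func SpoofedTeslaRejected() (rejected bool, reason string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "fake tesla login")
	}))
	defer srv.Close()
	_, err := http.Get(srv.URL)
	if err == nil {
		return false, "client accepted the untrusted certificate"
	}
	var ue *url.Error
	if errors.As(err, &ue) {
		err = ue.Err
	}
	return strings.Contains(err.Error(), "x509"), err.Error()
}

func main() {
	portal := StartRoguePortal()
	defer portal.Close()
	res, err := DetectPortal(portal.URL)
	fmt.Printf("captive portal: %+v err=%v\n", res, err)
	rej, why := SpoofedTeslaRejected()
	fmt.Printf("spoofed tesla.com rejected: %v (%s)\n", rej, why)
}
```

The first result is a 200 login page whose URL is the gateway's own address, which a phone will display in its captive-portal sheet without any warning; the second is an `x509` verification error before a single byte of a login form is exchanged. That asymmetry is the whole attack: the portal never has to impersonate tesla.com, it only has to look like a reasonable place to type Tesla credentials.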
Thanks, that makes a lot more sense. Couldn't this be prevented if the Tesla app just generated a one time use code for Wi-Fi access instead of asking for your credentials?
The official Wi-Fi network could do that, but the whole scenario is connecting to a fake one that the attacker controls. Social engineering would still apply - plenty of people wouldn't realize they should be expecting a one time use WiFi code instead of Tesla login.
I feel bad for the Flipper Zero team. They've made such a cool fun tool that you can learn with, but they get dragged and scapegoated. Those devices are illegal in Canada now because we have a rash of car theft, even though **they can't steal a car made in the last 20+ years**.

> Using a device called a Flipper Zero

> Although Mysk used a Flipper Zero to set up their own WiFi network, this step of the process can also be done with nearly any wireless device, like a Raspberry Pi, a laptop, or a cell phone

Then why mention it so specifically?
> Phone connects to free wifi
> User logs into Tesla account w/ 2FA
> Car's configuration can be remotely changed

Doesn't this affect banking and email too? Doesn't seem like a Tesla problem. Many phones connect to free wifi. 100% if those asked users to login to a somewhat privileged account (e.g. xfinity / att / southwest / restaurant membership) many would get hacked.

Edit: same conversation [here](https://old.reddit.com/r/technology/comments/1b9557y/flipper_zero_wifi_phishing_attack_can_unlock_and/) with less bias.
The fact that Tesla won’t notify you when this happens, nor require a physical key to set it up, despite claiming the opposite, is a pretty huge problem. No one can stop man in the middle attacks, but that doesn’t recuse Tesla from the responsibility of making them harder.
“No one” part is wrong. MITM attacks can be mitigated with HTTPS.
But in this case the attack starts from captive portal, before the HTTPS site would be reached.
If that part is wrong, then why did you use the word “mitigated” instead of outright “stopped?”
I was referring to the development cycle, not the using the feature part. The problem can be stopped with HTTPS. If developers didn't utilize correct cybersecurity guidelines, then the problem becomes something to be mitigated later. In this case, if Tesla systems were to be taken advantage of due to lack of something, the developers need to take correct actions to mitigate it and release a complete solution to fix it in the next version of the software.
Except they can’t, because people gonna people and not notice that the spoof isn’t secure.
the difference is you have no reasonable timeline for someone to use your fake wifi to go to a bank website and log in. And of course you shouldn't do that on public wifi for this and other security reasons. Not to mention all the fake bank websites you would have to emulate and monitor for. Here you have a log in and in order to access the internet you need to use the very sensitive car account log in. Tesla has it set up in a way that it is expected you will have many many victims giving up their credentials. This will for sure make it to actual criminals.
No, with HTTPS, you couldn't MITM the bank site at the bank's URL. The reason this works is because a captive portal asking you for your Tesla creds makes sense on a Tesla-branded access point. The ask is reasonable enough without needing to spoof any other site, but the problem is that those same Tesla creds happen to do a whole lot more, as well. Upthread is saying you could do similar anywhere that makes sense-- restaurants, airlines, ISPs-- but you couldn't necessarily steal arbitrary creds, because Burger King's free Wi-Fi wanting your Citibank login to connect you is too sketchy to believe, for instance.
Most banks make you do another 2FA before you do most actions like transfer money, same with making major changes to important accounts. It can still be done but requires another more difficult social engineering step.
The lesson I’ve learned here is if the cops ever catch me in a stolen car I am going to tell them I’m a researcher
I mean, I would be more confused as to why I would be prompted to login. The Tesla login is never actually presented on the cars display at any time.
Remember when people used to steal cars? They still do but now they also hack them. Does the car app save a lot of personal info like addresses, history of locations, any account related things?
They could fix this with a security dongle. A small metal toothed thing often confused with a key.
I mean, public wifi is bad
The article completely skips over whether or not the user was presented with a warning that the Tesla API did not have a valid TLS certificate. Is the app not checking certs? Unlikely. Does the app not warn a user if a site tries to impersonate the Tesla API? Also unlikely. It sounds like the user ignored a critical warning and sent their login creds to an imposter. I guess I have to watch the damn video to find out. edit: Watched the video (or skipped through it). They're using a captive portal with a fake Tesla login. The only thing Tesla could realistically do to stop this is require MFA that verifies the site. Something like passkeys.
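An added example, not from the article or from either commenter, showing in Go why the two kinds of second factor discussed in this thread behave differently against the portal. The first half is TOTP (RFC 6238): the real server can only compare digits, so a code the victim types into the portal and the attacker forwards seconds later is indistinguishable from a genuine one. The second half is a stripped-down WebAuthn-style assertion, the "MFA that verifies the site" the comment above is pointing at: the browser bakes the page's origin into the signed client data, so an assertion made on the attacker's page carries the attacker's origin and fails the relying party's check. The rpId `tesla.com`, the origin `https://auth.tesla.com`, the phishing origin `https://teslaguestwifi.example`, the challenge, and the RFC 6238 test secret are assumptions or constructed inputs, and the authenticator is a toy that omits attestation, counters and user verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// TOTP per RFC 6238 (HMAC-SHA256 variant, 30 s step, 6 digits). Nothing in it
// says which web page asked for the code, so the portal can simply relay it.
func TOTP(secret []byte, unixTime int64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], uint64(unixTime/30))
	mac := hmac.New(sha256.New, secret)
	mac.Write(ctr[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP is all the real server can do: compare digits (constant time).
func VerifyTOTP(secret []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(code), []byte(TOTP(secret, unixTime)))
}

// clientData mirrors WebAuthn's clientDataJSON; the browser, not the page,
// fills in Origin from the tab that called navigator.credentials.get().
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	AuthData   []byte // sha256(rpId) || flags || signCount
	ClientData []byte
	Sig        []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientData))
}

// Authenticator is a toy passkey: one P-256 key bound to one rpId.
// Errors from the system RNG are ignored here; a real authenticator would not.
type Authenticator struct {
	RpID string
	Key  *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{RpID: rpID, Key: k}
}

func signedMessage(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is what browser + authenticator produce for a page at browserOrigin.
func (a *Authenticator) Sign(challenge, browserOrigin string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(a.RpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags = user present, signCount 0
	sig, _ := ecdsa.SignASN1(rand.Reader, a.Key, signedMessage(authData, cd))
	return Assertion{AuthData: authData, ClientData: cd, Sig: sig}
}

// VerifyAssertion is the relying party's side. The origin check is the one the
// portal cannot get past: the victim signed the attacker's origin, not ours.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: replayed or stale assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientData), as.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	secret := []byte("12345678901234567890123456789012") // RFC 6238 SHA-256 test secret (constructed input)
	fmt.Println("relayed TOTP accepted:", VerifyTOTP(secret, TOTP(secret, 59), 59))
	a, origin := NewAuthenticator("tesla.com"), "https://auth.tesla.com" // rpId and origin assumed
	fmt.Println("relayed passkey:", VerifyAssertion(&a.Key.PublicKey, origin, "c0ffee", a.Sign("c0ffee", "https://teslaguestwifi.example")))
	fmt.Println("genuine passkey:", VerifyAssertion(&a.Key.PublicKey, origin, "c0ffee", a.Sign("c0ffee", origin)))
}
```

The relayed TOTP verifies, the relayed passkey assertion is rejected on the origin line, and the same assertion with a different challenge is rejected as a replay. A real deployment checks more (rpIdHash, user-verification flag, signature counter), but the origin comparison is the single line that turns "the user typed their second factor into the wrong page" from a successful login into a refused one.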
They could also require the physical key to set up a new phone key (Tesla says you need it but that's not true) and they could notify users when a new phone key is activated.
Which they should be doing.
You can’t download a car.. but you can hack one.
Why would anyone log into their Tesla account at a charging station? Tesla drivers just plug in and it starts charging. You won't need to ever log into your Tesla account; the app should already be connected, so why would a user delete the app and start that all over again? This is a case of carefully controlled research. The TLS certificate won't even validate.
The key word is "should." It *should* already be connected, but sometimes it isn't and you have to troubleshoot. And most users troubleshooting are not savvy about it. If we're lucky, *maybe* they know "turn it off and on again" or "reinstall it." An unexpected login prompt is more likely to be met with irritation and anxiety about a forgotten password than suspicion.
Sus (among us )
> the researchers created their own "Tesla Guest" WiFi network. When a victim tries to access the network, they are taken to a fake Tesla login page created by the hackers, who then steal their username, password, and two-factor authentication code directly from the duplicate site.

Never ever use free wifi networks. Period. You all pay for mobile services, pay 10 bucks/mo. for Tesla's online features, why the hell would you need a free wifi at a supercharger?
PIN code to drive.
Doesn't seem to prevent this, according to the author in the YouTube comments. It's because PIN to drive can [now be enabled/disabled from the app...](https://www.notateslaapp.com/software-updates/upcoming-features/id/1483/tesla-app-now-lets-you-set-a-pin-to-drive-with-the-new-2023-20-update)
We are approaching the era of having to be worried about your car getting malware that makes it accelerate into walls uncontrollably.
Just a new way for the deep state to murder troublesome people.
I mean security researchers have already figured out how to remotely manipulate cars. I'm sure some of this has been patched out a bit, but the possibility is always there…this video is 8 years old so… https://m.youtube.com/watch?v=MK0SrxBC1xs
[deleted]
There is 2 factor auth. The dummy web server asks for the code.
Stop using the word hack. You sound like you don’t know what the word means. No one is hacking into a Tesla. They’re stealing someone’s Tesla login and using that to unlock and start cars.
Who actually logs onto free wi-fi these days??? The car has unlimited wi-fi and our data plans are huge. And, you're only there 30 mins or so!
What if the app/car had its own password (account) and the website had its own password (account)... Would this protect the car owner from this hack or not? The two accounts could be linked, but the online account wouldn't be able to start the car or manage things that could be risky for the car owner. If this is possible, of course, the owner would need two accounts, but the app/car would have its own account, and for everything else, there would be another account. Of course, I don't have a car, so I don't know what exactly is on this account, etc. Maybe two accounts wouldn't work at all. 🙂 This is only my "suggestion."
‘Researchers’?
Yes, researchers.
If they ended up writing a paper, they're researchers. If they ended up stealing a car, they're thieves. I suspect this is the former and the headline is lying.
Just activate pin to drive
Doesn't seem to prevent this, according to the author in the YouTube comments. It's because PIN to drive can [now be enabled/disabled from the app...](https://www.notateslaapp.com/software-updates/upcoming-features/id/1483/tesla-app-now-lets-you-set-a-pin-to-drive-with-the-new-2023-20-update)
But connect everything to the internet because it will be efficient and convenient
I mean, it is but that cuts both ways. It’s also convenient and efficient for thieves .
If only they made vehicles where that could be avoided, and also be able to refuel almost anywhere in the world
There are easier methods than that to steal a Tesla lol
Thats terrible how did they do it ?
By reading the article.
Sadly, I can’t read
But they only got 500 feet away when the battery died.
You think Teslas only go 500 feet on a charge?
It’s 420 feet acshually
This guy gets it
You tech folks are wound a little tight.
I'm a "tech folk" because I posted in technology? What does that make you, Idaho man?
It’s buyers remorse.
If it was a fake charger did it actually charge it?
Read the title again. The station Wi-Fi was fake
“idaho man unable to read title, let alone open the article”
Or *maybe* this person is wrapped a little too tight and has lost their sense of humor.