Security researchers have recently demonstrated a concerning Man-in-the-Middle (MiTM) phishing attack that can compromise Tesla accounts. The attack has been proven to work on the latest Tesla app and software versions, raising serious security issues for Tesla owners.
In this attack, the researchers were able to register a new ‘Phone Key’ to access a Tesla vehicle, without the owner’s knowledge or authorization. This means that an attacker could potentially gain access to and control a Tesla vehicle remotely.
While Tesla has dismissed the report that linking a car to a new phone lacks proper security, the researchers have shown that the attack can be carried out using devices like Flipper Zero, Raspberry Pi, and Android phones. By creating a fake WiFi network to lure victims at Tesla supercharger stations, the attacker can then capture login credentials and one-time passwords to bypass two-factor authentication.
What’s even more concerning is that the attacker can track the victim’s vehicle location in real-time and add a new ‘Phone Key’ from close proximity without notifying the owner. This addition of a new Phone Key does not require authentication through a physical Tesla Card Key, further highlighting the security vulnerabilities in Tesla’s system.
The researchers have recommended authentication through a key card for added security, but Tesla has responded that adding a new Phone Key without a key card is actually intended behavior. Despite these concerns, BleepingComputer reached out to Tesla for a response and information on security measures to prevent such attacks, but has not received a response.
Overall, this MiTM phishing attack highlights the importance of robust security measures to protect Tesla owners from potential cyber threats. It is crucial for Tesla to address these vulnerabilities and ensure the safety and security of its customers.
