Tesla Accounts Compromised in Man-in-the-Middle Phishing Attack
Security researchers have demonstrated a concerning vulnerability that could potentially compromise Tesla accounts, allowing attackers to unlock cars and start them remotely. This attack, known as a Man-in-the-Middle (MiTM) phishing attack, takes advantage of flaws in the latest Tesla app and software versions.
Security researchers have demonstrated a concerning vulnerability that could potentially compromise Tesla accounts, allowing attackers to unlock cars and start them remotely. This attack, known as a Man-in-the-Middle (MiTM) phishing attack, takes advantage of flaws in the latest Tesla app and software versions.
How the Attack Works
During the demonstration, researchers Talal Haj Bakry and Tommy Mysk were able to register a new 'Phone Key' that granted them access to a Tesla vehicle. By creating a fake Tesla login page on a spoofed WiFi network, they were able to trick victims into entering their account credentials, including a one-time password for two-factor authentication.
Once the attacker gains access to the victim's Tesla account, they can add a new 'Phone Key' to the account without the owner's knowledge. This key allows the attacker to unlock the car and activate its systems, essentially giving them full control over the vehicle.
Vulnerabilities in Tesla's Security
One of the key issues highlighted by the researchers is the lack of proper authentication security when linking a new phone key to a Tesla account. This oversight allows attackers to exploit the system and gain unauthorized access to vehicles.
Additionally, the process of adding a new Phone Key through the Tesla app does not require any additional authentication steps, such as using a physical Tesla Card Key. This lack of verification makes it easier for attackers to add malicious keys to a victim's account without detection.
Tesla's Response
Despite the researchers' findings and recommendations for improving security measures, Tesla dismissed the report as being out of scope. The company claimed that the behavior observed during the attack was intentional and not a security flaw.
However, concerns remain about the potential for widespread attacks targeting Tesla vehicles and the need for stronger authentication protocols to prevent unauthorized access.
As the researchers continue to advocate for enhanced security measures, Tesla owners are advised to remain vigilant and monitor their accounts for any suspicious activity. With the growing threat of cyber attacks targeting connected vehicles, it is crucial for manufacturers to prioritize the security of their systems to protect both users and their vehicles.
Hey, I'm Saadat Qureshi, your guide through the exciting worlds of education and technology. Originally from Karachi and a proud alum of the University of Birmingham, I'm now back in Karachi, Pakistan, exploring the intersection of learning and tech. Stick around for my fresh takes on the digital revolution! Connect With Me