How to Steal a Tesla With Fake Supercharger Wi-Fi

By Sean Tucker 03/13/2024 9:29am


Tesla provides free Wi-Fi at many of its public charging stations. Make sure you’re logged into the right one.

Security researchers from Mysk, Inc. showed late last week how they could use a false public Wi-Fi network to steal Tesla cars.


“The attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away,” Gizmodo reports.


Hackers Set Up Fake Wi-Fi Network

The heart of the risk, say researchers Tommy Mysk and Talal Haj Bakry, is that Tesla lets users set up their phone as a key to their car. That process can be done entirely through the Tesla website, and Tesla allows multiple keys for each car.

So, the researchers set up their own Wi-Fi network near a Supercharger. They named it Tesla Guest – the same name Tesla uses for its free Wi-Fi networks.

Their captive network used a fake login screen that looked identical to the Tesla login screen. When a user logged in with their credentials, the hackers captured them. “Even if the Tesla owner had two-factor identification set up on their account, the fake captive portal will prompt the victim to enter the one-time passcode, which is relayed in real-time to the attacker,” Mysk says.

They could then log in to the real Tesla site with those credentials and set up as many phones as they’d like to be keys to that car.


With a Secret Second Phone Key, Thieves Could Take Their Time

They wouldn’t need to steal the car immediately. Gizmodo notes that, once you have the login credentials for a Tesla account, you can use the company’s own app to track the location of that car. “The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.”

Tesla could solve the problem in a few simple ways, Mysk notes. It could require users to authenticate when they create a new phone key by starting the car with its actual key card. Even more simply, just notifying users when a new phone was added to their account could alert drivers to the hack.

The company could also require drivers to input a PIN to start the car after unlocking it with a phone. At the moment, Mysk notes, the phone key can bypass the PIN process. That could be fixed with a quick software update.
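The following is an added illustrative model of the three mitigations described above, not Tesla's code: under the hardened policy, enrolling a phone key requires a key-card tap in the car and notifies the owner, and the PIN is required to drive no matter how the car was unlocked. The class and function names and the constructed scenario (an attacker holding phished credentials but no key card or PIN) are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VehicleAccess:
    """Toy model of a car's phone-key and drive policy (hypothetical, not Tesla's)."""
    pin_to_drive: str
    hardened: bool = True  # True applies the mitigations described in the article
    phone_keys: set = field(default_factory=set)
    owner_notifications: list = field(default_factory=list)

    def enroll_phone_key(self, account_authenticated: bool,
                         key_card_tapped: bool, phone_id: str) -> bool:
        """Weak policy: an account login is enough and the owner is not told.
        Hardened policy: a key-card tap is also required, and every attempt
        is reported to the owner."""
        if not account_authenticated:
            return False
        if self.hardened and not key_card_tapped:
            self.owner_notifications.append(f"rejected phone key {phone_id}: no key card")
            return False
        self.phone_keys.add(phone_id)
        if self.hardened:
            self.owner_notifications.append(f"new phone key added: {phone_id}")
        return True

    def start_drive(self, phone_id: str, pin_entered: Optional[str]) -> bool:
        """Weak policy: an enrolled phone key bypasses PIN-to-drive.
        Hardened policy: the PIN is checked however the car was unlocked."""
        if phone_id not in self.phone_keys:
            return False
        if not self.hardened:
            return True
        return pin_entered == self.pin_to_drive


def phished_account_outcome(hardened: bool) -> dict:
    """Constructed scenario: attacker has the owner's phished login (and relayed
    one-time code) but neither the key card nor the PIN-to-drive."""
    car = VehicleAccess(pin_to_drive="4821", hardened=hardened)
    enrolled = car.enroll_phone_key(account_authenticated=True,
                                    key_card_tapped=False, phone_id="attacker-phone")
    can_drive = car.start_drive("attacker-phone", pin_entered=None)
    return {"enrolled": enrolled, "can_drive": can_drive,
            "owner_alerted": bool(car.owner_notifications)}


if __name__ == "__main__":
    print("weak policy:", phished_account_outcome(hardened=False))
    print("hardened policy:", phished_account_outcome(hardened=True))
```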

“Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must factor in such risks in their threat models,” Mysk says. The group hopes to bring attention to the problem and force Tesla to solve it.