This article originally appeared on Business Insider.
If you own a Tesla, you may want to be extra careful when logging into your Tesla charging station's WiFi network.
Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. released a YouTube video Thursday showing how easily hackers can steal your car using clever social engineering tricks.
Here's how it works:
According to Mysk's video, many of Tesla's more than 50,000 charging stations around the world offer a WiFi network, commonly named “Tesla Guest,” that Tesla owners can log into and use while waiting for their car to charge.
Researchers created their own “Tesla Guest” WiFi network using a device called Flipper Zero, a simple $169 hacking tool. When a victim attempts to access the network, they are directed to a fake Tesla login page created by the hacker, who then steals their username, password, and two-factor authentication code directly from the cloned site.
Although Mysk used Flipper Zero to set up his own WiFi network, this step of the process can also be done with almost any wireless device, such as a Raspberry Pi, laptop, or cell phone, Mysk said in the video.
Once a hacker steals an owner's Tesla account credentials, they can use them to log into the real Tesla app, but they need to log in quickly before the 2FA code expires, Mysk explains in the video.
One of the unique features of Tesla cars is that owners can use their mobile phone as a digital key to unlock the car without the need for a physical key card.
After logging into the app using the owner's credentials, the researchers set up a new phone key a few feet away from the parked car.
The hacker doesn't even have to steal the car on the spot. They can track the Tesla's location from the app and go steal it later.
Mysk said unsuspecting Tesla owners will not be notified when a new phone key is set up. The Tesla Model 3's owner's manual also states that a physical card is required to set up a new phone key, but according to the video, Mysk found that this was not the case.
“This means owners could lose their Teslas if their emails and passwords are compromised. This is insane,” Tommy Mysk told Gizmodo. “Today, phishing and social engineering attacks are so common, especially with the rise of AI technology, that responsible companies must factor such risks into their threat models.”
Mysk said in the video that he reported the issue to Tesla, which responded that it investigated and determined it was not an issue.
Tesla did not respond to Business Insider's request for comment.
Tommy Mysk tested this method multiple times on his own car, even using a reset iPhone that had never been paired with a car, Gizmodo reported. Mysk claimed it worked every time.
Mysk said (and we agree) that the experiment was for research purposes only and that no one should steal cars.
Mysk said at the end of the video that the problem could be resolved if Tesla required physical keycard authentication and notified owners when a new phone key was created.
This isn't the first time savvy researchers have discovered a relatively easy way to hack into Teslas.
In 2022, a 19-year-old boy announced that he had hacked 25 Teslas around the world (although that particular vulnerability has since been fixed). Later that year, security companies discovered another way to hack into Teslas from hundreds of miles away.