More and more modern vehicles use internet-facing and connected features in the name of convenience. The reality is that the convenience of these features can actually present a whole new attack surface for threat actors to exploit—that’s exactly what a team of security researchers at Mysk found in a new social engineering attack aimed at exposing a vulnerability in Tesla’s fleet of cars.

Security researchers at Mysk have found success in tricking users who utilize the free wireless internet broadcasted at many of Tesla’s Supercharging and Service stations. Rather than connect to the internet, the drivers are unknowingly providing the attackers with all of the details they need to create a key for their vehicle.

Get Fully Charged

Here’s how the attack chain works:

First, the researchers picked up a Flipper Zero. In case you aren’t familiar with these tiny tamagotchi-like devices, they serve as a penetration tester’s toolkit in a toy-like form factor for under $200. It’s the same device many script kiddies have used to spam iPhones with Bluetooth Low-Energy messages and open Tesla charging ports. With a simple daughter board, the Flipper can also broadcast a wifi hotspot which is the entire basis of Mysk’s attack.

The Flipper broadcasts the wireless network using the same name as the Supercharger wireless: “Tesla Guest.” An unsuspecting victim planning to use the wireless will then attempt to connect and is served up with a fake captive portal that looks like something officially from Tesla. But it isn’t.

Once the owners input their Tesla account details, the details are immediately pushed to the screen of the nearby Flipper Zero. If multi-factor is enabled on the owner’s account, the attacker then forces the user to be prompted for a multi-factor code. The code entered by the user is displayed on the Flipper and the attacker can log in as the user to the Tesla app on their cell phone.

The app will immediately see the location of the vehicle without authorizing their phone as a key. This could allow the attacker to get the location of where the car is parked and allow the attacker to return to the proximity of the vehicle to authorize their phone as a key when nobody else is around, or perhaps when the owner is sleeping.

Because this step doesn’t require an additional physical keycard authorization, the attacker is immediately granted access to the vehicle and can even bypass the PIN to drive function.

Mysk says that it reported this flaw to Tesla’s product team and received the following response:

Thanks for the report. We have investigated and determined that this is the intended behavior. The “Phone Key” section of the owner’s manual […] makes no mention of a key card being required to add a phone key.

The researchers recommend that Tesla re-visit this security vulnerability. Mysk specifically says that Tesla should consider making key card authentication mandatory when adding a new phone as a key and that it should notify owners when a new key is added.

In all, this is a pretty low-tech attack that simply requires proximity to the vehicle and a bit of social engineering to complete. I personally have never utilized Tesla’s wireless when Supercharging, but I’m sure there are plenty of people in more remote areas with low cellular coverage or those without unlimited data plans that might make use of it. That being said, it comes with a fairly heavy risk—losing your car. Fortunately, most stolen Teslas are recovered.