Digital keys have become a common and convenient way of unlocking electric vehicles (EVs) — but security researchers have demonstrated how criminals can take advantage of this.
Cybersecurity researchers Tommy Mysk and Talal Haj Bakry, who work for tech firm Mysk, have discovered an exploit that lets cybercriminals access Tesla accounts to generate a "digital key" before unlocking a victim's car and driving away. They detailed their findings in a YouTube presentation on March 7.
They achieved the hack — unlocking the door of a Tesla Model 3 — despite the account being protected by two-factor authentication (2FA). This is an extra layer of protection that asks for a code before logging in — which they bypassed.
They simply needed a small Flipper Zero device and a Wi-Fi development board — both of which can be bought online.
The Flipper Zero device, which costs just $169, is akin to a "Swiss army knife" for security researchers. It lets them read, copy and emulate radio-frequency and near-field communication (NFC) tags, radio remotes, digital access keys and other signals. It's legal in the U.S. although Canada has just brought forward measures to ban it.
The researchers used a Flipper Zero alongside the Wi-Fi development board to generate and broadcast a fake Tesla login page, before duping a victim into sharing their login credentials.
How does the hack work?
The researchers conducted this exploitation through a public Wi-Fi network named “Tesla Guest," just like the ones used at Tesla servicing centers.
They broadcast a fake version of this network via the Flipper Zero, meaning if somebody were to click on the captive network to access Wi-Fi, a spoofed Tesla login screen would appear. Broadcasting this fake Wi-Fi network at locations commonly visited by Tesla drivers, such as Tesla SuperChargers, would enable cybercriminals to steal the login details for Tesla accounts.
If exploited in the real world, a hacker would only need to wait for an unsuspecting Tesla driver to connect to the fake Wi-Fi network and type their login details into the spoofed login portal. The user’s credentials, including their email address, password and 2FA code, would then appear on the Flipper Zero's screen. Then, after obtaining this information, the hacker can launch the Tesla app and access the victim’s account.
Related: Experimental wireless EV charger is just as fast as a superfast wired plug, scientists say
The app gives a live location of the car without the hacker needing to activate their digital key, which is on their phone, beforehand. By activating the key near the victim’s car, the hacker can control it remotely. Alarmingly, you can do this without being in the car — you just need to enable Bluetooth and activate location settings.
Because no alerts appear on the user’s app or their car’s built-in touchscreen to say a new device has been added to their account, they won’t know someone has compromised their account and is trying to control their car.
Demonstrating this exploit, the researcher successfully unlocked the door of a Tesla Model 3 and showed how to add the digital key without a notification appearing on the touchscreen. They were able to start the car and drive away.
The researchers were surprised to learn that you need a physical key card (which all Tesla drivers are provided with) to authenticate the removal of a digital key — and that a push notification is sent to the car's owner after a key is removed. This is despite the fact that no such notification is sent when a new key is added.
What does it mean for EV safety?
Despite the Tesla owner’s manual stating that the physical key card is needed to add and remove digital keys, the researchers proved that this is only the case for removing digital keys — not adding them. The Mysk team reported their findings to Tesla Product Security, which responded by calling this “intended behavior.”
“We showed how social engineering and phishing can be effective,” wrote the researchers in their presentation. “It even defeated multi-factor authentication.”
The security researchers believe that key card authentication should be compulsory and that Tesla owners should receive notifications if a new key is added to their account.
Jake Moore, global security advisor at cyber security company ESET, told Live Science that easily accessible devices like the Flipper Zero “can do a tremendous amount to assist threat actors in malicious activities.”
"Acting as yet another tool in the hacker’s toolkit, along with other social engineering techniques, these devices add a new dimension for victims to be aware of," he explained.
"With endless smart devices on the market and wireless technology built into devices that never before justified the use of it, we therefore need to be on guard more than ever.”