The discovery was made by the security researchers Tommy Mysk and Talal Haj Bakry at Mysk Inc.
Mysk has posted a video on YouTube explaining how the fraud works.
The method they have found is really clever, and falls under the category of social engineering.
Imitating Tesla’s own Wi-Fi network
At many of Tesla’s charging stations, of which there are over 50,000 worldwide, there is a Wi-Fi network called Tesla Guest.
When the hackers’ victims try to connect to the network, they are sent to a fake Tesla login page.
When they try to log into the site, the hackers seize their username, password and two-factor authentication code.
Easy as pie
The hardware you need to create such a network is neither expensive nor difficult to get hold of; pretty much any wireless device can be used.
Once the hackers have seized the credentials, they can log into the Tesla app on one of their own phones.
However, they need to do this quickly, before the two-factor authentication code expires, Mysk explains in the video.
Can create own key in no time
Once the fraudsters log into the app, the victim’s car is vulnerable, as Tesla offers the feature of using the mobile phone as a key to both unlock and drive the car.
The researchers were able to install a new mobile key while standing a few meters from the car without any problems, even though according to Tesla you need to have access to the car’s physical key card to do this.
This opened up the possibility of wirelessly tracking and stealing the car.
Not a problem, says Tesla
According to Mysk, the owner of the car is not notified when a new mobile key is created.
– This means that with leaked email and password information, an owner can get rid of his Tesla. This is crazy, Mysk tells Gizmodo.
When Mysk informed Tesla of what he had found, he was told that the company had investigated the matter and concluded that it was not a problem.
However, Mysk has tried to hack his own car in the same way with several different phones, and it has worked every time.
At the end of the video, Mysk says that Tesla could solve the problem if it introduced a requirement to authenticate a new mobile key with the physical key card, as well as send a notification to the car’s owner when a new key is created.
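The two controls Mysk proposes can be modeled as a server-side gate on key enrollment. The sketch below is an added example, not Tesla's code or protocol: the class, the function names, the vehicle ID and the HMAC challenge-response standing in for a key card tap are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def card_sign(card_secret: bytes, nonce: bytes) -> bytes:
    """Stand-in for the physical key card answering a challenge (assumed scheme)."""
    return hmac.new(card_secret, nonce, hashlib.sha256).digest()


class EnrollmentService:
    """Hypothetical backend gate for adding a phone key to a vehicle."""

    def __init__(self, card_secrets: dict):
        self.card_secrets = card_secrets  # vehicle_id -> card secret (constructed)
        self.pending = {}                 # vehicle_id -> outstanding one-time nonce
        self.notifications = []           # messages pushed to the registered owner

    def start(self, vehicle_id: str) -> bytes:
        # Fresh challenge per attempt, so a captured response cannot be replayed.
        nonce = secrets.token_bytes(16)
        self.pending[vehicle_id] = nonce
        return nonce

    def finish(self, vehicle_id, session_ok, card_response, device_name) -> bool:
        nonce = self.pending.pop(vehicle_id, None)  # single use
        # A valid login (password + 2FA code) alone is never sufficient.
        if not session_ok or nonce is None or card_response is None:
            return False
        expected = card_sign(self.card_secrets[vehicle_id], nonce)
        if not hmac.compare_digest(expected, card_response):
            return False
        # Second control: the owner is told whenever a key is created.
        self.notifications.append(
            f"New phone key '{device_name}' added to {vehicle_id}")
        return True


if __name__ == "__main__":
    secret = b"constructed-card-secret"       # constructed sample value
    svc = EnrollmentService({"VIN-EXAMPLE": secret})
    svc.start("VIN-EXAMPLE")
    # Phished credentials only: logged in, but no key card present.
    print(svc.finish("VIN-EXAMPLE", True, None, "unknown-phone"))
    nonce = svc.start("VIN-EXAMPLE")
    # Owner taps the card in the car, which answers the challenge.
    print(svc.finish("VIN-EXAMPLE", True, card_sign(secret, nonce), "owner-phone"))
    print(svc.notifications)
```

With this gate in place, a login obtained through the fake Wi-Fi page cannot create a key by itself, and a key that is created always produces an owner notification.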