By Omar Yang (Senior Threat Researcher, Automotive) and Ling Cheng (Senior Product Marketing Manager)
Two security researchers from Mysk Inc., Talal Haj Bakry and Tommy Mysk, recently demonstrated how Tesla cars could be susceptible to theft through a man-in-the-middle (MITM) phishing attack. This attack could enable malicious actors to create and use new digital keys to unlock Tesla cars and access their systems.
The attack chain begins with a counterfeit Wi-Fi access point deployed by an attacker as an official-seeming Tesla guest network — ideally at a Tesla charging station or service center, where a Wi-Fi network called “Tesla Guest” is likely to appear. When a Tesla owner connects to the spoof network, they are presented with a login page that closely resembles Tesla’s official page but is, in fact, a bogus page designed to capture the owner’s credentials. Unknowingly, when the owner enters their email address and password to log in, the attacker simultaneously sniffs and uses these credentials to access the genuine Tesla service. The hacker also circumvents the multifactor authentication (MFA) security by displaying a fake prompt that mimics the legitimate one, deceiving the victim into providing their one-time passcode (OTP).
With access to the victim’s account, the attacker can now view information about the Tesla vehicle linked to it. More alarmingly, the attacker can create a digital key or “phone key” without needing any additional verification; the attacker needs only to be physically near the Tesla vehicle to activate the phone key. As pointed out by the Mysk Inc. researchers, “The flow doesn’t require the user to be inside the car or to use another physical factor for authentication, such as a Tesla key card or scanning a QR code that the Tesla’s touchscreen displays.” Nor does the owner get notified of the unauthorized creation of a phone key. With the activated phone key, the attacker can now unlock the Tesla car and drive away with it.
Figure 1. The potential attack chain
The Mysk Inc. researchers reached out to Tesla about the issue, and Tesla responded that the fact that a key card is not required to add a phone key is “the intended behavior.” Notably, social engineering or phishing attacks are deemed out of scope by Tesla for its bug bounty program.
The first part of the attack chain (the upper part in Figure 1) is in itself a phishing attack, specifically a credential phishing attack. Phishing attacks like this are unfortunately rampant and increasingly common. According to Trend Micro Cloud App Security data, about 6.7 million credential phishing attacks were detected and blocked in IT environments in 2023, a 2% increase from the previous year. We’re beginning to see credential phishing tactics gradually being employed in the automotive world as well.
Therefore, in addition to the common advice for countering such attacks, which often involves raising self-awareness and enabling MFA protection, we recommend that car manufacturers (OEMs) and owners consider installing additional cybersecurity solutions to help thwart these attacks. These include VicOne’s Smart Cockpit Protection solutions. By installing our Smart Cockpit Protection solutions in the OEM’s in-vehicle infotainment (IVI) system and the car owner’s mobile device, we can provide alerts for the first two steps leading to potential victimization:
- If the car owner attempts to connect to a suspicious Wi-Fi network, our Smart Cockpit Protection solutions will display an alert on the IVI system and the mobile device, based on location and Wi-Fi information retrieved from the access point. This precaution prevents inadvertent connection to potentially problematic networks.
- If the car owner proceeds to connect to the spoof network and is directed to a fake login page, our Smart Cockpit Protection solutions will display the actual URL in a pop-up to alert the car owner to the inauthenticity of the page. Additionally, our Smart Cockpit Protection solutions can detect malicious URLs, conduct regular browser vulnerability scans, and display alerts about these to car owners to prevent phishing and other attacks that could lead to unauthorized access to personal data or sensitive information.
To learn more about our Smart Cockpit Protections solutions, visit this page, download this solution brief, or request a demo.
To read more research on other possible attacks on connected vehicles and learn best security practices, visit our resource center and read our other blog entries.
