Comments on: Poor Tesla Security Proves Us Wrong, The Flipper Zero And Other Devices Can Steal A Modern Car
https://pcper.com/2024/03/poor-tesla-security-proves-us-wrong-the-flipper-zero-and-other-devices-can-steal-a-modern-car/
A Leader in PC Hardware Reviews and News
Last updated: Tue, 12 Mar 2024 21:01:47 +0000

By: Jeremy Hellstrom (Tue, 12 Mar 2024 21:01:47 +0000)
https://pcper.com/2024/03/poor-tesla-security-proves-us-wrong-the-flipper-zero-and-other-devices-can-steal-a-modern-car/comment-page-1/#comment-248101
In reply to topher.

It was tongue in cheek! I thought I’d made it pretty clear it was because users are idiots?

By: topher (Mon, 11 Mar 2024 15:00:47 +0000)
https://pcper.com/2024/03/poor-tesla-security-proves-us-wrong-the-flipper-zero-and-other-devices-can-steal-a-modern-car/comment-page-1/#comment-248074
In reply to psuedonymous.

^^ all that

By: psuedonymous (Mon, 11 Mar 2024 14:35:04 +0000)
https://pcper.com/2024/03/poor-tesla-security-proves-us-wrong-the-flipper-zero-and-other-devices-can-steal-a-modern-car/comment-page-1/#comment-248073

This hack had nothing whatsoever to do with the Flipper; any device able to generate a WiFi hotspot would work, as the attack is a basic MITM attack.

The ‘hack’ was to create a fake charger station, and along with it create a fake WiFi hotspot with the expected Tesla hotspot name. Then, create a captive portal page that visually resembled the real Tesla one, and use that to snarf username, password, and 2FA token. Then use those details within the 2FA-valid window to register another phone with the Tesla app.

Mitigations have nothing to do with the car itself, but instead lie in user education (not ignoring the security warnings on the spoofed captive portal page), in adding notifications when another phone app is registered, and ideally in changing the captive portal authentication method to use an app-generated key rather than regular login credentials; however, this last one is again vulnerable to users ignoring security warnings and entering valid credentials anyway.

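The credential-relay step the comment above describes (a phished one-time code reused inside its validity window) and the app-generated key it suggests as a fix, as an added example that is not part of the pcper post, its comments, or the Tesla research they discuss. The TOTP part follows RFC 6238; the `RegistrationServer`, its nonce handling, and the use of an HMAC as a stand-in for a phone-held signing key are hypothetical, and every secret, nonce and timestamp is constructed for the demo.

```python
"""Added example: why a phished one-time code still works for the attacker,
and why an app-held key answering a fresh challenge does not.

Not code from the pcper post, its comments, or the Tesla research. The TOTP
part follows RFC 6238; RegistrationServer is a hypothetical model; every
secret, nonce and timestamp is constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30        # seconds per code (RFC 6238 default)
TOTP_DRIFT_STEPS = 1  # typical verifiers also accept +/- one step of clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """Code the victim's authenticator shows at wall-clock time `at`."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float,
                step: int = TOTP_STEP, drift: int = TOTP_DRIFT_STEPS) -> bool:
    """Server-side check: current step plus `drift` neighbours on each side."""
    now_step = int(at // step)
    return any(hmac.compare_digest(hotp(secret, now_step + d), code)
               for d in range(-drift, drift + 1))


def totp_replay_window(secret: bytes, captured_at: float) -> tuple[bool, bool]:
    """The fake portal captures the code at `captured_at` and relays it.

    Returns (accepted when relayed ~20 s later, accepted when relayed 90 s later).
    The first is True: the code is still inside its window, which is the gap the
    comment describes. The second is False: three steps have passed.
    """
    code = totp(secret, captured_at)
    soon = verify_totp(secret, code, captured_at + 20)
    late = verify_totp(secret, code, captured_at + 3 * TOTP_STEP)
    return soon, late


def device_sign(device_key: bytes, nonce: bytes) -> bytes:
    """Phone's answer to a challenge: keyed MAC over the server nonce.

    Stand-in for a signature with a key generated on the phone and never shown
    to or typed by the user, so the portal has nothing to ask the user for.
    """
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class RegistrationServer:
    """Hypothetical enrolment endpoint: one-shot nonces, answer bound to the nonce."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key      # provisioned out of band, for the demo
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def register(self, nonce: bytes, answer: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                   # unknown, expired or already consumed
        self._outstanding.discard(nonce)   # single use, whatever the outcome
        return hmac.compare_digest(device_sign(self._device_key, nonce), answer)


def device_key_replay() -> tuple[bool, bool, bool]:
    """The portal observes one (nonce, answer) pair from the victim's phone.

    Returns (captured answer accepted for the attacker's own fresh nonce,
             victim's genuine enrolment accepted,
             captured pair accepted again after its nonce was consumed).
    Expected: (False, True, False).
    """
    device_key = secrets.token_bytes(32)
    server = RegistrationServer(device_key)
    victim_nonce = server.challenge()
    captured = device_sign(device_key, victim_nonce)   # what the portal sees
    attacker_nonce = server.challenge()                # attacker's own enrolment attempt
    stolen_for_new_nonce = server.register(attacker_nonce, captured)
    genuine = server.register(victim_nonce, captured)
    replayed = server.register(victim_nonce, captured)
    return stolen_for_new_nonce, genuine, replayed
```

The model assumes the app-held key is never displayed to or typed by the user; as the comment notes, a design that still lets the user paste a valid credential into a spoofed page falls back to the first case, and the only remaining control is the notification on new-device enrolment.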