Security News > 2024 > March > Flipper Zero WiFi attack can unlock and steal Tesla cars
An easy phishing attack using a Flipper Zero device can lead to compromising Tesla accounts, unlocking cars, and starting them.
The attack works on the latest Tesla app, version 4.30.6, and Tesla software version 11.1 2024.2.7.
An attacker at a Tesla supercharger station could deploy a WiFi network called"Tesla Guest," an SSID that is commonly found at Tesla service centers and car owners are familiar with it.
Once the victim connects to the spoofed network, they are served a fake Tesla login page asking to log in using their Tesla account credentials.
Tesla cars also use Card Keys, which are slim RFID cards that need to be placed on the center console's RFID reader to start the vehicle.
"I was able to add a second phone key on a new iPhone without the Tesla app prompting me to use a key card to authenticate the session on the new iPhone. I only signed in on the new iPhone with my username and password, and as soon as I granted the app access to the location services, it activated the phone key," Tommy Mysk and Talal Haj Bakry wrote in the report to Tesla.