MiTM phishing attack can let attackers unlock and steal a Tesla


Researchers demonstrated how they could conduct a Man-in-the-Middle (MiTM) phishing attack to compromise Tesla accounts, unlock cars, and start them. The attack works on the latest Tesla app, version 4.30.6, and Tesla software version 11.1 2024.2.7.

As part of this attack, security researchers Talal Haj Bakry and Tommy Mysk register a new ‘Phone key’ that could be used to access the Tesla.

The researchers reported their findings to Tesla, saying that linking a car to a new phone lacks proper authentication security. However, the car maker determined the report to be out of scope.

While the researchers performed this phishing attack using a Flipper Zero, it could easily be done with other devices like a computer, a Raspberry Pi, or an Android phone.
