Security Researchers Use a Flipper Zero to "Steal" a Tesla Model 3, Fanning the Flames of Ban Plans

Security researchers Tommy Mysk and Talal Haj Bakry have thrown oil on the troubled waters of the Government of Canada's attack on the Flipper Zero multi-tool gadget with a video proving it can, indeed, be used to steal a Tesla Model 3 car — albeit in an attack that would also work using any other Wi-Fi-enabled device capable of hosting a web page and acting as a wireless access point.

"Phishing and social engineering attacks are not uncommon. However, an attacker who gets a hold of leaked or stolen credentials shouldn't have it all," Mysk and Bakry write. "[Our research] shows you that Tesla doesn't protect its users, or vehicles, against stolen credentials. Unfortunately, an attacker who somehow gets the credentials of a vehicle's Tesla account can take control of the car and drive away with it."

Like many modern vehicles, Teslas are designed around a keyless entry and start system: while each vehicle is supplied with card-like keys, once purchased the owner is encouraged to register their phone instead — allowing the car to be unlocked and started without having to carry anything else. The trouble comes, Mysk and Bakry explain, when your credentials for the Tesla app are leaked.

"The major problem with the design is that Tesla only requires an account's email and password as well as being physically near the Tesla vehicle to activate a phone key," the pair write. "With an activated phone key a user, or an attacker, has full control of the vehicle. The flow doesn't require the user to be inside the car or to use another physical factor for authentication, such as a Tesla card key or scanning a QR code that the Tesla's touchscreen displays."

It does, however, require that the attacker knows the user's username and password for the Tesla app — which is where the Flipper Zero comes in. Using an optional Wi-Fi add-on board, the researchers show how the Flipper Zero can be used to broadcast a malicious wireless access point and send users to a faked Tesla log in page. When the credentials are entered, they're displayed on the Flipper Zero's screen and used to request a one-time code — after which the attacker can set up their own phone as a Tesla key without further victim interaction.

The attack demonstration, which Mysk and Bakry say has been dismissed as "intended behavior" by Tesla, comes on the back of the Government of Canada announcing plans to ban the Flipper Zero and similar devices to stem a spate of car thefts across the nation — none of which, Flipper Devices pointed out at the time, are known to have involved a Flipper Zero. While this attack does, it's not using anything specific to the Flipper Zero's capabilities: any device that can broadcast a Wi-Fi hotspot and host a web page would be capable of carrying out the same attack.

The full attack is demonstrated in the video embedded above and on Mysk's YouTube channel; Tesla has not publicly commented on the apparent vulnerability of its vehicles.

Main article image courtesy of Mysk Co.