Researchers Find Super Simple Way to Hack Tesla Keys

Chris Teague
by Chris Teague

Security researchers have found numerous vulnerabilities in some of today’s most popular vehicles, including finding ways to access owner data, take control of vehicle systems, and more. Tesla’s vehicles aren’t immune, and a team of researchers recently showed how easy accessing one of the advanced EVs with a simple electronic device can be.

The crew at Mysk has found a way to clone Tesla owners’ keys by hacking into the wireless internet networks at the automaker’s Supercharger stations. They use a device called Flipper Zero, which can broadcast a fake Wi-Fi network with a name similar to the ones used at Superchargers.

Once the user is connected and has entered their Tesla account information, their data is captured by the Flipper Zero. Hackers then prompt the user for a multi-factor authentication code, which allows them to access a Tesla account using an app on their smartphones. The hackers can then gain access to the car, clone a key using the Flipper Zero, and other malicious actions.

Some companies pay bounties to hackers who come forward with information about a vulnerability or security issue, but Tesla’s response to Mysk was surprising. The automaker responded, “Thanks for the report. We have investigated and determined that this is the intended behavior. The ‘Phone Key’ section of the owner’s manual makes no mention of a key card being required to add a phone key.”

While there are a few steps involved in this hack, and the bad actors have to be somewhat nearby to commit the crime, it’s worth noting that this is one of the simpler vulnerabilities we’ve seen so far. Some hackers have outlined having to access deeply protected vendor accounts and other complicated pathways to gain user info, while this one appears to be pretty straightforward by comparison.

[Image: Shutterstock]

Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by   subscribing to our newsletter.

Chris Teague
Chris Teague

Chris grew up in, under, and around cars, but took the long way around to becoming an automotive writer. After a career in technology consulting and a trip through business school, Chris began writing about the automotive industry as a way to reconnect with his passion and get behind the wheel of a new car every week. He focuses on taking complex industry stories and making them digestible by any reader. Just don’t expect him to stay away from high-mileage Porsches.

More by Chris Teague

Join the conversation
2 of 26 comments
  • User User on Mar 16, 2024

    I had fallen victim to a malicious scam exploited by a cunning fraudster friend, who lured me into a fake cryptocurrency investment scheme through a website called Sadly, i had lost a staggering $400,000 to this elaborate deception. Determined to seek justice and recovers my hard-earned money, It was during this desperate search that i came across Trustwizards Hackworld, a renowned cybersecurity and financial recovery agency. Trustwizards,(trustwizards(AT)G'MAIL) known for their expertise in handling complex scams and financial fraud cases, understood the gravity of the situation and quickly assembled a team of skilled professionals to assist me. As the investigation unfolded.

    Finally, Trustwizards had successfully traced the stolen funds. Through their relentless efforts, they recover my $400,000. It brought a sense of closure and relief to me, who had feared losing everything. Trustwizards not only helped me recover my funds but also provided me with guidance and education on how to protect myself from future scams. They shared valuable insights and best practices for online security and investment precautions, empowering me and others to make informed decisions in the digital realm. And so, with Trustwizards' expertise and unwavering dedication, my tale of loss and despair transformed into a story of resilience, justice, and hope in the face of adversity. I vowed to become an advocate for cybersecurity awareness, helping others avoid falling victim to similar scams, fighting against cybercrime and bringing hope to those who had lost everything. If you have similar experience you can contact: trustwizards AT G'mail Dot com. W/app: (+1) 3,8,6,- (3,8,7,)

    7,0,5,4. Telegram: trustwizards_hackworld

  • Joe Joe on Mar 19, 2024

    This is called a man in the middle attack and has been around for years. You can fall for this in a Starbucks as easily as when you’re charging your car. Nothing new here…

  • Jkross22 It very much depends on the dealer. Just bought a replacement for the CX9. A local dealer gave a $500 discount on a CPO car while another one gave a few thousand dollar discount but was out of the area and we had to drive 5 hours to get. The local dealer still seems to think it's 2022 and cars appreciate when sitting on the lot. I wish them luck.
  • Ajla "and the $34K price doesn't seem too steep." Respectfully disagree. This would be okay at $29K. $34k clangs into way too much.
  • FreedMike i puUut pUniZhR sTikKr oNn mY KoMMpAs aNd nOW i hEeR Eegle SkReem. (And no one knows it's made in Mexico.)
  • SCE to AUX What a farce.Besides, "patriotism" has been redefined a hundred different ways in the last 20+ years. Disagree with one of them, and you're a traitor.And for starters, Jeep is a Stellantis brand with its HQ in the Netherlands. If this persistent myth about patriotism is ever cracked, the brand is doomed.
  • MaintenanceCosts I'm definitely seeing more dealer-level discounts than I did a year ago, but not a lot of lower MSRPs.