Researchers Use Rogue Wireless Access Points To Steal a Tesla

As automobile theft is on the rise across North America, attackers are proving themselves adept at finding new ways to circumvent technical access controls and drive away in stolen vehicles. As the value of a vehicle increases, one would expect that more sophisticated techniques would be used to secure access... but this is not always the case.  In fact, many law enforcement agencies are encouraging car owners to employ steering wheel locks such as "The Club" to deter car thieves, since car manufacturers are employing technologies that can't keep the bad guys out. 

In 2020, the Tesla Model X was hacked using the BlueTooth Body Control Module (BCM) and again in the 2023 Pwn2Own hacking competition full root access was gained via BlueTooth in a matter of seconds. The 2020 hack was possible due to a lack of cryptographic signature verification for keyfob firmware updates and the 2023 hack leveraged a time-of-check-to-time-of-use (TOCTTOU) vulnerability in Tesla's Model 3 Gateway energy management system (EMS).

However, the most recent techniques demonstrated by researchers to steal Tesla vehicles use another vector altogether - rogue wireless access points (APs). In this article, we will review what rogue APs are and uncover how thieves are using them to steal Teslas using a Flipper Zero: a device recently banned in Canada in an effort to combat auto theft. 

The Dangers of Rogue Access Points

Unauthorized access points, often referred to as "rogue" access points (APs), are typically set up by attackers to either mimic closeby legitimate wireless networks, or to entice users to connect for free Internet access.  Rogue access points represent a potent threat to network security, underscoring the importance of robust monitoring measures to detect their presence and mitigate their threat to enterprise networks.

In the case when a rogue AP is used to mimic an existing legitimate WiFi network, they are set up without the knowledge or consent of network administrators and attempt to be indistinguishable from the legitimate network by offering the same settings such as: 

• BSSID (Basic Service Set Identifier)

• SSID (Service Set Identifier)

• MAC Address

• Network encryption protocols such as WPA2, WPA3, etc.

Rogue access points serve as a vector for various cyber attacks, including phishing attacks and can be a gateway for malicious actors to infiltrate organizational networks or steal credentials for launching other types of attacks. Once rogue access points are configured, they are commonly used to direct users to spoofed login sites such as captive portals to steal sensitive credentials from the user directly and can also be used for man-in-the-middle attacks, where attackers intercept and manipulate communication between users and legitimate servers, or to launch denial-of-service (DoS) attacks, disrupting network operations and causing service outages.

How Were Rogue Wireless APs Used To Steal Teslas?

A significant flaw in the Tesla design requires only the owner's account email and password, and physical proximity to the vehicle, to activate a phone key - allowing the owner to unlock and start a Tesla via mobile app. This security weakness allows attackers to use stolen credentials to hijack a Tesla.

At many of the over 50,000 Tesla charging stations worldwide, a WiFi network named "Tesla Guest'' is available for Tesla owners to use while their vehicles charge. Researchers demonstrated an attack using a Flipper Zero, to create a spoofed "Tesla Guest" WiFi network near the charging stations. The victim, upon attempting to connect, is directed to a fake Tesla login page where the hackers extract their username, password, and two-factor authentication code. The attack also reportedly bypasses the requirement for a physical key card to set up a new phone key, contrary to Tesla's manual.

How the attack works:

1. Setting up a fake "Tesla Guest" WiFi network using Flipper Zero or other wireless devices.

2. Redirecting victims to a counterfeit Tesla login page to steal credentials.

3. Quickly logging into the real Tesla app with stolen credentials before the 2FA code expires.

4. Creating a new phone key from within the app, enabling access to the Tesla vehicle.

5. Exploiting the ability to track the Tesla's location from the app for potential future theft.

6. Exploiting the lack of notification to the owner when a new phone key is set up.

Despite reporting the issue to Tesla, the company dismissed it, prompting concerns about the security of Tesla vehicles and the vulnerability of owners' accounts to phishing attacks. Tesla owners are advised to review the company's extensive list of measures for preventing car theft and take action to mitigate attacks.

Conclusion

Recently demonstrated attacks that proved how easy it is to gain complete access to a Tesla enabling an attacker to effectively steal the vehicle. The research also points to the previously known technique of rogue APs as an active threat for stealing login credentials.

In reality, the Canadian government's recent restriction of Flipper Zero devices will do little to stop this type of attack since several other covert devices are fully capable of setting up rogue APs to mimic legitimate networks and steal user credentials. 

Looking for more cybersecurity updates and news? Sign up for our informational zero-spam newsletter.