Beware of Guest Wifi: You May Lose Your Car

My car has a smart phone app which allows me to lock and unlock the car. I love it, especially if I ever lose my key.

But does this open up security issues? Security researchers (Tommy Mysk and Talal Haj Bakry of Mysk Inc) have now shown how a Flipper Zero device can be used to gain access to the car. This creates a wi-fi access point of “Tesla Guest”, — and which is the name that is used for wi-i networks at service centres. It mimics the normal login page for a Tesla. Once the owner is tricked into entering their credentials, the adversary can then create a new set of virtual keys and then gain access to the car:

The surprising thing is that it also bypasses two-factor authentication, and where the fake login page requests the two-factor authentication code that the user then accesses in their account. This needs to happen quickly for the adversary and then, the owner, to the entering of the code.