The victim would have no idea they lost their $40,000 vehicle.
Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.
The process is simple.
The victim connects to the WiFi network and enters their username and password on the fake Tesla website.
The victim enters that code into the fake website, and the thief gains access to their account.
From there, the car is yours.
You can see Mysk’s demonstration of the attack in the video below.
The Tesla owner could finish charging the car and drive off to go shopping or park outside their house.
This means with a leaked email and password, an owner could lose their Tesla vehicle.
“This is insane,” Tommy Mysk said.
When you buy a Tesla, the company provides you with a physical keycard for the car.
However, when Mysk tried this exploit, it seemed that wasn’t true.
He shared a copy of the exchange with Gizmodo.
“We have investigated and determined that this is the intended behavior,” Tesla said in the email.
Tesla, which typically ignores questions from the media, did not immediately respond to a request for comment.
“Tesla Product Security team’s confirmation that this is the intended behavior is preposterous,” Mysk said.
The design to pair a phone key is clearly made super easy at the expense of security.
If a victim is tricked to expose their credentials, they shouldn’t lose it all.
They shouldn’t lose their car.
The Flipper Zero is a controversial piece of equipment that’s designed for hobbyists, hackers, and people who want to stop them.
It wouldn’t be hard for Tesla to solve this problem.
But without action from the company, Tesla owners may be sitting ducks.
But when your car key is a bunch of ones and zeros, things can get messy.