Cybersecurity: Can a Tesla stop phishing and social engineering attacks?
- Published: 28 Jun 2024
- Phishing and social engineering attacks are not uncommon. However, an attacker who gets hold of leaked or stolen credentials shouldn't get everything with them. This video shows that Tesla doesn't protect its users, or their vehicles, against stolen credentials. Unfortunately, an attacker who somehow obtains the credentials of a vehicle's Tesla account can take control of the car and drive away with it.
The major problem with the design is that Tesla only requires an account's email and password as well as being physically near the Tesla vehicle to activate a phone key. With an activated phone key a user, or an attacker, has full control of the vehicle. The flow doesn't require the user to be inside the car or to use another physical factor for authentication, such as a Tesla key card or scanning a QR code that the Tesla's touchscreen displays.
In this video, we showed how easy it is to obtain the credentials of a Tesla account. Tesla accounts can optionally enable multi-factor authentication, but as shown in the video, that can be easily defeated.
We contacted Tesla about this problem, and they determined that this is the intended behavior. Their response was no surprise, as they already state on their Bug Bounty program that phishing and social engineering attacks are out of scope. (bugcrowd.com/tesla)
Hopefully, this video will raise awareness about this topic. If you have found this video helpful, please like it and share it with friends, especially if they are Tesla owners. Also, consider subscribing to this channel for more content like this.
Full article: www.mysk.blog/2024/03/10/tesl...
For more content like this, you can find us here:
Twitter/X: x.com/@mysk_co
Mastodon: mastodon.social/@mysk
Threads: threads.net/@mysk_co
#privacy #cybersecurity #tesla #iOS #security #infosec #socialEngineering
Chapters:
00:00 Introduction
00:30 The Method
01:07 The Victim Enters Credentials
01:40 The Attacker Enters Stolen Credentials
04:01 The Attacker Inside the Car
04:49 Key Card Requirements
05:19 Tesla's Response
05:19 Final Thoughts
06:10 Technical Information
Thanks a lot for watching and interacting with this video, a few remarks:
1️⃣ PIN to Drive won't prevent the attacker from driving away with the car: twitter.com/mysk_co/status/1766451258158682322
2️⃣ We used a Flipper Zero because it made recording the video much simpler. It has a nice compact display. Many other devices are capable of running a captive network, including laptops.
3️⃣ Two users reported in the comments that they received a push notification after adding a phone key. We weren't able to reproduce it. For the account and vehicle we have for testing, we never received a push notification after adding a new phone key.
Thanks a lot again. Subscribe to the channel and follow us for more content like this. ✌️
So don't log in to any Tesla public WiFi and you should be set. Bypassing the PIN code had me a little shocked, I thought it was foolproof.
The owner does in fact get a push notification for both removal of the phone key as well as adding one. So this isn’t as traceless as it’s made to seem
Which device and version do you have? I only got a notification when removing a key. The main phone key is running Version 4.30.6 on an iPhone. Were you able to add the phone key without the key card?
@mysk was able to add without a key card
iPhone 15 version v4.30.6-2531
Android (pixel 4a 5g) same app version
Both got a notification for adding and removing the phone key (done from the android)
@mitpatterson Thank you for the detailed answer. I just tested and I didn't receive a notification. 🤔
I tested again. I don't get a notification when I add a new key. I only get it when I remove a key.
@mysk I also tested with 3 phones that have notifications enabled. And no notification from the Tesla app at all when adding a phone key
I have been having issues when my MYP automatically connects to the super charger's Wi-Fi network when supercharging. It interrupts my viewing session and as such I disable Wi-Fi on the vehicle to force it to use the cellular network instead.
Also, as a work-around if you have a hot spot option on your phone you could have the vehicle connect to your phone instead of a public network, thus avoiding this potential scenario.
Even without the phone being a phone key you can just click unlock and remote start in the app. The phone key is only the "keep the phone in your pocket" part
No, that wasn't the behavior that we observed during testing. You cannot unlock the car or perform any other control action until the phone key is activated in the app. However, you can still get live location and status updates about the vehicle without activating the phone key.
I'm wondering if a physical MFA token implementation would help for Tesla token "key" reassignment. I'm avoiding terms like passkey and key purposely to avoid confusion. If registered, wouldn't it be more difficult to pull off this MITM? Of course then you can't lose your physical MFA token. Really a problem lol.
The one-time code (OTP) should not work once the user has used it the first time, it should be exactly that - a one-time code...
The first screen is the fake captive portal. The code wasn't entered on a Tesla website. The attacker took it from the captive portal and entered it in the app. It was only used once.
OTPs have an expiry time. The attacker just has to use the code before it expires. They might not always be able to do it in time depending on the length of credentials and the time the expiry clock started on the code
It would be easy to improve: add an option so that, when you turn off the PIN in the app, you must provide the PIN before it can be done. It's hard to believe that this hasn't been added, it's basic
I have unlimited 5G UW so I don’t use public WiFi now. Great reason not to.
Interesting attack vector. Would be interested to see if you could also either spoof the communication with the app to force a logout and intercept the credentials directly from the app. I feared this could become a reality since Tesla added the option to register a new phone key directly from the app without confirmation in the car. It will always be a trade-off between security and convenience. I guess pin to drive would still prevent the car from being driven away at first but being able to enter the car would make it easier to tow it quickly. I wonder if one could even bypass pin to drive by calling Tesla from inside the car and saying you forgot the pin while having access to the app where you can create a service request to "authenticate" yourself.
You can disable pin to drive from the app so as long as you have app access you can disable it and drive off.
@n2rj oh that's right, this is more serious than I initially thought then!
They don't put an expiration on the MFA code?
They do. The 6-digit passcode expires in 30 seconds.
ULTRA WIDE BAND on phone
Tried adding a device yesterday. The car asked for my original key before the new device could be added
Can you say the software version your Tesla is running?
same for me
@hefwilliams5400 Can you say the version of the app and Tesla firmware?
So, what about the part where the vehicle prompts you to tap the key card on the console to complete the phone key setup?
This prompt appears when you try to remove an already added key. You have to place the key card on the reader for a key to be removed.
@mysk no. You need to tap a key card to add a phone.
@eugenes7799 This is wrong. The demo above as well as the official response we got from Tesla confirm that a key card is not required to register a new phone key. It's only required if the GPS signal is so weak that the smartphone and the Tesla vehicle cannot determine that they are physically close.
@mysk Adding a new phone as a key also requires the key card to be tapped.
This might not be true for "previously" authenticated phones which could be the flaw you may have discovered.
Try with a new phone (never used as a key before) and let us know!
@Exau89 We tested with devices that have never been paired with the vehicle at all. Perhaps the key card is required when an account creates a phone key for the very first time. But this won't prevent this attack. Anyhow, Tesla's response denies this requirement entirely.
If SMS were used as the method of receiving OTP codes this attack would not work. Also, having the logged-in Tesla app generate the codes, by alerting/offering the code to the account holder when a login attempt was detected instead of using an authenticator app, would further close this loophole.
I don't get the recommendation that Tesla must make it mandatory to use the key card.... This is obviously a social engineering hack. You could just configure a PIN code to start the Tesla, that is built in already, and then this attack won't work to drive the Tesla. Also I get a notification when a card changes.
Maybe it's a better recommendation to use a key card to add a new phone?
Yes, this is what was meant by the recommendations. To make it mandatory to scan the key card for a new key to be added. The PIN to Drive is useless as you can bypass it in the app. Refer to the pinned comment.
where's the 2fa code coming from?
From the fake captive portal page.
It just means that the attacker has a couple of seconds (depending on how fast 2FA key is rotated)
It's a time-based one-time password: TOTP
TOTPs regenerate every 30 seconds. Not much time to log in twice, but possible.
There's only one real login, the first one is a fake login screen. As per this hypothetical scenario, the attacker is doing it live right after the victim pushes the submit button. 30 seconds are more than enough. Plus, not every user has two-factor authentication enabled.
@eggersberger usually the next and the last TOTP are considered valid to have a little more buffer in case the clocks are slightly out of sync or the user copies the code right at the end.
What about the 2FA expiration? The code expires after 30 seconds afaik. So the owner AND attacker have to be VERY fast and the owner has to use a newly generated 2FA code which lasts for 30 seconds. It's unlikely to be this fast. But it shows how important 2FA is. Maybe it is a good idea to enable PIN to Drive, but of course this can be disabled if the hacker disables it via app. This function should be more secured in the app, so the user has to enter the PIN before he can disable it.
30 seconds should be enough. A sophisticated attacker wouldn't type all that manually, they would copy the text and send it to the phone, then paste it. Plus, the fake portal can prompt the user to enter a new passcode and repeat until it works. Agreed, the PIN to Drive is useless here because you can bypass it in the app.
30 seconds is plenty. You can get it done in 10. The last 20 you can use to check Tesla stock price.
@mysk if the hacker is sitting around at a supercharger waiting eagerly, and you happen to want to use Tesla guest wifi, and you fall for it, and the hacker has a full 30 seconds left in the OTP rotation, and you don't notice a shady person near the car, and you join the wifi then decide instead of using wifi you want to walk away from the car, and the hacker stops charging the car and you don't notice the charging stopped notification, and the hacker manages to drive away quickly, they'll have succeeded in stealing your car just in time for you to call the police and give them the exact location of the car which the owner will still have.
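The timing this thread argues about (a 30-second step, the neighbouring step accepted for clock skew, a code consumed on first use) written out as an added Python example; it is not code from the video or from mysk, and the secret, timestamps and function names are constructed for the demonstration. It is a server-side RFC 6238 verifier that shows how many seconds a code typed on a phishing page remains acceptable, and that single-use enforcement only stops a second submission, not the first one relayed in real time.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP step (RFC 6238 default; the 30-second rotation discussed above)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: float) -> str:
    """The 6-digit code an authenticator app shows at Unix time `at`."""
    return hotp(secret, int(at // STEP))


class TotpVerifier:
    """Server side: accepts the current step plus `window` steps either side
    (clock skew, or a code typed right at the end of its step) and consumes each
    step on first success, so the same code is refused if submitted again."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window, self.used = secret, window, set()

    def verify(self, code: str, at: float) -> bool:
        current = int(at // STEP)
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step in self.used:
                    return False  # replay of an already consumed code
                self.used.add(step)
                return True
        return False


def seconds_code_stays_valid(t_typed: float, window: int = 1) -> float:
    """How long after a code is typed the server (with +/- `window` tolerance) still accepts it."""
    return (int(t_typed // STEP) + 1 + window) * STEP - t_typed


def relay_timeline(secret: bytes, t_typed: float, delay: float) -> dict:
    """Constructed scenario: the code shown at `t_typed` is submitted `delay`
    seconds later, then submitted a second time one second after that."""
    v = TotpVerifier(secret)
    code = totp(secret, t_typed)
    return {"first_use": v.verify(code, t_typed + delay),
            "replay": v.verify(code, t_typed + delay + 1)}


SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed; not from any account
```

With the constructed timestamp a code typed 20 seconds into its step stays acceptable for another 40 seconds, which is why expiry alone does not defend against a live relay and a second, phishing-resistant factor such as the key card tap is what closes the gap.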
Now everyone knows. 😢😏🙄😅
How does the evil twin network prompt Tesla to send the victim an MFA code?
Since the captive portal is under full control of the attacker, the attacker can be creative here. But for the sake of this demo, we showed a static 2FA prompt right after the email/password prompt. If the victim's account doesn't have 2FA, the attacker already has the email/password. If not, the 2FA prompt will do the job.
@mysk Thanks for the response. I meant, how does Tesla know to send the victim a 2FA code if the website is fake and doesn't actually communicate with Tesla services? Or does it rely on the victim using an authenticator app?
@ThatOneSnake It relies on the victim providing the code. The attacker is asking you for your 2FA code in order to proceed to connect to the bogus Wi-Fi network. Once the victim provides the code the attacker can then use it to log in to your Tesla account.
@pinolero. I get that, but how does the *victim* receive a 2FA code to input? Does the impostor page forward the username and password to the real Tesla page, prompting Tesla to send the Tesla owner a code?
@ThatOneSnake It should go like this: the victim enters email/password on the fake captive portal ➡️ The attacker gets the email/password from the captive portal and enters them in the real Tesla app. Then, the Tesla app prompts for a 2FA code, so the attacker triggers the fake portal to prompt for a 2FA code. The victim enters the 2FA code ➡️ The attacker gets it and enters it in the real app and signs in. If the 2FA code is not valid, the attacker can prompt for a 2FA code again.
PIN TO DRIVE
Won't help. Check the pinned comment.
Finally get to use my flipper
Well, it's a great tool for flipping Teslas.
Use a password manager and then you have no issue besides you're an idiot when you put your passwords everywhere without checking the site.
Another thing is that you could still track the vehicle the whole time, so the risk for stealing it is way too high
The password manager doesn't help here. Also, the captive portal doesn't show the URL. Your answer implies that you haven't used a captive portal before. One can easily be fooled and that doesn't mean that the person is an idiot. Some social engineering attacks are very sophisticated.
@mysk On Android I have the option to open the site in a browser. And sure a password manager does help, as it wouldn't offer to fill in the data.
phishing is the number one attack vector... pretty much everywhere, and if your answer is "you're an idiot," then you're part of the problem and the reason why security people have such a hard time being taken seriously. Also, if you've never been fooled by a social engineering attack, you've just not gotten the right one yet.
On iOS too, you can close the window and a prompt will be displayed to you: use it without internet OR choose another network. Choose the first and open Safari. I used to do that not for security but for checking if the internet is working without logging in (or at least some protocols...) @XxDragonSharKxX