
Teslas vulnerable to Flipper Zero hack - here's how to protect yourself

Tesla drivers could be tricked into handing over control of their cars to hackers, according to security researchers. One way to avoid the problem is by avoiding free Wi-Fi.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

While unlocking vehicles with smartphone apps rather than physical keys offers significant convenience benefits, it also significantly expands the attack surface.

Security researchers have discovered a method that uses a $169 Flipper Zero device to deceive Tesla owners into relinquishing control of their cars to a malicious third party, enabling the vehicle to be unlocked and even driven away.


Researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc have devised a method for fooling a Tesla owner into handing over their vehicle's login credentials: An attacker would use the Flipper Zero and a Wi-Fi development board to broadcast a fake Tesla guest Wi-Fi network login page -- "Tesla Guest" is the name given to Wi-Fi networks at service centers -- and then use those credentials to log into the owner's account and create new virtual "keys" to the car. 

Everything that the owner enters into the fake login page -- username, password, and two-factor authentication code -- is captured and displayed on the Flipper Zero.

Here's a walkthrough of the process.

This attack also bypasses two-factor authentication because the fake Tesla guest Wi-Fi login page asks for the two-factor authentication code, which the attacker then uses to access the account. This does mean that the hacker has to work fast: the code must be requested and then used within moments of the owner typing it in, before it expires.

Will the physical keycard that Tesla supplied you protect you from this attack? According to the user manual, it should, because this "key card is used to 'authenticate' phone keys to work with Model 3 and to add or remove other keys." But, according to Mysk, this is not the case.


Mysk said it approached Tesla for comment on this vulnerability and was told that the company had "investigated and determined that this is the intended behavior," which is worrying.

Mysk recommends that Tesla should make it mandatory to use the key card to create new keys in the app, and that owners should be notified when new keys are created. 

While Mysk and Bakry are using a Flipper Zero here, there are plenty of other tools that could be used to carry out this attack, such as a Wi-Fi Pineapple or a Wi-Fi Nugget.

ZDNET has asked Tesla for comment, and we'll update this article with their response.


How do you protect yourself from this type of attack? First, don't panic. This attack is unlikely to be widespread: The attacker would need to be close to your vehicle and carry out the login to your Tesla account in real-time. 

Second, note that you do not need to enter your two-factor authentication code to connect to Tesla's guest Wi-Fi network. If in doubt, avoid free Wi-Fi.
