Security researchers have uncovered a critical vulnerability that could allow hackers to steal Tesla vehicles by hijacking Wi-Fi networks at the company’s charging stations. This glaring cybersecurity flaw, which requires only an inexpensive, off-the-shelf tool, exposes a significant risk for Tesla owners and raises concerns about the automaker’s security measures.

The vulnerability was discovered by Tommy Mysk and Talal Haj Bakry, security researchers at Mysk Inc., who demonstrated their findings in a recent YouTube video. According to Gizmodo, which first reported on the video, the researchers showed how hackers could use a simple $169 hacking tool called Flipper Zero, a Raspberry Pi, or even a laptop to exploit this vulnerability.

“This means with a leaked email and password, an owner could lose their Tesla vehicle,” Mysk told Gizmodo, highlighting the severity of the issue. “Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must factor in such risks in their threat models.”

The researchers’ approach is alarmingly straightforward. Using their chosen device, hackers can create a spoofed Wi-Fi network called “Tesla Guest,” mimicking the network that Tesla typically provides free of charge to customers waiting at charging stations.

If an unsuspecting victim attempts to connect to this fake network, they may be tricked into entering their login credentials on a duplicate site, inadvertently handing over their information to the hackers.

Once the hackers have acquired these stolen login details, they can bypass Tesla’s two-factor authentication and gain access to the victim’s Tesla smartphone app, effectively unlocking the vehicle without ever needing a physical key card.

The implications of this vulnerability are far-reaching. Not only can hackers unlock the vehicle, but they can also create a new “phone key,” enabling them to return to the car at a later time and drive away with it without arousing suspicion.

Disturbingly, Tesla does not currently notify users when a new phone key is created, a fact that Mysk and Bakry highlight in their video.

To validate their findings, Mysk tested the vulnerability on his own Tesla and found that he could easily create new phone keys without ever having access to the original physical key card. This directly contradicts Tesla’s claim in its owner’s manual that such an action is impossible.

When Mysk informed Tesla about his findings, the company downplayed the vulnerability, stating that it was an “intended behavior” – a response that Mysk called “preposterous” in his interview with Gizmodo.

“The design to pair a phone key is clearly made super easy at the expense of security,” he said, criticizing Tesla’s approach.

Mysk argues that Tesla could easily address this vulnerability by simply notifying users whenever a new phone key is created, allowing them to take immediate action if they suspect unauthorized access.

However, whether the automaker will heed this call remains to be seen, leaving Tesla owners potentially exposed to a significant security risk until a fix is implemented.