according to What feels like half the internetthe Flipper Zero he Evil tool That enables Vile magic known as “the pirateRecently, articles have been circulating claiming that the Flipper Allows hackers to steal Teslas Right under their noses Good, hardworking American owners – A crime that certainly deserves to be tried in The Hague.
Except that's not really true. Although the “hack” is real — albeit not in the way you think — Flipper bears no blame for the situation. Not only does it not really help malicious actors, it makes their lives much more difficult than just doing the same thing on a laptop.
Part One: Attack
First, let's talk about the attack itself. Any first-year computing security professional—like I once was—can tell you that The weakest part of any computer system is the meatbag that uses itThe smartest attacks exploit this weakness instead of any type of code. This Tesla attack is one of those attacks, and it is called a phishing attack.
A phishing attack is an attack in which the attacker asks the user for information, while pretending to be someone who deserves an answer. When you receive an email warning you about suspicious activity on your Gmail account, but it then sends you to a fake login page hoping you'll enter your real username and password, this is phishing.
In this specific attack, malicious actors sit on the Tesla Supercharger website and open a public WiFi network called “Tesla Guest.” When a Tesla owner connects, they are directed to a login page asking for their username and password for their Tesla app. Once entered, the fake network requests a two-factor authentication code, and all three pieces of information are handed over to the attacker.
The attacker must then enter that user's login information into the original Tesla app before the two-factor passcode expires, giving access to the Tesla owner's account — and all of its features connected to the car. These features include using a phone — such as the one the attacker has just logged in on — as a key that could theoretically be used to unlock a Tesla and drive away. Easy as pie, if the pie can't stay in the oven for more than 30 seconds before it burns and becomes crispy.
Part Two: Zero Fin
In the demo, this attack is performed using Flipper Zero to create a fake WiFi network. This is the function that Flipper has, as it can create a WiFi network without any actual internet connection behind it, but the same also applies to a lot of wireless devices.
Raspberry Pis, laptops, cell phones, GoPro cameras, home theater speakers in the living room, all of these devices can create a WiFi network. It's true that a lot of them don't provide a lot of control over that network – although I'm sure there are programs dedicated to hacking a GoPro or sound bar – but a lot of them Do. A laptop can accomplish this task as easily as any Flipper.
In fact, it's even easier when you consider that laptops have built-in WiFi from the factory. Fins, despite all their means of communication, do not – a WiFi development boardalong with the necessary antenna, must be purchased separately and added before the device can actually do anything shown in the demo.
Part Three: None of this matters anyway
And there's that word again, experimental. Like many recently published vulnerabilities, this attack is all theoretical — it occurred under controlled conditions by someone who sat on either side of the attack, rather than out in the wild for unexpected victims. If an attack only exists in a YouTube video demonstrating its success, does it exist at all?
The researchers who discovered the vulnerability, Misk, published it in order to get Tesla's attention. they Gray hats — Sure, they published a vulnerability, but the goal was to get Tesla to know about it Repair He. She. Specifically, they want stronger protections within the Tesla app, to prevent malicious actors from easily creating new phone keys without the car owner's knowledge.
This “hack” is not a hack, not in the way most people think about it. He's not someone who wears a coat and sunglasses in a dark room, typing green text into a black terminal to access a mainframe and do… Crimes. It's social engineering – Mr. Eddie Vedder in Accounting calls Norm in Security after a power surge to request the phone number on the modem to complete this project. This is theoretically possible, sure, but it's unlikely to go well Thus only For the attack to succeed – and if it does, it's almost certainly not Flipper Zero's fault.
“Alcohol maven. Evil bacon lover. Wannabe social media geek. Travel guru. Amateur introvert. Pop culture nerd.”