Hack and steal a Tesla in just a few steps

The video on Youtube, in which Talal Haj Bakry and Tommy Musk can unlock and start a Tesla Model 3, lasts just 6 minutes.

It is not theft. After all, the two outwit their own car. And yet the list of tools they use to get a standard Tesla to accept someone else's smartphone as a key remains manageable.

The car's software is not tampered with, nor are any direct vulnerabilities exploited. Instead, the procedure is called social engineering, whereby the human being, such as the driver, is identified as the weak point.

In Tesla's Superchargers, the Wi-Fi available there can typically be used. An identically named wireless network is created with the help of a computer with Wi-Fi, a smartphone, mini PC, etc.

Anyone waiting at the charging station and logging into the wrong network is presented with a classic phishing page in Tesla guise, where they reveal their login details and are prompted to identify themselves using two-factor authentication.

If the fraudsters are now quick enough, they can register a new smartphone to unlock the Tesla and confirm with the second factor. According to Tesla, an additional security step is required for this process, but this was not carried out in the video, so it is apparently not standard.

Instead, the Tesla Model 3 can ultimately be unlocked and started using a different smartphone. Because the fraudsters are also able to locate the car with the access data, it can be stolen at a later time and unseen.

Such blatant loopholes also affect other manufacturers with other systems. The German automobile club ADAC has been able to open and start almost 600! different car models with Keyless Go since 2016 - without a key or chip card and updated year after year.

It makes you wish for a return to this boring and apparently quite reliable method with a real key and simple remote control.