This article originally appeared on Business Insider.
If you own a Tesla, you may want to be extremely careful when accessing WiFi networks at Tesla charging stations.
Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. released a video on YouTube on Thursday explaining how easy it can be for hackers to make off with your car using a clever social engineering trick.
Here's how it works.
Lots of Tesla charging stations – of which it has run out 50,000 in the world — offer a WiFi network commonly called “Tesla Guest” that Tesla owners can log into and use while waiting for their car to charge, according to Mysk's video.
Using a device called Flipper Zero — a simple hack tool $169 — Researchers created their own “Tesla Guest” WiFi network. When a victim tries to log in, they are taken to a fake Tesla login page created by hackers, who then steal their username, password and two-factor authentication code directly from the cloned page.
Although Mysk used a Flipper Zero to set up his WiFi network, this step of the process can also be done with almost any wireless device, such as a Raspberry Pi, a laptop or a mobile phone, Mysk said in the video.
Once hackers have stolen the credentials in a Tesla owner's account, they can use it to log into the real Tesla app, but they have to do it quickly before the 2FA code expires, Mysk explains in the video.
One of the unique features of Tesla vehicles is that owners can use their phones as a digital key to unlock their car without the need for a physical key card.
After logging into the app with the owner's credentials, the researchers inserted a new phone key while standing a few feet away from the parked car.
Hackers wouldn't even need to steal the car on the spot; they can track the Tesla's location from the app and go steal it later.
Musk said the unsuspecting Tesla owner isn't even notified when a new phone key is set up. And although the Tesla Model 3 owner's manual says a physical card is required to set up a new phone key, Mysk found that wasn't the case, according to the video.
“This means that with a leaked email and password, an owner can lose their Tesla vehicle. That's crazy,” Tommy Mysk said Gizmodo. “Phishing and social engineering attacks are very common today, especially with the rise of AI technologies, and responsible companies must consider such risks in their threat models.”
When Mysk reported the issue to Tesla, the company responded that it had investigated and determined it was not a problem, Mysk said in the video.
Tesla did not respond to Business Insider's request for comment.
Tommy Mysk said he tested the method on his vehicle several times and even used a restored iPhone that had never been paired with the vehicle before, Gizmodo reported. Musk claimed it worked every time.
Musk said that they conducted the experiment for research purposes only and said that no one should steal cars (we agree).
At the end of their video, Mysk said the problem could be solved if Tesla made physical key card authentication mandatory and notified owners when a new phone key was generated.
This isn't the first time that clever researchers have found relatively simple ways to hack Teslas.
In 2022, a The 19-year-old said he had hacked 25 Teslas worldwide (although the specific vulnerability has since been patched); later that year, a security company found another way to hack Teslas from hundreds of miles away.