• givesomefucks@lemmy.world
    9 months ago

    Once logged in, the hackers could even create a new “phone key,” allowing them to come back to the vehicle later and drive off with it without raising suspicion.

    That’s because Tesla doesn’t actually notify the user if a new key is created, as Mysk and Bakry point out in their video.

    Mysk tested out the vulnerability on his own Tesla and found that he was easily able to create new phone keys without ever having access to the original, physical key card. That’s despite Tesla promising that wasn’t possible in its owner’s manual.

    Once he told Tesla about his findings, the EV maker underplayed the vulnerability, telling him it was all by design and “intended behavior,” an assertion that Mysk called “preposterous” in his interview with Gizmodo.

    “The design to pair a phone key is clearly made super easy at the expense of security,” he said.

    Mysk argues it would be easy for the automaker to plug the vulnerability by simply notifying users if a new phone key is created.

    Weird the dude’s name is so close to Musk, but it sounds like this would be something incredibly easy for Tesla to fix, they’re just not doing it and denying it’s a problem…

    • Albbi@lemmy.ca
      9 months ago

      I’m surprised Tesla hasn’t gotten to the point yet where it’s just replying with 💩, but I guess this response wasn’t too far off from that.

    • evergreen@lemmy.world
      9 months ago

      Same kind of dictator mentality I’d expect from Musk himself honestly. Doesn’t fix the problem because he’s insulted that someone else pointed it out. Cutting off his nose to spite his face. He’s good at that. I’m really surprised the board still tolerates his shit.

    • redditron_2000_4@lemmy.world
      9 months ago

      It’s something they “broke” recently. You used to require a physical card to pair a new phone key. I noticed when I replaced my phone that it was no longer needed. They should be able to fix it easily, but I’m sure they won’t.

      You can enable PIN to Drive to reduce the risk, but if you have the creds and there is no 2FA on the account then you can use the app to bypass it.

      • AA5B@lemmy.world
        9 months ago

        Really, crap, when I brought my Tesla home I promptly put the keycards somewhere secret even to me, expecting to never need them again.

        • redditron_2000_4@lemmy.world
          9 months ago

          You can get two more for $10 from Tesla’s site… but I believe you need one to program them. My wife and I keep ours in our wallets, just in case phone keys don’t work or get stolen.

    • noobface@lemmy.world
      9 months ago

      Easy to fix moving forward, but a really public admission of “oops” to all current phone key users who will have to reauth their phones.

    • BakerBagel@midwest.social
      9 months ago

      Announcing and patching security flaws might cause stock prices to dip. And Daddy Musk won’t have that.

    • Lucidlethargy@sh.itjust.works
      9 months ago

      That’s because everything Musk touches turns to fucking shit. Everyone is aware of this in 2024.

      STOP USING AND BUYING THIS GUY’S BULLSHIT, YOU FUCKING IDIOTS.