According to what seems like half the internet, the Flipper Zero is a nefarious tool that enables the villainous sorcery known as “hacking.” Most recently, articles have gone around claiming that the Flipper allows hackers to steal Teslas right out from under the noses of their good, hardworking, American owners — a crime worthy of trial at the Hague, surely.
Except, that’s not really true. While the “hack” is real — albeit not in the way you think — the Flipper is blameless in the situation. Not only does it not really aid malicious actors, it actually makes their lives more difficult than just doing the same thing on a laptop.
Part One: The Attack
First, let’s talk about the attack itself. Any first-year computing security major — like I once was — can tell you that the weakest part of any computer system is the bag of meat that uses it, and the smartest attacks exploit that weakness rather than any kind of code. This Tesla attack is one of those, called a phishing attack.
A phishing attack is one where an attacker asks a user for information while pretending to be someone who deserves an answer. When you get an email warning you about suspicious activity on your Gmail account, that then sends you to a fake login page in hopes that you’ll enter your real username and password, that’s phishing.
In this specific attack, malicious actors sit at a Tesla Supercharger location and open up a public WiFi network called “Tesla Guest.” When a Tesla owner connects, they’re directed to a login page asking for their Tesla app username and password. Once those are entered, the fake network asks for a two-factor authentication code, and all three pieces of info are handed over to the attacker.
The attacker must then enter that user’s login information into the genuine Tesla app before the two-factor passcode expires, granting access to the Tesla owner’s account — and all of its car-connected features. Those features include using a phone — like the one the attacker just logged in from — as a key that could theoretically be used to unlock the Tesla and drive off. Easy as pie, if pie couldn’t sit in the oven for more than 30 seconds before burning to a crisp.
Part Two: The Flipper Zero
In the demo, this attack is carried out using a Flipper Zero to generate the fake WiFi network. This is functionality that the Flipper possesses: it can create a WiFi network without any actual Internet connectivity behind it. But so can plenty of wireless devices.
Raspberry Pis, laptops, cell phones, GoPro cameras, the home theater sound bar in my living room: all of these devices can make a WiFi network. True, many don’t offer much control over that network — though I’m sure custom software exists to crack a GoPro or a sound bar — but many do. A laptop could pull off this stunt as easily as any Flipper.
More easily, in fact, when you consider that laptops have WiFi built in from the factory. Flippers, for all their connectivity, don’t — a WiFi development board, with the necessary antenna, has to be purchased separately and added on before the device can actually do anything shown in the demo.
Part Three: None Of This Matters Anyway
And there’s that word again, demo. Like many freshly published exploits, this attack is all theoretical — it’s happened under controlled conditions by someone who sat on both sides of the attack, not out in the wild to unsuspecting victims. If an attack only exists in a YouTube video showing that it works, does it exist at all?
The researchers who discovered the vulnerability, Mysk, published it in order to get Tesla’s attention. They’re gray hats — sure, they published a vulnerability, but the goal is to get Tesla to fix it. Specifically, they want stronger protections within the Tesla app, to prevent malicious actors from easily creating new phone keys without the car owner’s knowledge.
This “hack” is not a hack, not in the way most people think of them. It’s not a person in a trench coat and sunglasses in a dark room, typing green text into a black terminal to gain access to a mainframe and do crimes. It’s social engineering — Mr. Eddie Vedder in Accounting calling Norm in Security after a power surge, to ask for the phone number on the modem to just get this project done. It’s theoretically possible, sure, but it’s unlikely that everything would line up just so for the attack to work out — and if it does, it’s certainly not the Flipper Zero’s fault.