This article originally appeared on Business Insider.
If you own a Tesla, you may want to be very careful when accessing WiFi networks at Tesla charging stations.
Security researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc. posted a YouTube video on Thursday explaining how easy it can be for hackers to make off with your car using a clever social engineering trick.
Here’s how it works.
Many Tesla charging stations – of which there are over 50,000 worldwide – offer a WiFi network typically called “Tesla Guest” that Tesla owners can access and use while waiting for their car to charge, according to the Mysk video.
Using a device called Flipper Zero, a simple $169 hacking tool, the researchers created their own “Tesla Guest” WiFi network. When a victim attempts to log in to the network, they are taken to a fake Tesla login page created by hackers, who then steal their username, password, and two-factor authentication code directly from the duplicate site.
Although Mysk used a Flipper Zero to set up its WiFi network, this step of the process can also be done with almost any wireless device, such as a Raspberry Pi, laptop or mobile phone, Mysk said in the video.
Once hackers have stolen the owner’s Tesla account credentials, they can use them to log in to the real Tesla app, but they need to do so quickly before the 2FA code expires, Mysk explains in the video.
One of the unique features of Tesla vehicles is that owners can use their phones as a digital key to unlock their car without the need for a physical key card.
Once logged into the app with the owner’s credentials, the researchers set up a new phone key while standing within a few meters of the parked car.
The hackers wouldn’t even need to steal the car at that time; they could track the Tesla’s location from the app and steal it later.
Mysk said the unsuspecting Tesla owner isn’t even notified when a new phone key is set. And, although the Tesla Model 3 user manual says the physical card is required to set up a new phone key, Mysk found that wasn’t the case, according to the video.
“This means that with a leaked email and password, an owner could lose their Tesla vehicle. This is crazy,” Tommy Mysk told Gizmodo. “Phishing and social engineering attacks are very common today, especially with the advent of artificial intelligence technologies, and responsible companies must factor these risks into their threat models.”
When Mysk reported the problem to Tesla, the company responded that it had investigated and determined it was not a problem, Mysk said in the video.
Tesla did not respond to Business Insider’s request for comment.
Tommy Mysk said he tested the method multiple times on his own vehicle and even used a restored iPhone that had never been paired with the vehicle, Gizmodo reported. Mysk said it worked every time.
Mysk said he conducted the experiment for research purposes only and that no one should steal cars (we agree).
At the end of the video, Mysk said the problem could be solved if Tesla made physical key authentication mandatory and notified owners when a new phone key is created.
This isn’t the first time that expert researchers have found relatively simple ways to hack Teslas.
In 2022, a 19-year-old reported hacking 25 Teslas worldwide (though the specific vulnerability has been fixed). That same year, a security company found another way to hack Teslas from hundreds of miles away.