Tesla Model 3 Stolen Using a Smartphone and Social Engineering

cageymaru

Hot on the heels of the revelation that security researchers can steal a Tesla in less than 30 seconds with $600 in parts, a 21-year-old has stolen a Tesla Model 3 using just a smartphone and his wits. The car in this case was a rental car that had been previously rented by the suspect. One of the "cool" features of Tesla ownership is being able to start the car with just smartphone authentication. Because the suspect in this case had previously rented the car, he was able to socially engineer the Tesla support agent into reinstating his smartphone authentication onto the vehicle. Then he disabled the GPS tracking on the vehicle and took a cross-country trip in the stolen car. He was arrested 2 days later in Waco, TX after being tracked using the Tesla Supercharger stations in various states.

Computer forensics specialist Mark Lanterman commented on the case and said that he believes the suspected thief was able to make Tesla add the vehicle on his Tesla account: "What it sounds like this person may have done is convince Tesla to take the VIN number of that vehicle and add it to his Tesla account. By doing that, you can do that with a phone call. By doing that, you can now control the Tesla from an app on your phone." Tesla sometimes does that for Tesla owners with loaner vehicles to enable the features of the mobile app, like unlocking and starting the vehicle without the key.
 
So I guess next is disabling the correct identifying info when charging.
 
That's why I enjoy having an older gas powered car without all this "smart" bullshit. Surely a great example of where some of these tech features have no place to be!
I agree but I am pretty sure that a thief could steal either my dumb ass car or truck with little more than a screwdriver and a key saw, so like $20 in parts.... At least those smart features let them track the vehicle across state lines in 48 hours after the theft occurred. Most cars after 6 hours it’s considered a lost cause.
 
That's why I enjoy having an older gas powered car without all this "smart" bullshit. Surely a great example of where some of these tech features have no place to be!

What he did was no different than socially engineering the valet to give you someone's car keys. People will always be the crutch in our high security generation.
 
Grand theft auto to drive to Texas? In a car that is so recognizable it's ridiculous. Especially in Texas amongst all the F150's and Sierra 1500HD's?
 
A good reason to add a pin-code function and stick the key fob in a protective sleeve if this is a concern, as nothing is 100 percent secure.

On a positive note, at least on the US side of things so far, 117 out of 119 thefts have been recovered due to the car's tracking features, the highest recovery rate of all vehicles, with second place coming at around 57 percent iirc.

That's bound to change though as local burglars become as tech savvy as some in Europe - there are some reports of successful smuggling of vehicles across borders for parts there - so it's important to be defensive about such matters.

Better safe than sorry.
 
What he did was no different than socially engineering the valet to give you someone's car keys. People will always be the crutch in our high security generation.
Exactly, for every one person trying to figure out how to keep your car from being stolen there are 10 people trying to steal it. There is no security system that can’t be bypassed and the human factor in all of them is the weakness. Just have to remember the good old “crowbar” algorithm, “there is no password that can be secured against a crowbar to the knee”.
 
Exactly, for every one person trying to figure out how to keep your car from being stolen there are 10 people trying to steal it. There is no security system that can’t be bypassed and the human factor in all of them is the weakness. Just have to remember the good old “crowbar” algorithm, “there is no password that can be secured against a crowbar to the knee”.

Yep, also remember OnStar? There were reports of people breaking into cars and asking OnStar to turn it on cause it was an emergency. I don't remember there being as much outrage.
 
Yep, also remember OnStar? There were reports of people breaking into cars and asking OnStar to turn it on cause it was an emergency. I don't remember there being as much outrage.
Well shit, I forgot about that one.
 
That's why I enjoy having an older gas powered car without all this "smart" bullshit. Surely a great example of where some of these tech features have no place to be!

I think I seem to understand your point, but I don't think old non-smart cars are that foolproof either.
 
What he did was no different than socially engineering the valet to give you someone's car keys. People will always be the crutch in our high security generation.

Sort of, but my thing is more about when having too much digital and "smart" in a car is too much. The way I see it right now, it is like smart home gadgets that lack even the most basic security. The biggest DDoS attacks in history were launched from these compromised IoT devices, which says a lot, and I'm not sure much is being done about it. At least if I'm in my dumb ass car, nobody can hijack it remotely, so having said that, the potential danger and fallout from this is far greater. I doubt someone will also physically social engineer and get a valet key, unless that person tries to make the dumb criminal of the day video; people go for the easiest and safest route to do their dark deeds, and it happened to be the smart feature in Tesla. There should perhaps at least be some kind of standard and security for this stuff, and given all the issues that make the news from different car makers, somehow I doubt there's any.
 