'White hat hackers' carjacked a Tesla using cheap, legal hardware — exposing major security flaws in the vehicle
- by Live Science: The Most Interesting Articles
- Mar 23, 2024
Security researchers used a $169 Flipper Zero device and a Wi-Fi development board to obtain a driver's credentials, break into a Tesla Model 3 and drive away.
Cybersecurity researchers used a Flipper Zero device to gain a driver's username, password and two-factor authentication code, then drive off with their vehicle.
(Image credit: Alberto Garcia Guillen via Shutterstock)
Digital keys have become a common and convenient way of unlocking electric vehicles (EVs) — but security researchers have demonstrated how criminals can take advantage of this.
Cybersecurity researchers Tommy Mysk and Talal Haj Bakry, who work for tech firm Mysk, have discovered an exploit that lets cybercriminals access Tesla accounts to generate a "digital key" before unlocking a victim's car and driving away. They detailed their findings in a YouTube presentation on March 7.
They achieved the hack — unlocking the door of a Tesla Model 3 — despite the account being protected by two-factor authentication (2FA). This is an extra layer of protection that asks for a code before logging in — which they bypassed.
They simply needed a small Flipper Zero device and a Wi-Fi development board — both of which can be bought online.
The Flipper Zero device, which costs just $169, is akin to a "Swiss army knife" for security researchers. It lets them read, copy and emulate radio-frequency and near-field communication (NFC) tags, radio remotes, digital access keys and other signals. It's legal in the U.S. although Canada has just brought forward measures to ban it.
The researchers used a Flipper Zero alongside the Wi-Fi development board to generate and broadcast a fake Tesla login page, before duping a victim into sharing their login credentials.
How does the hack work?
The researchers conducted this exploitation through a public Wi-Fi network named "Tesla Guest," just like the ones used at Tesla servicing centers.
They broadcast a fake version of this network via the Flipper Zero, meaning if somebody were to click on the captive network to access Wi-Fi, a spoofed Tesla login screen would appear. Broadcasting this fake Wi-Fi network at locations commonly visited by Tesla drivers, such as Tesla SuperChargers, would enable cybercriminals to steal the login details for Tesla accounts.
If exploited in the real world, a hacker would only need to wait for an unsuspecting Tesla driver to connect to the fake Wi-Fi network and type their login details into the spoofed login portal. The user’s credentials, including their email address, password and 2FA code, would then appear on the Flipper Zero's screen. Then, after obtaining this information, the hacker can launch the Tesla app and access the victim’s account.
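A site that operates a guest network can watch for the kind of look-alike access point described above by comparing Wi-Fi scan results against its own access point inventory. The following is an added example, not code from the researchers or the article; the BSSID inventory, the record fields and the scan data are constructed assumptions.

```python
import unicodedata

GUEST_SSID = "Tesla Guest"  # SSID named in the article
# Assumption: the operator's inventory of its own access points (constructed values).
AUTHORIZED_BSSIDS = {"02:00:00:aa:10:01", "02:00:00:aa:10:02"}

def normalize(ssid: str) -> str:
    """Fold case, Unicode compatibility forms and whitespace so near-identical names compare equal."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return " ".join(folded.split())

def find_rogue_aps(scan, ssid=GUEST_SSID, authorized=AUTHORIZED_BSSIDS):
    """Return scan records advertising the guest SSID from a radio that is not in the inventory."""
    target = normalize(ssid)
    allowed = {b.lower() for b in authorized}
    findings = []
    for ap in scan:
        if normalize(ap["ssid"]) != target:
            continue  # unrelated network
        if ap["bssid"].lower() in allowed:
            continue  # one of the operator's own access points
        exact = ap["ssid"] == ssid
        reason = ("exact SSID, unknown BSSID" if exact
                  else "look-alike SSID, unknown BSSID")
        findings.append({**ap, "reason": reason})
    # Strongest signal first: clients tend to join the loudest matching network.
    return sorted(findings, key=lambda f: f["rssi"], reverse=True)

# Constructed sample scan, not real data.
SAMPLE_SCAN = [
    {"ssid": "Tesla Guest", "bssid": "02:00:00:AA:10:01", "rssi": -61},
    {"ssid": "Tesla Guest", "bssid": "02:00:00:bb:20:09", "rssi": -48},
    {"ssid": "tesla  guest ", "bssid": "02:00:00:cc:30:07", "rssi": -70},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:dd:40:01", "rssi": -55},
]

if __name__ == "__main__":
    for f in find_rogue_aps(SAMPLE_SCAN):
        print(f"{f['bssid']}  {f['rssi']} dBm  {f['ssid']!r}: {f['reason']}")
```

A BSSID can itself be copied, so a clean result only rules out one signal; it does not prove that every access point using the name is genuine.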