TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker and becoming a Supporting Member. For more info: Support TMC
Start a Discussionhttps://teslamotorsclub.com/tmc/tags/

Possible Supercharger Phishing Attack?

Discussion in 'Model S' started by K-MTG, Aug 21, 2017.

Tags:
  1. K-MTG

    K-MTG Sunshade Captain of TMC

    Joined:
    Oct 24, 2015
    Messages:
    3,990
    Location:
    Irvine, CA
    One of my close friends, a Model S owner, was waiting in queue at the Fountain Valley Super Charger Station recently. As he waited in line, he took his laptop out and intended to tether his mobile connection when he saw an SSID "Tesla Guest". Once connected, he tried to enable his work VPN as he was on an insecure connection but that failed, and he was shortly presented with a login page similar to the MyTesla Login Page to input his credentials to connect to Wi-Fi. Since he works in cybersecurity he inputed false credentials and the system accepted and enabled internet access.

    He thinks this is a possible phishing scam and wants to know if its possible to enable 2 factor authentication for MyTesla?
     
    • Informative x 29
    • Like x 2
  2. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    Never seen anything like that for My Tesla (now My Account from what I see...), but I think it's a good idea what with the creds being used for car access by various apps. (Yes, you can use tokens, but not that trivially...).

    I'd love to use two-factor for the Tesla website, but that does raise the question of how would the apps work.. Would a token still work? We would have to perhaps formalize that all the apps use tokens, and the doc for generating the same. Correct?


    As for the phishing, I've never heard of any 'Tesla Wifi', so that does sound, um, fishy, and a good scammy idea on someone's part!
     
  3. rypalmer

    rypalmer Member

    Joined:
    Aug 22, 2014
    Messages:
    647
    Location:
    Canada
    I've connected to "Tesla Guest" networks at many Tesla locations both in Fremont and in Toronto, all with the same password. The type of attack described is called an Evil Twin Attack and IMHO this is a pretty big risk for getting your credentials stolen.

    The key here is to make sure you're always communicating over HTTPS. If you're on the right domain name and on SSL, you should be able to avoid such attacks, or at least identify them.
     
    • Informative x 1
  4. Az_Rael

    Az_Rael Supporting Member

    Joined:
    Jan 26, 2016
    Messages:
    2,607
    Location:
    Palmdale, CA
    I would be very suspicious of any "Tesla" WiFi at a supercharger without a lounge or attached to a service center.
     
    • Like x 3
    • Helpful x 1
    • Informative x 1
  5. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    Really, as someone that has some Infosec experience, I would never use any public wifi that needed any login credentials at all and would ALWAYS start a VPN immediately as soon as connected. Anything else is asking for trouble.
     
    • Like x 8
    • Informative x 2
  6. Lasttoy

    Lasttoy Member

    Joined:
    Mar 24, 2017
    Messages:
    175
    Location:
    St Augustine, Fl
    I have been in about 20 cities, never seen that on any device , ever.
     
    • Like x 1
  7. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    8,377
    Location:
    Connecticut
    I'd be very weary of any hotspot that needs credentials like that.

    I'm at the point that when traveling, I always just use my AT&T LTE iPhone tethering ("personal hotspot") over USB. Even when a local business or hotel wifi is available. LTE is pretty fast for what I need, including RD back to my home desktop.

    I just completed a 3-week 3600 mile road trip and the only time I needed to use a wifi connection was to download an Audible book to my iPhone. I used about 3GB of cellular bandwidth per week.
     
    • Like x 4
  8. Max*

    Max* Banned

    Joined:
    Apr 8, 2015
    Messages:
    6,400
    Location:
    NoVa
    It's unbelievably easy to steal some of your info over an unsecured wifi connection (sure lots of "important" sites are encrypted).

    I have a general rule to never log into public wifi's. And if I'm traveling somewhere where that's not an option (overseas), I change all my passwords for the trip, and change them again when I come back.
     
    • Helpful x 1
  9. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    8,377
    Location:
    Connecticut
    Just curious -- if someone intercepts your password(s) while on vacation, wouldn't they still be able to exploit your accounts before you get back to change them back?

    This is a good time for a PSA for Two Factor Auth everywhere it's offered. But be sure that if you're traveling overseas, you can get text messages or have an alternate method like an Google Authenticator.
     
    • Informative x 1
    • Like x 1
  10. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    Yes, they would. TFA is the answer, but a lot of sites don't have it (some don't even have SSL/https, sigh.... ).

    A VPN is really needed when using anything that isn't your phone's native signal (3G/LTE/4G, etc.) when you aren't at home or work, or maybe even when you are! :D
     
  11. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    And, if you are dumb enough to reuse passwords, this is when you are really screwed, because they have access to other accounts! Another plug for password managers, and long random passwords for everything! :)
     
    • Helpful x 1
    • Informative x 1
  12. Max*

    Max* Banned

    Joined:
    Apr 8, 2015
    Messages:
    6,400
    Location:
    NoVa
    Of course.

    But I don't do anything that will hurt too bad (email, facebook, etc.). I never log onto banking/trading/etc. sites. And I use different passwords for each.

    The main thought there is that it's not necessarily instantaneous. If they steal my password, it's always possible they wont use it right away. So I could still have a chance to get home and change it back.

    Let's call it an extra step in my crazy routine.

    Agree 100%. Though not everything has 2 stage authentication.
     
  13. Max*

    Max* Banned

    Joined:
    Apr 8, 2015
    Messages:
    6,400
    Location:
    NoVa
    I don't trust any password managers. All it takes is someone to hack that ONE account, and now they have ALL your passwords.

    Plus, I'm still waiting for the first password manager "company" to get hacked. Sure they all have good security (from what I read), but it's inevitable.
     
    • Like x 1
  14. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    If you use one that doesn't store the vault in the cloud, it's a lot safer. Agree with you about ones that just live 'out there' for anyone to play with!
     
  15. MarcusMaximus

    MarcusMaximus Member

    Joined:
    Jan 2, 2017
    Messages:
    561
    Location:
    San Jose
    • Informative x 1
  16. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    8,377
    Location:
    Connecticut
    Right, but only user information was hacked... they didn't have access to the encrypted user data (passwords, etc).

     
    • Informative x 1
    • Disagree x 1
  17. Pezpunk

    Pezpunk Member

    Joined:
    Aug 12, 2016
    Messages:
    242
    Location:
    Bristow, VA
    if you are sending credentials over http (as opposed to https) then public wifi is the least of your problems.
     
    • Like x 2
    • Funny x 2
  18. K-MTG

    K-MTG Sunshade Captain of TMC

    Joined:
    Oct 24, 2015
    Messages:
    3,990
    Location:
    Irvine, CA
    As long as someone doesn't hack into my TMC account...I will live!

    I recommend Umbrella OpenDNS VPN...it's $20 a year for unlimited bandwidth from a reputable company OpenDNS. But you can even get a Raspberry Pi and host your own VPN server at home.
     
    • Helpful x 1
  19. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    Use PIA (Private Internet Access) myself, but anything by OpenDNS is good, also!
     
  20. boaterva

    boaterva Supporting Member

    Joined:
    Apr 2, 2016
    Messages:
    2,884
    Location:
    Northern Virginia, USA
    TMC does have two-factor, which is good, with the top secret stuff we talk about here! :D

    I wish Tesla did, but as we discussed somewhere, not sure how the apps that talk to the cars would work with that...
     

Share This Page