Possible Supercharger Phishing Attack?

This is why one should not connect to WiFi networks that do not require a password (“open” networks). Think Starbucks and hotels and airplanes. And if you do, you must delete them from your known networks right away.

Also, be careful with “take over your phone” as this is not accurate depending on how you interpret it. I want to inform less technically savvy users and get them to have sane security practices. Fear also works, sure.


OK sure, the statement is up for interpretation. My interpretation is it is super easy to have a user accept a "trusted profile" on their iPhone. With that installed, a bad actor can see what you type, insert their own commands directly into your keyboard, gather your passwords in clear text, reconstruct on their browser everything you see on yours, redirect you to bad sites when you think you are going to good ones, capture your session keys for LinkedIn and Facebook to open those pages as you without needing your password, etc. If you don't believe it is possible, here is a 3 minute YouTube video on how easy it is to fully take over an iPhone. User just needs to join a free wifi and accept the profile, which most do. My motives are not fear, but education. The risk is real and very easy to accomplish. But as others have said, use a VPN and don't accept certificates or profiles, even if it looks like it is from a trusted source.
 
  • Informative
Reactions: jkn and brkaus
The home brew VPN ideas are great for the techies but may be worse than bad for the non-techies as they may open holes for bad actors from misconfiguration. I really recommend PIA as in my other post. Google Public Internet Access. You can use it on five devices at the same time, great for when you are on vacation with the family at a beach house using the local wifi, for example. You trust that wifi without a VPN? Not me, you betcha! $40 a year. Excellent deal.

If you want to home brew something, fine, but I'd rather spend my free time in my car (which is showing up in a few weeks!) :D
 
So, I have been reading this thread with curiosity and interest.

After 62 postings, I have inferred that there is potential for nefarious acts on our cars. That is the extent of what I think that I understand. The rest of the discussion is foreign to me with all the acronyms, jargon and other technical bits and pieces.

Here is a good example: Sometimes at Superchargers I use my phone to do stupid stuff. I use whatever wireless service that is with AT&T. Usually it says LTE, sometimes it says 4/3G. I never do banking. I never access my brokerage accounts. I just screw around on FB or play some cards or look at the roads for my next leg. So, is my connection secure? Not secure? How do I know? Does it even matter?

If I could offer one small suggestion: Not everyone knows what you are talking about in matters like this. It would be wonderful if a topic like this had some sort of translation for the computer-impaired.
 
This thread is talking about when you're on WiFi. Depending on your phone, you'll see an icon that looks something like this if you're connected:
[Image: Unknown.png]
Generally speaking, you have to join a network at some time in order to have it join a network with the same name again. If you've joined a "free" network that is open and unencrypted, you are potentially at risk. If you do not make a habit of joining WiFi networks, instead relying on your cellular network (as you indicate), then you're much safer.

When you're using the cellular data network (3G, 4G, LTE) their security is a topic separate from the issues in this thread.

I hope this helps.
 
Basically your phone is constantly beaconing out every wifi you have ever successfully connected to, trying to see if it is available to re-connect. That is why you don't have to do anything when you get home to join, or when you get to Starbucks to join.

I can't speak for Apple devices, but Windows doesn't do this.

Windows will only broadcast out hidden SSIDs - which is required for hidden SSIDs to work (and which is why hidden SSIDs are a very, very dumb idea - and have been from the start).

When you roam between home and Starbucks, it works because the WLAN service listens to which SSIDs are broadcast by the routers, and it will reconnect you to one or the other once it sees them. So for an attacker to get you to connect to them, it will have to know which SSIDs you are looking for up front - it can't just listen for a broadcast (again - apart from hidden SSIDs).

Source: Me - I was on the Windows XP SP2 WiFi team implementing this stuff initially. We identified this as a specific threat back in 2001 and mitigated against it from the start. And by "We identified it", I mean our resident black hat hacker that followed us around and made our life a living hell. (Actually it was a lot of fun seeing what insane scenarios he could come up with to hack these things.)
 
  • Like
Reactions: brkaus
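The following audit is an added example, not part of the original post or written by its author. It reads Wi-Fi profiles in the XML layout that `netsh wlan export profile` writes and flags the two cases this thread warns about: open networks saved for automatic reconnection, and hidden-SSID profiles that make the device probe for the network by name. The sample profiles, SSIDs and finding labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def sample_profile(ssid, auth, enc, mode, hidden):
    """Build a constructed profile in the `netsh wlan export profile` XML layout."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID>
    <nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample data; the SSIDs are made up for this example.
SAMPLES = [
    sample_profile("CoffeeShop-Guest", "open", "none", "auto", "false"),
    sample_profile("HomeNet", "WPA2PSK", "AES", "auto", "true"),
    sample_profile("OfficeNet", "WPA2PSK", "AES", "auto", "false"),
]

def audit_profile(xml_text):
    """Return (ssid, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    get = lambda path: root.findtext(path, default="", namespaces=NS).strip()
    ssid = get("w:SSIDConfig/w:SSID/w:name")
    findings = []
    # No password: nothing lets the device tell the real access point from a copy.
    if (get("w:MSM/w:security/w:authEncryption/w:authentication") == "open"
            and get("w:MSM/w:security/w:authEncryption/w:encryption") == "none"):
        findings.append("open")
        # Saved with auto-connect: the device rejoins as soon as it sees the name.
        if get("w:connectionMode") == "auto":
            findings.append("auto-join-open")
    # Hidden network: the device has to probe for the name itself, disclosing it.
    if get("w:SSIDConfig/w:nonBroadcast").lower() == "true":
        findings.append("hidden-ssid")
    return ssid, findings

def audit_all(profiles):
    """Map SSID -> findings for every profile that has at least one finding."""
    return {ssid: f for ssid, f in map(audit_profile, profiles) if f}

if __name__ == "__main__":
    print(audit_all(SAMPLES))
```

Profiles flagged `auto-join-open` are the ones to forget after use; `hidden-ssid` profiles are better fixed by making the network broadcast its name.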
Of course.

But I don't do anything that will hurt too bad (email, facebook, etc.). I never log onto banking/trading/etc. sites. And I use different passwords for each.

A very good practice to never re-use a password on different sites. However, a very bad thing to underestimate the possible harm that can come from hacking your email. A hacker with access to your email can reset most other passwords on you, including a number of banking sites (go to the site, click forgot my password, ask for email with reset link or on some badly designed sites they'll even email you your password). Consider this:

1. Hacker gets your email password
2. Hacker locks you out of your own account by changing the email password
3. Hacker changes your banking password, goes on to empty your bank account or use it to launder money
4. Hacker changes your ebay+paypal password, starts selling fake/non-existing products from your account, takes the money and runs
5. Hacker changes your Tesla password, takes over your account, can now track your car and steal it
6. You try to regain access to your email, say google or yahoo, but you cannot prove you are the rightful owner - when you signed up, there was never any requirement to give them your driver's license or anything, once locked out, for most of the free email services you really cannot prove you own it, so you're pretty much screwed. The hacker controls your email and can continue to change other passwords on other sites on which you have not yet changed the password, or from which you are now locked out and cannot prove you own the account because you don't have the email.

Sounds like a made up worst case scenario? Well, it's not all that made up, all but #5 above actually happened to my friend's wife not long ago. It really wasn't fun for them to undo and recover (the most they managed to do is have the email provider disable the email address completely - and that took some doing too). This is also not the worst case scenario, there can be much worse.

I work in cyber-security, and trust me when I tell you this, secure your email as well as you would your banking account. Use TFA for important accounts, and if possible, not your cell phone as the second factor, since if someone has control of your cell phone (physically or virtually), they got control of both authentication factors.
 
Definitely agree with this. If you use 1Password (or perhaps other password managers), it can also do TwoFactor time based codes itself and you don't need text messages (bad, uses phone) or a separate app (also need to rely on a separate app).

The original version of 1P is one type of password manager that doesn't rely on a password vault being on the company's servers.
 
Yes, good point, forgot about that.

But lots of people have iPhones with no Mac. Is there a way for those iPhone users to cleanup their list?

Easiest way is if you have iCloud Keychain configured. If you do, your wi-fi settings are synced across devices. You can easily clean this data from a Mac, which will then get pushed to your iOS device(s).

If you don't use iCloud Keychain, which you won't, since you don't have a Mac, it's a little more difficult. You can remove them one at a time, but only if the network is nearby. Go to the wi-fi settings, select the "i" next to the network you no longer want to connect to and then select "Forget this Network". Your device will no longer connect.

Unfortunately, I don't think you can view the list of all networks you are trying to use in the case of an iOS device that is not syncing passwords via iCloud.
 
You forgot the worst possible scenario....if a hacker hacks your TMC account!!!!
 
  • Funny
Reactions: boaterva and Max*
That's actually a very good point I didn't think about, thanks.

I do have TFA on email and any place that lets me set it up.
 
Make sure whatever way you access your email is secure (at least https or some protocol over TLS). Even if the hacker cannot change your email due to TFA, just being able to access your email opens the door to a lot of the aforementioned exploits.