Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

Possible Supercharger Phishing Attack?

This site may earn commission on affiliate links.
#41
rxlawdude said:
So let's see. No public presence on social media. Everyone that can fog a mirror knows that mother's maiden name is not a sufficient security question. I really don't think anyone (no matter how determined) could find the names of primary and secondary schools I went to back in the 1950s and 1960s.
Click to expand...
Sounds like you're likely to get passed over in favor of the next mark who wasn't as reserved! Being the harder target is a decent defense strategy in a herd (of potential Teslas to steal).

It feels like that old phrase "don't take any wooden nickels" should be updated to "don't use any public hotspots".
 
#42
rxlawdude said:
I'll tell you a secret: the "core" of my password schema (modified for each site) are the license plates from my first two cars. There's NFW anyone (except a time traveler) would know those, so I'm not worried about being hacked.
Click to expand...

I have a hard enough time remembering the licence plate numbers of my current vehicles, let alone my old ones, so I just go with the name of my first pet... ;)
 
#43
The second rule of infosec is make up your security question answers. How do you remember these random answers? Store them in the first rule, some sort of password manager for the random passwords.

Anyone using real answers to 'security' questions deserves what Sarah Palin got.
 
  • Like
Reactions: Max*
#45
tizio said:
Sounds like you're likely to get passed over in favor of the next mark who wasn't as reserved! Being the harder target is a decent defense strategy in a herd (of potential Teslas to steal).

It feels like that old phrase "don't take any wooden nickels" should be updated to "don't use any public hotspots".
Click to expand...
The insidiousness of this attack is if Tesla service centers use the same name for their SSID, "Tesla Guest," and people have connected to that before at a service center there's a good chance their phone will autoconnect to any wifi access point it encounters in the future with that same SSID, including an attacker's one.

What SSID does Tesla use for the guest wifi at Service Centers?
 
#46
Canuck said:
What about Google Chrome? Do you enter your passwords manually every time? If not, it remembers them all and I often go into Password Manager in Chrome to find my passwords when I forget them.
Click to expand...
Only for things I don't care about, like TMC ;)

Nothing real (no banks, no CCs, no email, no social media, etc.).

I'm paranoid. But I've been hacked before (PayPal account, which I haven't used in years, had a weak password. They didn't get away with it - and obviously couldn't use the password anywhere else)
 
#48
boaterva said:
The second rule of infosec is make up your security question answers. How do you remember these random answers? Store them in the first rule, some sort of password manager for the random passwords.

Anyone using real answers to 'security' questions deserves what Sarah Palin got.
Click to expand...
I've heard of this, and this is great advice.
 
#49
Add these 3 things together,

1. The state of computer security +
2. Our dependence on computers +
3. The incredible lack of computer expertise in users, decision makers, and developers

.. and we have an incredible cocktail for disaster. That is our state of computer security.

Think of this as an example.
All of you, yes ALL of you, have your SSN floating around on the darkweb.
Don't believe me? Download tor, and start searching onion sites for your name. You'll be scared out of your panties!
Yet, a basic thing like getting a credit card in your name, does not require 2 factor auth.

Here is another example of sheer incompetence. Until April last year, Experian was using 56bit SSL.
You can crack that with the processing power of an iPhone in < 2 minutes. And they were in no rush to fix this.
Of course it was never coverd in news, but did you hear about tmobile loosing 15 million customer's data?
Yep that was thanks to Experian! That is what got them to fix this.
 
#50
To the non-tech geeks around here, here is an non-exhaustive and imperfect list, but a good start:
  • Be careful.
  • Learn to notice what seems out of place and unexpected.
  • Never enter your credentials anywhere if you have a doubt. For example, if it is not in Tesla's app or tesla.com
  • Use a password manager and learn to use it: it will allow you to use long and complex passwords. I don't even know what my Tesla password is. I just know how to get to it. And change your passwords regularly. In the Apple world, iCloud has a built-in password manager, use it (or a third-party if you trust it).
  • Open WiFi networks (those without a little lock icon next to them in the list on your phone) should never be used. Like in airports. Even Tesla's own in their Service Centers. You have 3G and LTE, use that.
  • Be wary of your surroundings, as the situation highlighted by the OP would leave the door open (not a pun, I swear) to a bad actor stealing your Tesla credentials, and using them to unlock your car from their app and stealing it.
And again, Supercharger locations do not offer WiFi.
 
Last edited:
  • Like
  • Helpful
  • Informative
Reactions: tizio, jerry33, boaterva and 1 other person
#52
If you are not familiar with Wifi Pineapple attacks, you should turn off Wifi on your phone. Basically your phone is constantly beaconing out every wifi you have ever successfully connected to, trying to see if it is available to re-connect. That is why you don't have to do anything when you get home to join, or when you get to Starbucks to join.

For $99, anyone can buy a Wifi Pinneaple (WiFi Pineapple - Home) device and power it from a USB battery pack. This device has 3 wifi networks. One that the hacker joins to a legit public connection like a nearby Panera Bread. The other one is in listening mode for any device beaconing any SSID. It then offers that SSID up on the 3rd connection and becomes a router between you and the live internet connection. Your device already trusts the connection because it has connected before and you are getting Internet access just like you expect. However, the Pineapple is a "man in the middle" is logging everything you do to an internal memory card. It can even strip out HTTPS and other SSL traffic to capture your passwords and other information. To make it worse, 50% of mobile users will also see a message "You must click this box to accept terms of service" and blindly accept a certificate offered to them. This will install a profile on your device that allows the hacker to fully take over your phone, get your contacts, email, etc. even after you disconnect from the wifi.

Want to see how many of these are near where you live/shop? Go to Do you feel safe? and put in a location. I put in my nearest supercharger and see 3 devices trying to spoof the SSID of "attwifi" and "hhonors".
 
  • Like
Reactions: tizio
#53
Bumper said:
If you are not familiar with Wifi Pineapple attacks, you should turn off Wifi on your phone. Basically your phone is constantly beaconing out every wifi you have ever successfully connected to, trying to see if it is available to re-connect. That is why you don't have to do anything when you get home to join, or when you get to Starbucks to join.

For $99, anyone can buy a Wifi Pinneaple (WiFi Pineapple - Home) device and power it from a USB battery pack. This device has 3 wifi networks. One that the hacker joins to a legit public connection like a nearby Panera Bread. The other one is in listening mode for any device beaconing any SSID. It then offers that SSID up on the 3rd connection and becomes a router between you and the live internet connection. Your device already trusts the connection because it has connected before and you are getting Internet access just like you expect. However, the Pineapple is a "man in the middle" is logging everything you do to an internal memory card. It can even strip out HTTPS and other SSL traffic to capture your passwords and other information. To make it worse, 50% of mobile users will also see a message "You must click this box to accept terms of service" and blindly accept a certificate offered to them. This will install a profile on your device that allows the hacker to fully take over your phone, get your contacts, email, etc. even after you disconnect from the wifi.

Want to see how many of these are near where you live/shop? Go to Do you feel safe? and put in a location. I put in my nearest supercharger and see 3 devices trying to spoof the SSID of "attwifi" and "hhonors".
Click to expand...

Why does the phone have to beacon up a wifi SSID that is public/published? Just curious.

Definitely agree on the risk of the standard wifi names. Big problem with iOS that there is no way to see and prune the list of past SSID names unless you're in range of the network. I typically try to remember to delete thinks like hhonors before i leave. But if I forget, stuck.
 
Last edited:
#54
brkaus said:
Why does the phone have to beacon up a wifi SSID that is public/published? Just curious.

Definitely agree on the risk of the standard wifi names. Big problem with iOS that there is no way to see and prune the list of past SSID names unless you're in range of the network. I typically try to remember to delete thinks like hhonors before i leave. But if I forget, stuck.
Click to expand...
You can delete them after the fact. On a Mac, go to your networking, click on your wifi NIC and click advanced. The first tab is all the SSIDs your Mac (and your iPhone) will try to auto-connect to. You can find these on a PC too, but they are not synced from your phone so it is a different list.
 
#55
Sir Guacamolaf said:
End of SMS-based 2-Factor Authentication; Yes, It's Insecure!
Click to expand...
From the NIST publication re SMS hijacks:
An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker.

In other words, the attacker must know your mobile network and enough identifying information to convince the mobile operator that he/she is you.

I'm not that worried. The hacked user would, of course, notice their mobile device no longer works.
 
  • Informative
Reactions: Sir Guacamolaf
#56
Bumper said:
If you are not familiar with Wifi Pineapple attacks, you should turn off Wifi on your phone. Basically your phone is constantly beaconing out every wifi you have ever successfully connected to, trying to see if it is available to re-connect. That is why you don't have to do anything when you get home to join, or when you get to Starbucks to join.

For $99, anyone can buy a Wifi Pinneaple (WiFi Pineapple - Home) device and power it from a USB battery pack. This device has 3 wifi networks. One that the hacker joins to a legit public connection like a nearby Panera Bread. The other one is in listening mode for any device beaconing any SSID. It then offers that SSID up on the 3rd connection and becomes a router between you and the live internet connection. Your device already trusts the connection because it has connected before and you are getting Internet access just like you expect. However, the Pineapple is a "man in the middle" is logging everything you do to an internal memory card. It can even strip out HTTPS and other SSL traffic to capture your passwords and other information. To make it worse, 50% of mobile users will also see a message "You must click this box to accept terms of service" and blindly accept a certificate offered to them. This will install a profile on your device that allows the hacker to fully take over your phone, get your contacts, email, etc. even after you disconnect from the wifi.

Want to see how many of these are near where you live/shop? Go to Do you feel safe? and put in a location. I put in my nearest supercharger and see 3 devices trying to spoof the SSID of "attwifi" and "hhonors".
Click to expand...
This is why one should not connect to WiFi networks that do not require a password (“open” networks). Think Starbucks and hotels and airplanes. And if you do, you must delete them from your known networks right away.

Also, be careful with “take over your phone” as this is not accurate depending on how you interpret it. I want to inform less technically savvy users and get them to have sane security practices. Fear also works, sure.
 
  • Like
Reactions: tizio
#57
Bumper said:
You can delete them after the fact. On a Mac, go to your networking, click on your wifi NIC and click advanced. The first tab is all the SSIDs your Mac (and your iPhone) will try to auto-connect to. You can find these on a PC too, but they are not synced from your phone so it is a different list.
Click to expand...
Yes, good point, forgot about that.

But lots of people have iPhones with no Mac. Is there a way for those iPhone users to cleanup their list?
 
#60
ohmman said:
As far as another option for VPN, OS X Server offers a VPN solution. I have a couple of servers running at the house and run my own VPN, which I always use when I'm using WiFi out of the house.
Click to expand...

Yup, I have mine running on my Mac Mini Server. And I got a gigabit upload/download connection so using a VPN doesn't have much of an adverse effect with internet speed for me!
 
You must log in or register to reply here.

Similar threads

4SUPER9
12V Access: Model S 2021 Refresh
Replies
384
Views
68K
Model S
myblubu
myblubu
G
3 Unintended Acceleration events when parking my Tesla S P in my garage.
Replies
68
Views
17K
Model S: Driving Dynamics
DerbyDave
DerbyDave
N
  • Poll
Tesla Mobile Home Research
Replies
2
Views
2K
Tesla, Inc.
robby
robby
Jean-Claude
Vendor Blackvue dashcam installations on Model S and Model X in Atlanta
Replies
0
Views
3K
Southeast
Jean-Claude
Jean-Claude
Pluto
A deep dive into the direct sales legalization debate
Replies
1
Views
2K
Tesla, Inc.
Sprandt23
Sprandt23
Top
Back
Blog
New
Forum list
Marketplace
Menu