
Stolen Model 3

Has this been posted?

Tesla Model 3 Stolen From Mall of America Using Only a Smartphone
Tesla Model 3 rental was stolen by reusing authentication key, thief caught days later in another state

With cars becoming more connected than ever, cybersecurity is a hot-button topic that extends past your computer screen and into your car. Using a bit of technology, an alleged car thief was able to get his hands on a Model 3 at the Mall of America and drive away without needing a key. The alleged crime was reportedly committed via smartphone.

A computer forensics specialist who commented on the happenings of the incident was able to narrow down just how the alleged stolen Tesla was taken with such reported ease. The person allegedly responsible for taking the car is believed to have reached out to Tesla's customer support to add the stolen Model 3 to his Tesla account by its vehicle identification number. Once the vehicle was accessible on a smartphone that was signed into this person’s account, he was reportedly able to unlock the car and drive away without ever needing a key.

Several days later, the alleged car thief was tracked down and arrested in the stolen car in Waco, Texas, more than 1,000 miles south of its starting point in Minnesota. Since this person disabled GPS tracking on the car, the owner had to utilize a different method of tracking down the alleged crook. The owner tracked the location of the car's Supercharging and provided it to local authorities where they promptly located the car and arrested the man behind the wheel.
 
Doesn’t make sense that anyone could read off my VIN to a Tesla rep while it’s sitting in a parking lot and have it added to their account.

Well it’s called social engineering, and it can be a powerful technique to play off human psychological vulnerabilities.

If you have never read (or listened to as I did) Kevin Mitnick’s book, Ghost in the Wires, and you are a true geek or techie and love stuff like that, you’ve gotta read or listen to it. It’s eye opening what one can do with social engineering.

Ghost in the Wires
 
I listened to that book as well and couldn't agree more. I would not be surprised at all if he simply tricked the phone rep into giving him the car.
 
Surely Tesla must have some phone security questions to verify that the VIN you provide them with is indeed a VIN you own. I feel like something is missing from the story.

I have never been asked for any account verification info when calling Tesla support.

At least when I had an OnStar vehicle, I had an account PIN I had to use for phone remote unlocks, etc.
 
When you call Tesla support, your phone number comes up on their Caller ID. They already know who you are and your account.

Caller ID can be spoofed extremely easily. I must have had at least 4 spam calls yesterday alone that had the same first six digits as my own phone number.

They should have security questions that they ask you or send you a verification pin via text to the phone number already on the account.
 
When I called customer support to reset our password on our Tesla accounts, the agent asked me which location provided our most recent service appointment before sending me the reset information. This in and of itself is not much of a security feature in remote locations where there is only one service center for a large geographic area. It is a little stronger in urban areas that have several locations.

I honestly do not know how to implement a fool-proof method of confirming one's ownership in matters like this. Perhaps Tesla needs to take initiative by sending certain updates via email periodically that force us to reset information both in the auto and on our private Tesla page. Or perhaps sending a text message to the phone number of record that requires the recipient to confirm to Tesla over the phone by talking to an agent that they indeed initiated this request.
 
The thief had previously rented the car. The owner set up the renter's phone with a phone key, which was a poor choice. The phone key was revoked post rental, but the thief was able to call Tesla and social engineer the key being restored on his phone. Since the key was previously on the caller's device, there was confidence that the caller was an authorized user of the car. This clearly needs to be tightened up on Tesla's end.

tl;dr Don't put your key on stranger's phones.
 
There’s a lot wrong with this. Letting someone just transfer the car? I think this is easily solved with a phone password/code. Attach it to your account and it must be repeated before you can transfer a $50-$70k asset from one account to another. Whatever account the car is attached to receives a text verification code... there’s so many options... for now, I’m covering my VIN because F#€k that...
 
It would be great if we can get some facts on how “easy” this is. Can someone create a new Tesla account (for a trusted partner/spouse/friend) and call Tesla and have them added and report back? I’d do it, but I’m still waiting for mine.
 
And don't tell your wife that the Tesla app tracks your location!

Above sounds like what I believe happened.

You need 2 factor authentication for everything to reduce chances of this.
 
Another thing Tesla could do that I just now thought of is to add an account notification anytime the app is logged into a new device so an owner is aware their car has been added to a new mobile device.

They could also turn on two factor authentication for new account sign ins which is actually a pretty trivial thing to do.
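The controls proposed across this thread (don't trust Caller ID, send a one-time code to the phone number already on the account, confirm before a VIN moves between accounts, notify the owner when the app signs in from a new device) can be sketched as one flow. The block below is an added example written for this page; it is not Tesla's code and says nothing about how Tesla's support tooling actually works. The service class, the account and VIN values, the phone numbers and the SMS/notification "outbox" lists are all constructed for the illustration.

```python
"""Added example (not Tesla's code): out-of-band owner confirmation before a
support-initiated change moves a vehicle to another account.  The one-time
code goes to the *current owner's* phone of record, never to the caller;
Caller ID is ignored for authorization because it is trivially spoofed.
All accounts, phone numbers and the VIN below are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 10 * 60   # code validity window
MAX_ATTEMPTS = 3             # wrong codes before the request is voided


@dataclass
class Account:
    account_id: str
    phone_of_record: str
    vins: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)


@dataclass
class PendingTransfer:
    vin: str
    target_account: str
    code_hash: bytes          # only a hash of the code is stored server-side
    expires_at: float
    attempts: int = 0


class VehicleAccessService:
    def __init__(self, now):
        self.now = now                # epoch-seconds callable, injected for testing
        self.accounts, self.owner_of, self.pending = {}, {}, {}
        self.sms_outbox = []          # (phone, text): stand-in for an SMS gateway
        self.notifications = []       # (account_id, text): stand-in for push/email

    def register(self, account, vins=()):
        self.accounts[account.account_id] = account
        for vin in vins:
            account.vins.add(vin)
            self.owner_of[vin] = account.account_id

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()

    def request_transfer(self, vin, target_account, caller_id=None):
        """A phone rep asks to add `vin` to `target_account`.  `caller_id` is
        accepted only because the rep sees it; it is deliberately unused."""
        owner_id = self.owner_of.get(vin)
        if owner_id is None or target_account not in self.accounts:
            return "rejected"
        if owner_id == target_account:
            return "already-owner"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[vin] = PendingTransfer(
            vin, target_account, self._hash(code), self.now() + CODE_TTL_SECONDS)
        # The code is delivered to the registered owner, not to whoever called.
        self.sms_outbox.append((self.accounts[owner_id].phone_of_record,
                                f"Confirm moving vehicle {vin}: code {code}"))
        return "awaiting-owner-confirmation"

    def confirm_transfer(self, vin, code, from_phone):
        """The owner replies with the code from the phone of record."""
        p = self.pending.get(vin)
        if p is None:
            return False
        owner = self.accounts[self.owner_of[vin]]
        if self.now() > p.expires_at:
            del self.pending[vin]
            return False
        p.attempts += 1
        ok = (from_phone == owner.phone_of_record
              and hmac.compare_digest(p.code_hash, self._hash(code)))
        if not ok:
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[vin]        # voided; a rep must start over
            return False
        owner.vins.discard(vin)
        self.accounts[p.target_account].vins.add(vin)
        self.owner_of[vin] = p.target_account
        del self.pending[vin]
        self.notifications.append((owner.account_id, f"Vehicle {vin} left your account"))
        return True

    def app_login(self, account_id, device_id):
        """Notify on the first sign-in from a device the account has not seen."""
        acct = self.accounts[account_id]
        if device_id in acct.known_devices:
            return "known-device"
        acct.known_devices.add(device_id)
        self.notifications.append((account_id, f"New device signed in: {device_id}"))
        return "new-device"


def scenario():
    """Replays the thread's story (renter with the VIN calls support) against
    the flow above and returns the outcomes."""
    clock = [1_700_000_000.0]
    svc = VehicleAccessService(now=lambda: clock[0])
    vin = "5YJ3E1EA0KF000000"                      # constructed VIN
    svc.register(Account("owner", "+15550000001"), vins=[vin])
    svc.register(Account("renter", "+15550000002"))
    # 1. Caller ID spoofed to the owner's number changes nothing: code goes to owner.
    status = svc.request_transfer(vin, "renter", caller_id="+15550000001")
    code_went_to = svc.sms_outbox[-1][0]
    # 2. Renter guesses from his own phone; three misses void the request.
    guesses = [svc.confirm_transfer(vin, f"{i:06d}", "+15550000002") for i in range(3)]
    locked = vin not in svc.pending
    # 3. A real code presented after the window has closed is refused.
    svc.request_transfer(vin, "renter")
    clock[0] += CODE_TTL_SECONDS + 1
    expired = svc.confirm_transfer(vin, svc.sms_outbox[-1][1].split()[-1], "+15550000001")
    # 4. The owner genuinely approves in time; 5. renter's new device is flagged.
    svc.request_transfer(vin, "renter")
    approved = svc.confirm_transfer(vin, svc.sms_outbox[-1][1].split()[-1], "+15550000001")
    login = svc.app_login("renter", "android-abc123")
    return {"status": status, "code_went_to": code_went_to, "guesses": guesses,
            "locked": locked, "expired": expired, "approved": approved,
            "owner_of": svc.owner_of[vin], "login": login,
            "owner_notified": any(a == "owner" for a, _ in svc.notifications)}
```

The point of the design is that the phone rep never becomes the authentication step: the rep can only open a request, and nothing moves until the registered owner's phone answers with a short-lived code. That is what would have stopped a former renter from getting a revoked key restored by talking to support.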