- This video is brought to you by NordVPN.
Lately I've been having an
issue with my Tesla account.
Maybe some of you clever
folks out there are trying
to hack my account, I don't know.
But I'm getting this
message that is saying
I need to reset my password
because there's been
too many login attempts and
it's weird because I've changed
my password so many times because of this
and I'm just kinda stuck.
But it got me thinking
and I think I discovered
a major security
vulnerability that affects
any of us Tesla owners, let's dive in.
(upbeat music)
The first time I heard
of a Tesla being stolen
is when I saw this video here
of some guys in the UK who
basically cloned the key fob
signal because it was made
with a really kind of poor
low level of encryption and
then were able to unlock
the car and drive away with
it, including disabling
the remote tracking, the mobile access,
and so neither Tesla nor the person themselves
can actually track it.
Now maybe potentially they could track it
by the cell tower it's
pinging because they have
that built in connection
which you can't disable,
currently can't disable, but in any event,
the key fob was insecure so Tesla
added a feature called PIN to Drive.
This PIN to Drive feature allowed you
to basically set up another PIN code
that you had to enter
in the vehicle itself
in order to drive it.
So no matter if you
had the key fob or what
or even the key card for
the Model 3 in the car,
you still had this PIN to
Drive feature where you had to
enter that otherwise you
couldn't go anywhere.
So you know it kinda solved that problem.
And then there were
these white hat hackers
in this contest called Pwn2Own,
these are the good guys,
that are trying to find
these vulnerabilities
so the rest of us can
you know be protected
from many issues there.
They were able to take control
of a Tesla Model 3 from a
vulnerability in the web browser.
Now I've complained about
the browser in the past
and this was just another example of that.
So in response Tesla is now
updating the web browser
to Chromium, which is the
core that Google Chrome uses
and now Microsoft Edge is also using
to run kind of all the things
that a browser needs to do.
So it's exciting you know
to see a company like Tesla
who is as much a software company
as they are a hardware company,
when a bug or some kind
of security vulnerability gets
exposed, they fix it, right?
As the PIN to Drive feature
showed us with the key fob hack
and now the browser update in the Model 3
after you know that contest that happened.
So with all that said
the thing I discovered,
the thing I found was
that with the username
and password of someone, you
can essentially steal their car
and there's nothing they can do about it.
All you need is a username and password.
PIN to Drive doesn't matter,
it doesn't matter any fingerprint
authentication in the app,
none of that stuff matters if you have
somebody's username and password.
Now this could all be fixed,
this could all be prevented
if they enabled two factor authentication.
Two factor authentication
or just 2FA as you'll see it
written a lot of places,
works by requiring a randomly
generated PIN code when logging in
from a new location or device.
For example, if I go to my
bank website and try to login,
I'll enter my username and
password, then it will ask me
for a PIN code which is randomly generated
using a separate app that I've authorized
to generate these codes.
So I have to go get that pin code
and enter it as a second
step for the login.
But on the Tesla app, this doesn't exist.
So if I had your username and
password, I could just simply
login to the app and find
out exactly where you are
and make sure it's the
perfect time to take the car,
then I could just drive away with it.
I could literally walk
up to it, unlock it,
enter keyless driving and it'd be mine.
So you may be thinking, what
about that PIN to Drive feature?
I have to have the PIN to enter it?
No.
Because from the app, you can disable this
and in the car itself when you're doing
the PIN to Drive, when it pops up,
it says "Don't remember your PIN?
Enter your Tesla credentials."
So you just need the
username and password.
The PIN to Drive feature
doesn't help protect
against this at all.
So then you might be
thinking well you know,
my Tesla account is secure, right?
I have a different username
and a different password,
it's totally unique, right, right?
Here is an experiment I did recently
to show just how easy it
is to get someone's Tesla
credentials using a very common technique
from penetration testing
and the hacker community.
Okay guys so I'm here at a supercharger
and I have this thing set
up called a WiFi Pineapple.
All it is is a fake WiFi network
that makes it look like
you need to enter your Tesla credentials
in order to connect and so
the idea is could I actually
get someone to login with
their Tesla credentials
and take their car, because
that's all you need.
All right let's see if
anyone actually connects.
(upbeat music)
All right we've got one.
Okay so we've got someone,
I think they're gonna connect right now.
I think he just connected.
Oh man, oh man, here we go, here we go.
Okay okay he's gone.
Now let's see what happens, he connected.
All right I have his login.
Let's see if this works.
(laughing)
Oh!
Oh!
I am in.
Okay.
Well let's see if we can
just flash the lights.
Okay.
Let's go take it for a ride.
(upbeat music)
Okay.
All right so he's not here.
I need to drive it.
Okay keyless driving.
So again all I have to do
is enter the Tesla password.
Start.
Okay.
Bye.
- Where the hell's my Tesla?
Where the hell's my Tesla?
Where'd it go?
Where'd it go?
- Okay so yes of course that
was just a dramatization.
That was me and my friend Pat doing this
kind of as a way to show
how that would work.
But what I showed there
is a very real technique
that black hat hackers use,
those are the bad guys,
to steal people's credentials.
A common thing they'll do is
they'll go to a public space,
like Starbucks let's say,
and pop this little thing
out there and then anybody in the area
will connect to it, it'll
ask you for your username
and password and boom
if that happens to be
the same password you
used for something else,
like your Tesla account, they've got it.
They've got everything
they need to take your car
and there is nothing
you can do to stop it.
Plus if you're like one
of the over 70% of people
that report using the same
password for different logins,
it might not even matter if
someone steals it currently.
They may already have it.
And even if you do use different passwords
for almost everything,
there have been over 3,200
data breaches in the past three years,
exposing nearly everyone on the internet
at some point or another.
Seriously, anyone that's
online has likely had
their info leaked from
one company or another.
If you wanna go check, look
at my friend Troy's website
called Have I Been Pwned and
you can just pop your email
in there and it'll tell
you if you've been included
in any of these 3,200 data breaches
that is something over
seven billion user accounts
in the past three years that
they've been collecting.
Go ahead and do it, I'll wait.
Right here.
Scary right?
Now all of this could be totally solved
if Tesla enabled two factor authentication
and when I asked Tesla about this,
unfortunately they didn't
have a great answer.
They just simply stated
they do not support
multi-point or two factor
authentication at this time.
I hope that that changes
because for a lot of us
these cars are not just cars.
They're something that you
know now they're being built
to last a million miles and
could be revenue generating
with the Tesla network
and the fully autonomous
option in the future.
So this isn't just something
you know that is disposable
like your cellphone or
some of these other things
that we're used to upgrading
every couple years.
These things are made to last
and can become investments for us.
And so I think and I hope they agree,
I hope we all agree that
adding a reasonable amount
of security to this
system, to help us protect
our investments, makes sense.
And I hope it's one that
they'll find this video
and they'll act upon.
And if you'd like to help,
check out in the description,
I have a tweet that I'm
hoping everyone will send
to them to kind of draw
their attention to this video
because this is scary,
this is not something
that I ever intended to make a video on
but I just feel so compelled to do it
because everyone cares about this stuff
and I hope you agree that
this is worth caring about.
But what can you do?
Well there's kind of two things.
One is to use a custom username
and password just for this account.
So that means creating
probably a new email address
or an alias of an email
address or whatever
so that way it's not something
that is commonly used
and you know if your
account was compromised,
if you check Have I Been
Pwned you probably know,
so it's not something else out there,
it's totally unique for this
and using a really complex
password that is generated
from some sort of generator.
So you know figure that out,
there's lots of tools and ways.
I'm not gonna go into those details here.
But the other thing is
to use a VPN service
when you're browsing the web.
This is where today's sponsor,
NordVPN, comes into play.
NordVPN offers secure and
private access to the internet.
It's like having your own protected bubble
when you're out there so
other people trying to steal
your information can't get it.
It allows you to protect all your devices,
your Windows devices, your
Mac, your Linux devices,
Android, and iOS all
across the same connection
and you're able to do that
for just 2.99 a month.
Now one of the problems with
most VPNs is that they're slow
because essentially what you're doing
is routing your traffic
through a separate location.
But NordVPN has over 5,200
servers in 60 countries
and offers the fastest VPN
experience in the world.
So go check out NordVPN
at nordvpn.com/teslanomics
and get 75% off a three year plan,
making it just 2.99 a month.
And when you enter code
TESLANOMICS at checkout,
you get an extra month for free.
And let me know what you think.
I hope this helps, I hope
you guys are inspired
to contact Tesla and ask about this.
I hope this inspires Tesla to
actually enable this for us
because it's not really that hard
and can really go a long way to protecting
these investments that we all have.
Leave me a comment down below
and let me know what you think.
And don't forget, when you free the data,
your mind will follow.
See you guys back in the next one.
(upbeat music)
- This is my friend Pat Flynn.
- What's up.
- Who has an awesome YouTube channel
helping people learn
about, what's the tagline?
I love it now, it's help people...
- Help people make more
money, save more time,
and help more people.
- So go check him out.
I used his advice many years ago
from his podcast and it's super helpful
if you're looking to get into YouTube
or grow an online business
or really just become an
entrepreneur in any regard.
So thanks Pat for coming out.
Thanks for letting me steal your car.
- Yeah, I hope this video helps you
do what you want to do
and I don't want anybody
to steal my Tesla for real.
So hopefully they'll listen and fix this.
- Yeah they gotta do something.
(upbeat music)
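As an added worked example (not from the video, and not Tesla's code), here is what the second-factor check described in the video looks like on the server side: a time-based code (RFC 6238 TOTP, the scheme most authenticator apps use) verified alongside the password, so a phished or reused password on its own is rejected. The shared secret is the RFC 4226/6238 test secret and the user record is constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length shown by the authenticator app
# RFC 4226/6238 test secret "12345678901234567890", base32-encoded the way an
# authenticator app stores it (a real deployment generates a random secret per user).
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: the code the authenticator app displays for this 30-second window."""
    return hotp(secret_b32, at_time // STEP_SECONDS)

def verify_second_factor(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or +/- `window` adjacent steps (clock
    skew), compared in constant time so a near-miss does not leak through timing."""
    counter = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if counter + delta >= 0 and hmac.compare_digest(hotp(secret_b32, counter + delta), submitted):
            return True
    return False

def make_user(password: str, totp_secret_b32: str) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = b"constructed-fixed-salt"  # demo only; generate a random salt per user in practice
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_secret": totp_secret_b32}

def login(user: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass: a phished or reused password alone is rejected."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    return verify_second_factor(user["totp_secret"], code, at_time)
```

The one-step window tolerates a phone clock that is slightly off; widening it further weakens the factor, so keep it small.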
