According to what seems like half the internetTHE Pinball Zero is a harmful tool which allows the villainous witchcraft known as “piracy.” More recently, articles have circulated claiming that Pinball allows hackers to steal Teslas directly under the noses of their good hardworking American owners – a crime that certainly deserves to be tried in The Hague.
Except that’s not really true. Although the “hack” is real – just not in the way you think – Flipper is flawless in the situation. Not only does this not really help bad actors, but it actually makes their lives more difficult than just doing the same thing on a laptop.
Part one: the attack
First, let’s talk about the attack itself. Any first-year computer security student – like I once was – can tell you that the weakest part of any computer system is the meatbag that uses it, and the smartest attacks exploit this weakness rather than any type of code. This Tesla attack is one of them, called phishing attack.
A phishing attack is one in which an attacker requests information from a user, while pretending to be someone who deserves a response. When you receive an email warning you of suspicious activity on your Gmail account, it then sends you to a fake login page in the hope that you enter your real username and password, this is phishing.
In this specific attack, malicious actors set up shop in a Tesla Supercharger location and open a public WiFi network called “Tesla Guest.” When a Tesla owner logs in, they are taken to a login page asking for their username and password for the Tesla app. Once these are entered, the fake network requests a two-factor authentication code, and all three pieces of information are transmitted to the attacker.
The attacker must then enter that user’s login information into the real Tesla app before the two-factor code expires, granting access to the Tesla owner’s account and all of its features connected to the car. These features include using a phone – like the one the attacker just logged in from – as a key, which could theoretically be used to unlock the Tesla and drive away. It’s as easy as pie, if the pie couldn’t stay in the oven for more than 30 seconds before becoming crispy.
Part two: Pinball Zero
In the demo, this attack is carried out using a Flipper Zero to generate the fake WiFi network. This is a feature that Flipper has, it can create a WiFi network without any real internet connectivity, just like many wireless devices.
Raspberry Pi, laptops, cell phones, GoPro cameras, home theater soundbar in my living room, all of these devices can create a WiFi network. Granted, many don’t offer much control over this network – although I’m sure there is custom software to hack a GoPro or soundbar – but many TO DO. A laptop could pull off this stunt as easily as any Pinball machine.
Easier, in fact, when you consider that laptops come with factory-built-in WiFi. Fins, for all their connectivity, do not – a WiFi development boardwith the necessary antenna, must be purchased separately and added before the device can actually do everything shown in the demo.
Part Three: None of This Matters Anyway
And there is still this word, demo. Like many recently published exploits, this attack is entirely theoretical: it took place under controlled conditions by someone who was sitting on both sides of the attack, not in the wild facing unsuspecting victims. If an attack only exists in a YouTube video showing it working, does it really exist?
The researchers who discovered the vulnerability, Mysk, published it in order to get Tesla’s attention. They are gray hats — sure, they released a vulnerability, but the goal is to get Tesla to fix he. Specifically, they want stronger protections within the Tesla app, to prevent bad actors from easily creating new phone keys without the car owner’s knowledge.
This “hack” is not a hack, not in the sense that most people think. This isn’t a person in a trench coat and sunglasses in a dark room, typing green text on a black terminal to get onto a mainframe and do it. crimes. It’s social engineering… Mr. Eddie Vedder from Accounting calls Norm from Security after a power surge, asking for the phone number on the modem to complete this project.. It’s theoretically possible, of course, but it’s unlikely everything will line up just like that for the attack to work – and if it does, it’s certainly not Flipper Zero’s fault.
News Source : jalopnik.com
Gn tech
