Видео

Firefox doesn't support the "marketplace-kit" URI scheme at the moment

So it’s good

I made that steps but when i click the button after accepting it in the settings i get an error code that the app could not be installed. Do you know what i could do?

@@paulklundt9365 *BOYCOTT Apple for assisting israel to attempt GENOCIDE!!!*

Open a new browser tab and start over. When you enter the same email address, it will recognize that you have a subscription and will show a link to download the app again without entering your credit card details.

Same any fix

Do it again in a new tab. It worked for me.

exactly, at least for now :-(

I can use it

No, you need to run all the steps on your iPhone.

I wish you were right… anyway, I only can try the PC Windows way now cos I closed that tab with the download button 😅 and I’m not willing to pay again. Good luck and let us know of youve managed it 👍

Got it, as you say on twitter, i was recognized after entering the email adress again and the download button responded this time 👌 tnx

@@michalsykora9875can you help me? I can’t download the damn thing 😅

@@loopthecrook it's a bug with their servers, I can't install it either, 3 payments made with 3 different emails and still no app. There are two things 1 or it's a scam 2 or it's a bug with their servers

The first screen is the fake captive portal. The code wasn't entered on a Tesla website. The attacker took it from the captive portal and entered it in the app. It was only used once.

OTPs have an expiry time. The attacker just has to use the code before it expires. They might not always be able to do it in time depending on the length of credentials and the time the expiry clock started on the code

Can you say the software version your Tesla is running?

same for me

@@hefwilliams5400 Can you say the version of the app and Tesla firmware?

Yes!

Since the captive portal is under full control of the attacker, the attacker can be creative here. But for the sake of this demo, we showed a static 2FA prompt right after the email/password prompt. If the victim's account doesn't have 2FA, the attacker already has the email/password. If not, the 2FA prompt will do the job.

@@mysk Thanks for the response. I meant, how does Tesla know to send the victim a 2FA code if the website is fake and doesn't actually communicate with Tesla services? Or does it rely on the victim using an authenticator app?

@@ThatOneSnake It relies on the victim providing the code. The attacker is asking you for your 2FA code in order to proceed to connect to the bogus Wi-Fi network. Once the victim provides the code the attacker can then use it to login to your Tesla account.

@@pinolero. I get that, but how does the *victim* receive a 2FA code to input? Does the impostor page forward the username and password to the real Tesla page, promoting Tesla to send the Tesla owner a code?

@@ThatOneSnake It should go like this: the victim enters email/password on the fake captive portal ➡️ The attacker gets the email/password from the captive portal and enters them in the real Tesla app. Then, the Tesla app prompts for a 2FA code, so the attacker triggers the fake portal to prompt for a 2FA code. The victim enters the 2FA code ➡️ The attacker gets it and enters it in the real app and signs in. If the 2FA code is not valid, the attacker can prompt for a 2FA code again.

Won't help. Check the pinned comment.

So what's the statusquo, allowed or not ?

@@HACKTIONREPLAY Yes, Apple backed away from disabling PWAs in the EU. So Yes it will be allowed after all!

Yes, this is what was meant by the recommendations. To make it mandatory to scan the key card for a new key to be added. The PIN to Drive is useless as you can bypass it in the app. Refer to the pinned comment.

This prompt appears when you try to remove an already added key. You have to place the key card on the reader for a key to be removed.

​@@mysk no. You need to tap a key card to add a phone.

@@eugenes7799 This is wrong. The demo above as well as the official response we got from Tesla confirm that a key card is not required to register a new phone key. It's only required if the GPS signal is too weak that both the smartphone and the Tesla vehicle cannot determine that they are physically close.

​@mysk Adding a new phone as a key also requires the key card to be tapped. This might not be true for "previously" authenticated phones which could be the flaw you may have discovered. Try with a new phone (never used as a key before) and let us know!

@@Exau89 We tested with devices that have never been paired with the vehicle at all. Perhaps the key card is required when an account creates a phone key for the very first time. But this won't prevent this attack. Anyhow, Tesla's response denies this requirement entirely.

30 seconds should be enough. A sophisticated attacker wouldn't type all that manually, they would copy the text and send it to the phone, then paste it. Plus, the fake portal can prompt the user to enter a new passcode and repeat until it works. Agreed, the PIN to Drive is useless here because you can bypass it in the app.

30 seconds is plenty. You can get it done in 10. The last 20 you can use to check Tesla stock price.

@@mysk if the hacker is sitting around at a supercharger waiting eagerly, and you happen to want to use tesla guest wifi, and you fall for it, and the hacker has a full 30 seconds left in the OTP rotation, and you don't notice a shady person near the car, and you join the wifi then decides instead of using wifi you want to walk away from the car, and the hacker stops charging the car and you don't notice the charging stopped notification, and the hacker manages to drive away quickly, they'll have succeeded in stealing your car just in time for you to call the police and give them the exact location of the car which the owner will still have.

They do. The 6-digit passcode expires in 30 seconds.

The password manager doesn't help here. Also, the captive portal doesn't show the URL. Your answer implies that you haven't used a captive portal before. One can easily be fooled and that doesn't mean that the person is an idiot. Some social engineering attacks are very sophisticated.

@@mysk On Android I have the option to open the site in a browser. And sure does a password manager help as it wouldn't offer you to fill in the data.

phishing is the number one attack vector... pretty much everywhere, and if your answer is "you're an idiot," then you're part of the problem and the reason why security people have such a hard time being taken seriously. Also, if you've never been fooled by a social engineering attack, you've just not gotten the right one yet.

on iOS too, you can close the window and a prompt will be displayed to you: use it without internet OR choose another network. Choose the first and open safari. I use to do that not for security but for checking if internet is working without logging in (or at least some protocols...) @@XxDragonSharKxX