Security researchers reveal how a $169 gadget can unlock a Tesla and expose car account vulnerabilities


In the United States, cybersecurity researchers demonstrated a disturbing capability: they could unlock, start, and drive a Tesla Model 3 using a modest $169 hobbyist device called Flipper Zero. This pocket gadget, paired with a Wi-Fi card, allowed the replication of a car key signal and bypassed two-factor authentication in the process. The researchers spoke about their experiments in a video linked to the Mysk company channel. Security observers cite these demonstrations as showing how convenience devices can become tools for unauthorized access when misused.

The team used Flipper Zero together with a Wi-Fi card to fabricate a counterfeit Tesla login page, then employed social engineering to coax the vehicle owner into sharing credentials. The setup aimed to capture user tokens from a fake network, while the Flipper Zero displayed the needed password and the two-factor code on its screen. This combination of credential harvesting and real-time code display is what enabled unauthorized access to the account. Security experts note that the attacker could potentially log into the victim’s Tesla account and locate the vehicle through the official app. They also observe that Tesla’s mobile app at times does not alert users when a new device appears on an account, creating a window of opportunity for such intrusions.

Armed with the collected details, the researchers claimed they could control the car remotely, including unlocking the doors. They reportedly located the vehicle via the app and proceeded to demonstrate how the attack path could unfold. The incident underscores gaps in notification systems for new devices and sessions within connected car ecosystems. Researchers have called on manufacturers to tighten device onboarding alerts and to implement anomaly monitoring for unusual login patterns and new device connections.

The Flipper Zero itself is a compact device with a small monochrome display. It is designed to interact with a range of wireless protocols, including Bluetooth, Wi-Fi, NFC, infrared, and conventional radio signals. The device was created by Russian developer Pavel Zhovner and has attracted attention for both educational use and potential misuse. Industry analysts point out that the portability and affordability of such tools present a double-edged sword: they can empower enthusiasts and testers, but also enable well-funded or opportunistic attackers when combined with social engineering.

In a broader regional context, Canadian authorities previously restricted the import and distribution of Flipper Zero within the country because of a rise in vehicle-related thefts and other security concerns. This illustrates a tension between open, accessible tools for learning and the need to guard against their exploitation in real-world crime. Security professionals emphasize responsible handling of hardware research and the importance of safeguarding personal data, credentials, and connected devices against unauthorized access. The discussion around Flipper Zero continues to highlight the ongoing challenge of securing modern vehicles that rely on cloud-linked accounts, mobile apps, and diverse wireless interfaces.
