This seems like a big security hole, but it puts a giant arrow on the thief that lets them be caught easily. It's a trap for dumb thieves. Basically only good for going for a joyride.
Tesla definitely needs to harden their support desk, however, because that's just embarrassingly bad.
I suspect that the service desk could see that the phone was previously authenticated with that car. My theory is that between that and the VIN, the thief was able to social engineer the service desk into re-authenticating.
As currently realized, service desks can't be hardened against people with inside information, unless bad customer experiences for innocent customers are tolerated. This isn't just Tesla. Any company with customer service is probably like this. Either they're pushovers with decent customer service, or customers think they're a pain.
Whatever gets you access.
>"with a smartphone"
The smartphone was both used to talk to the agent and also, once authorized, to unlock and turn on the car. See below:
"The person allegedly responsible for taking the car is believed to have reached out to Tesla's customer support to add the stolen Model 3 to his Tesla account by its vehicle identification number. Once the vehicle was accessible on a smartphone that was signed into this person’s account, he was reportedly able to unlock the car and drive away without ever needing a key."
> Whatever gets you access.
Well, if you stole the car, and now everyone is aware this is a way to track them...
Why not? Plenty of folks with electric vehicles charge at home and such.
I agree it's usually to chop or sell - in this kid's case though, he was probably planning on keeping it.
I don't own a Tesla, but this implies it's possible to turn the GPS off.
Auto recovery has a terrible success rate. The goal is to get them chopped or into containers for overseas consumption. You will eventually be caught if you keep driving it around.
I strongly encourage anyone with a Tesla (I have a Model 3) to enable PIN to Drive:
Controls > Safety and Security > PIN to Drive
That's disingenuous and the author knows it. Just prior they state that the thief had to call in to Tesla to get authorized.
He didn't do some fancy hack of the car as if he could walk up to any Tesla anywhere and steal it.
Punching out an ignition column with a screwdriver and jumping wires is no more having a key than calling customer service and fooling them into transferring remote control to you. In all cases, you don't have what is commonly understood to be "a key," yet you leave with what you came for.
The common vernacular has an accepted definition of what it means to require a key to do something. Given that this is a criminal matter, you'd have a hard time convincing a jury of yokels to share your understanding.
As far as the car is concerned, he used a proper key.
I'm not sure what your comment about a jury of yokels refers to. I clearly do not mean that he didn't actually steal the car. It doesn't matter if that was with a key or not.
"without a key" is clearly meant to imply that he walked right up. But what he actually did is the equivalent of copying an existing key. IOW, he had a "key" made.
He walked right up, made a phone call and Tesla support literally handed him the car. What encrypted bits got shuffled around to make this happen are secondary to the fact that he did steal the car (and yes, had Tesla fabricate an ethereal key) using nothing but his phone.
That makes this all the more concerning. You can't social engineer technical support to give you a new keyfob in a time that would be practical enough to steal a car.
And in fact, if he could socially engineer his way into one car, he can do it to all of them.
Imagine the inconvenience of having to pull out the key like if it was the 20th century. This is idiotic as now you have the added problem that your car will be stolen for using "password" as a password.
Sure, if you do it at the dealer.
Find someone with a programmer and they can add a key without having the other keys - I've done it myself on my own vehicle.