The article doesn't misconstrue, but it also fails to mention that the attack can be done with any computer with a wifi chip. Not that surprising for a rag like Gizmodo.
Edit: they do mention that at the very end of the article
>The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information.
Accurate headline: "The credentials on a Tesla account are used to operate one's car. You can steal a car by tricking someone into giving you their credentials."
This is just a fake wifi hotspot + legit-looking landing page to get someone to enter their credentials. One could do this anywhere -- Starbucks, library, transit.
Why include the Flipper Zero in the ‘hacking’ equation when the same task can be accomplished with an Alfa Wi-Fi adapter and a laptop, from a distance far from the Tesla (say inside your car in the parking lot near the charging station), unlike the Flipper? It seems to me that these researchers are merely seeking cheap publicity by riding on the coattails of the Flipper Zero controversy. A clueless government official - looking at you, ISED - will see the title and will rush to ban the Flipper when the real issue has never been dealt with.
> Worse the Flipper Wi-Fi module isn't even standard
The range is poor too. For that attack to work, the Flipper's wifi should be stronger than the Tesla's so the client connects to it instead, as it will prefer the stronger signal, so you will probably need to be standing next to the Tesla for it to work.
Tesla should just implement support for passkeys. Since WebAuthn credentials are bound to the domain they are created for, they are strongly phishing resistant.
If you could log in to the Tesla app with a passkey instead of password + TOTP, then a fake phishing site (on a different domain) would be unable to steal people's Tesla account credentials.
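An added illustration of the domain binding described in the comment above (not part of the thread and not Tesla's code): a simplified browser-side scoping rule plus the relying-party checks on `clientDataJSON` and `authenticatorData`. The RP ID `auth.example.com`, the look-alike host and all function names are assumptions; the public-suffix check and signature verification are left out.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "auth.example.com"                      # placeholder relying-party ID (assumption)
ALLOWED_ORIGINS = {"https://auth.example.com"}  # origins the server accepts

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def browser_allows(page_origin: str, rp_id: str) -> bool:
    """Client-side scoping (simplified): a credential is only offered when the
    RP ID equals the page's host or is a parent domain of it, over HTTPS."""
    parts = urlsplit(page_origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def make_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two structures a relying party receives."""
    client_data = json.dumps({"type": "webauthn.get", "origin": page_origin,
                              "challenge": b64url(challenge)}).encode()
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")
    return client_data, auth_data

def verify_binding(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Server-side checks tying an assertion to this site; returns the failed checks.
    Verifying the signature over auth_data || SHA-256(client_data) is a separate step."""
    failures = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if cd.get("origin") not in ALLOWED_ORIGINS:
        failures.append("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:
        failures.append("user-present flag")
    return failures

if __name__ == "__main__":
    ch = b"\x01" * 32  # constructed challenge
    for origin, rp in [("https://auth.example.com", RP_ID),
                       ("https://auth.example.com.login-portal.test", "auth.example.com.login-portal.test")]:
        cd, ad = make_assertion(origin, rp, ch)
        print(origin, "| offered for RP_ID:", browser_allows(origin, RP_ID), "| server:", verify_binding(cd, ad, ch))
```

A password and TOTP code typed into the look-alike page would be accepted by the real site unchanged; here the look-alike origin fails at both layers.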