A 21-year-old car-hacker has been arrested for allegedly driving away with a Tesla Model 3 without needing a key. According to reports, he was able to use an app on his smartphone to gain access to the car at a Mall of America in Minnesota and drive it away.
The car belonged to a local car rental company, Trevls, who specializes in electric vehicle rentals only based in Bloomington, Minnesota.
The thief was later arrested a few days later at a Supercharger station by police 1,000 miles (1609 km) away after the owner tracked it down despite the fact that the thief had disabled the car’s GPS.
There has been a spate of car thefts in Europe of late with thieves cloning the RFID signature of cars' remote key fobs. Tesla tried to stop this by implementing an optional PIN code on the Model S, 3 and X that owners can get before driving their cars.
If activated, once the car detects the fob and boots-up, a keypad appears on the center touchscreen. The drivers can either enter their pin to drive away or use their Tesla account credentials.
How did the car-hacker do it?
Computer forensics specialist Mark Lanterman, later told Fox 9 News how it might have been possible for the thief to pull off this trick. His investigations found that the car-hacker contacted Tesla's customer services and added the Tesla to his Tesla account using its VIN number.
“What it sounds like this person may have done is convince Tesla to take the VIN number of that vehicle and add it to his Tesla account,” Lanterman explained. “By doing that, you can do that with a phone call. By doing that, you can now control the Tesla from an app on your phone."
With it added to his account he was able to unlock it using his smartphone and drive away without a key.
The Tesla thief was a regular customer
According to an interview with Fox 9 News, the thief was a regular customer of the company. He had rented cars from them half a dozen times and often bragged about his knowledge of Tesla and its security systems.
“I don’t think it’s that easy,” John Marino, the owner of Trevls told. “I think this guy had a next level of information on how to do it."
Once the owner, John Marino, had noticed the car was missing he was unable to locate the car using GPS as the thief had disabled it. He needed to use some lateral thinking and was able to track the stolen Tesla from its Supercharger location in Waco, Texas.
The owner was able to do this as Tesla Supercharger stations log the car's location on the owner's online billing system. He promptly provided the information to local law enforcement who quickly located it and arrested the thief at the scene.
“Tesla is not the car to steal,” Marino told. “The amount of data Tesla collects is actually kind of creepy."