A popular news story last week asserted that a man stole a Tesla Model 3 with only a smartphone.
News outlets like Fox 9 News claimed, “Man uses smart phone app to steal Tesla”, while IFL Science sought to enlighten readers as to “How someone stole a brand new Tesla using only a phone”.
From headlines alone, one would assume Tesla has a huge security flaw. If a simple thief was able to steal one of their cars, why couldn’t any Tesla be stolen with just a phone?
Because that simply wasn’t the case.
To be fair, yes—a Tesla Model 3 was stolen, and yes, a phone was used in the heist. However, the thief combined a deep understanding of the Tesla security system with social engineering.
To get the complete story of how this happened, one must first understand the basics of Tesla’s vehicle-tracking and security application. The Tesla application allows the owner to lock and unlock their car from anywhere as long as they are logged in to the app, and the car is mapped to their account. To map a car to an account, one must have proof of purchase and the car’s vehicle identification number (VIN), or permission from the current owner.
The specific car that was stolen was owned by rental company Trevls, which specializes in electric cars. The perpetrator had legally rented the Model 3 from Trevls in the past. During that rental, his Tesla account was temporarily mapped to the car. When he returned the rental, Trevls removed his access to the car.
Weeks later, the former renter returned to the parking garage at the Mall of America, where the vehicle was stored. He called Tesla’s support center and claimed his car had suddenly been unmatched from his account and that he was stranded at the mall. Tesla support requested the VIN to grant access to the car. The thief read the VIN right off the car’s dashboard and was given full access.
This happened only because the individual was previously associated with the vehicle and his story seemed to check out.
Soon, the car was mapped to his account, the GPS was disabled, and the Model 3 was driven away. After some time, law enforcement managed to track down and arrest the suspect by following the locations at which the car had been charged at Tesla Supercharger stations. The authorities managed to do this by checking Tesla’s online Supercharger billing system.
Multiple publications have approached Tesla with questions about the incident; all have been shut down.
It is worth noting that Tesla currently holds the record for the highest percentage of stolen cars returned. There have been 115 reported cases of stolen Teslas, and 112 of them have been returned.