I drove with a man in the middle
Flipper Zero has been in the news lately because the Canadian government decided it was a hacking tool that could help people steal cars, rather than a handy tool for understanding how the surrounding networks work. Unfortunately, Tesla has gone and proved their point by configuring an extremely insecure WiFi network. Tesla users are apparently familiar with a network called Tesla Guest, which can be easily spoofed using a Raspberry Pi, Flipper Zero, or any other device capable of broadcasting the SSID.
Since Tesla owners are familiar with this network, they won't think twice about logging into their Tesla account while connected to it. Unfortunately, this means that whoever is broadcasting the hotspot now has their login information, which can then be given to the actual Tesla Guest network to generate and capture a one-time key that bypasses the MFA protection on Tesla accounts. That gives the attacker everything needed to generate a new phone key. No notification is sent to the owner when a new key is generated, so the owner has no idea that a complete stranger can now unlock their Tesla, start it and drive away.
Bleeping Computer says some very simple security requirements, such as the phone needing to be inside the Tesla to generate a new phone key and the physical Tesla card key needing to be present, could mitigate the problem.