Despite their popularity, Tesla cars have a reputation for being hackable, and a new video shows how a skilled attacker could break into a car's systems and steal it in no time. By exploiting a flaw allegedly introduced by an update that Tesla released last year to make its electric cars easier to start, Martin Herfurt, an Austrian cybersecurity researcher, managed to open and take control of a Tesla in just 130 seconds. That feature makes it possible to start a Tesla simply by unlocking the door with an NFC key card.
As he explains in the video that accompanies his discovery, Herfurt believes that this flaw was introduced by Tesla itself. To understand what he means, you need to understand how a Tesla unlocks. The NFC (near-field communication) key card is one of three ways to unlock a Tesla, the other two being the key fob and the phone app. Although the app is the brand's preferred solution, Tesla continues to bring new features to the NFC card option. Tesla explains that the card has the advantage of being unique to each car and offering a guarantee of security.
Last year, Tesla released an update that made it easier to start its vehicles after unlocking them with the NFC card. A trivial feature at first glance, but one that turned out to be a serious security flaw. For years, drivers who used their key card to unlock their car had to place the card on the center console to start it. After the update, they could drive the car immediately after unlocking it with the card: unlocking the door opens a 130-second window during which the car can be started without presenting the card a second time.
This lets the driver pull away as soon as they are in the seat. Once you have held the card against the reader on the door pillar, you have approximately 2 minutes to start driving, otherwise the car will not start. But according to Herfurt, this window is more than enough to enroll new key cards and thereby exploit this loophole in Tesla's system. He explains that during the 130 seconds between the initial authorization and the car locking again, the car accepts any newly presented Tesla key and treats it as authentic, even though it is nothing of the sort.
"The authorization given in the 130-second interval is too general. It's not just for driving. This timer was introduced by Tesla to make it more convenient to use the NFC card as the primary means of using the car. What needs to happen is that the car can be started and driven without the user having to use the key card a second time. The problem: during the 130-second period, it is not only allowed to drive the car, but also to [enroll] a new key," Herfurt said in an online interview.
Tesla's official phone app does not allow keys to be enrolled unless the phone is logged into the owner's account, but the researcher found that the vehicle nevertheless happily exchanges messages with any Bluetooth Low Energy (BLE) device in range. Herfurt therefore created his own application, called "Teslakee", which speaks "VCSec", the same protocol that the official Tesla app uses to communicate with the cars. The researcher then used the Teslakee app to exchange VCSec messages with the car and register a new key.
All the attacker has to do is be within range of the car during the crucial 130-second window after it is unlocked with an NFC card. If the owner normally uses the phone app to unlock the car (the most common unlocking method for Teslas), an attacker could force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla's "phone-as-a-key" application. When the driver gets into the car after unlocking it with the NFC card, the thief begins exchanging messages between the attacker's Teslakee app and the car.
Herfurt said that even before the driver drives away, the messages enroll a key of the thief's choosing in the car. From then on, the thief can use that key to unlock, start and turn off the car. According to the researcher, neither the vehicle's screen nor the legitimate Tesla app gives any indication that something is wrong. Herfurt successfully used this attack on a Tesla Model 3 and a Tesla Model Y. He has not tested the method on the 2021-and-later Model S and Model X, but he assumes that they are also vulnerable because they use the same native phone-key support over BLE.
There is not much that affected Tesla owners can do about this attack at the moment. One countermeasure is to enable Pin2Drive, which prevents a thief using this method from driving the vehicle away, but it does not prevent the thief from getting into the car while it is locked. Another protection is to regularly check the list of keys authorized to unlock and start the car, a list Tesla calls the "whitelist". Owners may want to perform this check after handing an NFC card to a mechanic or valet who is not fully trusted.
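To make the flaw described above concrete, here is an added example (not Tesla's code, not the VCSec protocol, and not Herfurt's tool) that models the post-unlock window as a small authorization policy. The class `KeyAuthorization`, the switches `separate_enroll_auth` and `pin_to_drive`, and all key names are assumptions of this model. It shows why one window that authorizes both "drive" and "enroll a key" lets an unexpected key slip in, how requiring a separate, fresh card tap for enrollment closes that gap, how Pin2Drive stops the enrolled key from driving but not from unlocking, and how a whitelist audit surfaces the stray key afterwards.

```python
"""
Model of a 130-second post-unlock authorization window (hypothetical model,
not Tesla firmware). Two policies are compared:
  - separate_enroll_auth=False : the flaw described in the article, where the
    window that authorizes driving also authorizes enrolling a new key;
  - separate_enroll_auth=True  : a hardened policy in which enrollment needs
    its own fresh card tap, independent of the drive window.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, Iterable, Optional, Set


class Action(Enum):
    DRIVE = auto()
    ENROLL_KEY = auto()


@dataclass
class KeyAuthorization:
    """Authorization state of one modelled vehicle (assumed structure)."""
    authorized_keys: Set[str] = field(default_factory=set)
    drive_window_seconds: int = 130            # window quoted in the article
    separate_enroll_auth: bool = False         # False = flaw, True = hardened
    pin_to_drive: bool = False                 # models the Pin2Drive countermeasure
    unlock_time: Optional[float] = None

    def nfc_unlock(self, key_id: str, now: float) -> bool:
        """A card tap on the door reader unlocks the car and opens the window."""
        if key_id not in self.authorized_keys:
            return False
        self.unlock_time = now
        return True

    def _in_window(self, now: float) -> bool:
        return (self.unlock_time is not None
                and 0 <= now - self.unlock_time <= self.drive_window_seconds)

    def authorize(self, action: Action, now: float, key_id: Optional[str] = None,
                  pin_ok: bool = False, fresh_tap: bool = False) -> bool:
        """Decide whether `action` is allowed at time `now`."""
        if action is Action.DRIVE:
            if self.pin_to_drive and not pin_ok:
                return False                   # Pin2Drive: no PIN, no driving
            return self._in_window(now) or key_id in self.authorized_keys
        if action is Action.ENROLL_KEY:
            if self.separate_enroll_auth:
                return fresh_tap               # hardened: enrollment needs its own tap
            return self._in_window(now)        # flaw: the drive window is enough
        return False

    def enroll_key(self, new_key_id: str, now: float, fresh_tap: bool = False) -> bool:
        if not self.authorize(Action.ENROLL_KEY, now, fresh_tap=fresh_tap):
            return False
        self.authorized_keys.add(new_key_id)
        return True


def audit_keys(car: KeyAuthorization, expected: Iterable[str]) -> Set[str]:
    """Whitelist check: keys the car trusts that the owner did not expect."""
    return car.authorized_keys - set(expected)


def simulate(separate_enroll_auth: bool, pin_to_drive: bool = False) -> Dict[str, object]:
    """Replay the timeline from the article against one policy (constructed scenario)."""
    car = KeyAuthorization(authorized_keys={"owner-card"},
                           separate_enroll_auth=separate_enroll_auth,
                           pin_to_drive=pin_to_drive)
    car.nfc_unlock("owner-card", now=0.0)                       # owner taps the card
    # Legitimate enrollment: the owner confirms with a fresh tap at t=30 s.
    legit_enroll = car.enroll_key("owner-phone", now=30.0, fresh_tap=True)
    # Unexpected enrollment inside the window, with no second tap, at t=60 s.
    enrolled_in_window = car.enroll_key("unexpected-key", now=60.0)
    # Same attempt after the window has closed, at t=200 s.
    enrolled_after_window = car.enroll_key("late-key", now=200.0)
    # Much later: can the unexpected key open and drive the car on its own?
    unlock_later = car.nfc_unlock("unexpected-key", now=3600.0)
    drive_later = car.authorize(Action.DRIVE, now=3601.0, key_id="unexpected-key")
    return {
        "legit_enroll": legit_enroll,
        "enrolled_in_window": enrolled_in_window,
        "enrolled_after_window": enrolled_after_window,
        "unlock_later": unlock_later,
        "drive_later": drive_later,
        "unexpected_keys": audit_keys(car, ["owner-card", "owner-phone"]),
    }


if __name__ == "__main__":
    for label, kwargs in (("flawed window", {}),
                          ("flawed window + Pin2Drive", {"pin_to_drive": True}),
                          ("separate enrollment auth", {"separate_enroll_auth": True})):
        print(label, simulate(**kwargs))
```

Running the three scenarios shows the pattern the article describes: under the flawed policy the unexpected key is accepted inside the window and can later both unlock and drive the car; Pin2Drive blocks the drive but still lets the key unlock the car; only the policy that demands a separate tap for enrollment keeps the key out entirely. In every case the whitelist audit is what reveals a key the owner never added.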
Herfurt believes Tesla is aware of the security flaw, but the company has done nothing to fix it. "My impression was that they already knew about it and did not really want to change things. This time, it's impossible for Tesla not to be aware of this poor implementation. So for me, it made no sense to talk to Tesla beforehand," he said. Tesla does not have a press department and therefore could not be contacted for comment on the vulnerability.
Source: Teslakee app
What is your opinion on the subject?
What do you think about the vulnerability that Herfurt discovered?
What do you think about the safety of Tesla cars in general?