A researcher has demonstrated how a key card feature introduced by Tesla last year can be abused to add an unauthorized key that allows an attacker to unlock and start a vehicle.
The research was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which focuses on Bluetooth security.
Herfurt's analysis pointed to a change Tesla made to key card access in August 2021, which removed the requirement that users place the key card in the center console after using it to unlock the vehicle.
The researcher found that when a Tesla is unlocked with the key card via NFC, there is a 130-second window during which an attacker within Bluetooth range of the target vehicle can add their own key, which they can then use to unlock and drive the car.
The attack involves abusing Tesla’s VCSEC protocol, which handles communications between the car, the phone app, and the key fob. During such an attack, the infotainment system does not notify the victim in any way that a new key has been added.
Herfurt has made a video to show how this “authorization timer attack” works:
The researcher told SecurityWeek that he tested the attack against the Tesla Model 3 and Model Y, but he believes it should also work against the newer Model S and Model X.
An exploit targeting Tesla’s infotainment system earned researchers $75,000 at the recent Pwn2Own 2022 hacking competition. Herfurt also wanted to demonstrate his attack at Pwn2Own, but relay attacks were not accepted. In fact, he said he discovered the authorization timer attack vector in September 2021 and was saving it for Pwn2Own, before learning that it was out of scope.
The researcher said he did not inform Tesla about his latest findings before disclosing them because he believed the automaker must already be aware of the problem. Following his disclosure, he received confirmation that Tesla knew about the vulnerability from others who had reported a very similar issue to the company months earlier.
According to the researcher, Tesla recommends the use of the PIN2Drive function, which requires users to enter a PIN before they can drive, but last week he published a video showing that an attacker can bypass PIN2Drive.
Tesla has not responded to a request for comment.
Herfurt is developing TeslaKee, an upcoming mobile app that is intended to protect Tesla vehicles against these types of relay attacks.
In May, Herfurt showed off another method that could be used to steal a Tesla. The technique involved a Bluetooth relay attack in which the attacker used two Raspberry Pi devices to transmit the radio signal between the phone key and a car over a long distance.
The attack relies on two people: one standing next to the target car and one near the victim, who is some distance away from their vehicle. Each attacker carries a Raspberry Pi, and the two devices are connected to each other, creating a channel that allows the victim’s phone key to communicate with the car over a long distance.
NCC Group recently demonstrated a very similar Bluetooth-based attack against Tesla cars, one that used specialized hardware instead of Raspberry Pi computers. The cybersecurity firm noted that the relay attack tool it developed can be used against any device that communicates via BLE.