Tesla relies entirely on digitized keys with which you can open your car as conveniently as possible and then start it. But time and time again, researchers point out security problems that allow easy theft. Now the Austrian Martin Herfurt is demonstrating how easily an attacker can sneak his own duplicate key onto Tesla models.
One of the ways to unlock a Tesla is the NFC card that owners receive as a key on purchase. This is less convenient than “Phone as a Key” (PaaK), which works over Bluetooth Low Energy (BLE) without any action as soon as the driver approaches. But since it was only recently shown how a man-in-the-middle acting as a relay station near the phone can unlock the car for an attacker and even let him drive off, the NFC variant initially appears to be the more secure option.
130 seconds wide open
But the NFC card is supposed to clearly identify the owner and therefore enables additional functions that an attacker can also abuse to steal the Tesla. In this way he can teach the car to accept a completely new key. Specifically, for a full 130 seconds after an NFC card swipe, a new key can be stored in the Tesla, which it will accept from then on. This is normally done via the Tesla app, which also checks online whether the key is being added by the registered owner of the car.
However, as the security researcher Martin Herfurt found out in his analysis of the proprietary protocol, this authorization is not part of the communication between the app and the vehicle. As long as the vehicle is addressed correctly, it will ultimately accept any key – even that of an attacker. All it takes is a suitable client app that speaks Tesla’s VCSEC protocol.
Herfurt created one called TeslaKee as part of his Tempa project. As he demonstrates in the video “Gone in under 130 Seconds”, he can use it to place his own keys in the Tesla. In the video, the driver opens the vehicle with an NFC card swipe, which starts the 130-second period. During this period, the car accepts Bluetooth LE connections that are considered authorized.
Gone in under 130 Seconds
Tesla theft with a digital duplicate key.
While she is still wearing her seat belt, the nearby attacker smuggles in his key via Bluetooth, which is then considered legitimate. The owner doesn’t notice anything about it; the vehicle display gives no indication of the secret background activities. At any later time, the hacker can open the car with the duplicate key via TeslaKee and drive off.
The most commonly used unlocking method is PaaK with the mobile phone. But an attacker could deliberately disrupt it with BLE jamming so that the owner takes out the NFC card and thereby not only opens the car but also authorizes the key management, Herfurt explained to heise Security. The only protection then is an activated PIN2Drive, which requires the driver to also enter a code. Incidentally, this also prevents Tesla theft through relay attacks on PaaK and BLE. The Austrian also recommends regularly checking the authorized keys in the app.
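To make the weakness and the two mitigations concrete, here is an added toy simulation of the vehicle side. It is constructed for this article and is not Tesla’s VCSEC protocol, nor code from Herfurt’s Tempa or TeslaKee project. It assumes a hypothetical vehicle state machine with three behaviours taken from the text: an NFC tap opens a 130-second enrollment window, an enrollment request inside that window is accepted without the vehicle verifying owner authorization, and PIN2Drive gates driving regardless of which key unlocked the car. The `require_owner_confirmation` switch is an assumed hardening (an explicit on-display confirmation), not a documented Tesla feature, and `audit_keys` models the advice to check the key list for entries the owner did not add.

```python
"""Constructed model of the key-enrollment window described in the article.

Not Tesla's VCSEC protocol and not the Tempa/TeslaKee code; every name here
is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple

ENROLL_WINDOW_SECONDS = 130  # window length stated in the article


@dataclass
class Vehicle:
    nfc_cards: Set[str]
    ble_keys: Set[str] = field(default_factory=set)
    pin2drive: Optional[str] = None             # None = PIN2Drive disabled
    require_owner_confirmation: bool = False    # hypothetical hardening switch
    window_open_until: float = -1.0
    events: List[Tuple[str, str, float]] = field(default_factory=list)

    def nfc_tap(self, card_id: str, now: float) -> bool:
        """A valid card unlocks the car and opens the enrollment window."""
        if card_id not in self.nfc_cards:
            return False
        self.window_open_until = now + ENROLL_WINDOW_SECONDS
        self.events.append(("unlock", card_id, now))
        return True

    def enroll_ble_key(self, key_id: str, now: float,
                       owner_confirmed: bool = False) -> bool:
        """Enrollment request arriving over BLE.

        Weak configuration: any request inside the window succeeds, because the
        owner-authorization check lives only in the app, not in the vehicle.
        Hardened configuration (assumed): the vehicle additionally demands an
        explicit on-display confirmation before storing the key.
        """
        if now > self.window_open_until:
            self.events.append(("enroll_rejected_window_closed", key_id, now))
            return False
        if self.require_owner_confirmation and not owner_confirmed:
            self.events.append(("enroll_rejected_unconfirmed", key_id, now))
            return False
        self.ble_keys.add(key_id)
        self.events.append(("enroll", key_id, now))
        return True

    def start_drive(self, key_id: str, pin: Optional[str] = None) -> bool:
        """A stored key opens the car; PIN2Drive additionally requires the code."""
        if key_id not in self.ble_keys and key_id not in self.nfc_cards:
            return False
        if self.pin2drive is not None and pin != self.pin2drive:
            return False
        return True

    def audit_keys(self, known_by_owner: Set[str]) -> Set[str]:
        """Keys stored in the vehicle that the owner does not recognise."""
        return (self.ble_keys | self.nfc_cards) - known_by_owner


def scenario(harden: bool, pin: Optional[str]) -> dict:
    """Replays the sequence from the video against a chosen configuration."""
    car = Vehicle(nfc_cards={"owner-card"}, pin2drive=pin,
                  require_owner_confirmation=harden)
    car.nfc_tap("owner-card", now=0.0)                        # driver taps card
    enrolled = car.enroll_ble_key("foreign-key", now=45.0)    # inside window
    late = car.enroll_ble_key("late-key", now=200.0)          # window closed
    return {
        "enrolled": enrolled,
        "late_enrolled": late,
        "drives_away": car.start_drive("foreign-key", pin=None),
        "unexpected_keys": car.audit_keys({"owner-card"}),
    }


if __name__ == "__main__":
    for harden, pin in [(False, None), (False, "1234"), (True, None)]:
        label = f"confirmation={harden} pin2drive={'on' if pin else 'off'}"
        print(label, scenario(harden, pin))
```

Running the three configurations shows the point of the article in miniature: with neither mitigation the foreign key is stored silently and can later start the car; with PIN2Drive it is still stored, but cannot drive away and shows up in the key audit; with the assumed owner-confirmation step it is never stored at all. The late request is rejected in every case because the window has closed.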
Herfurt tested the duplicate-key attack described here with the Model 3 and Model Y, which support PaaK with BLE by default. The new 2021+ facelift models of the S and X have also had the PaaK feature since their refresh and are therefore probably vulnerable as well, but have not yet been available for concrete tests. So far, Tesla has not commented on Herfurt’s findings.