A researcher has demonstrated how a Tesla key card feature introduced last year could be misused to add an unauthorised key, enabling an attacker to unlock and start a vehicle.
The study was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which specialises in Bluetooth security. Herfurt's research focused on changes to key card access that Tesla made in August 2021, which removed the need for customers to place the key card on the centre console after using it to unlock the vehicle.
The researcher found that when a Tesla is unlocked via NFC using the key card, there is a 130-second window during which an attacker within Bluetooth range of the targeted vehicle can add a key of their own.
The attack exploits Tesla's VCSEC protocol, which handles communication between the car, the phone app, and the key fob.
Findings by the researcher:
During such an attack, the infotainment system makes no attempt to warn the victim that a new key has been added.
The researcher said he tested the attack on the Tesla Model 3 and Model Y, but believes it should also work on the newer Model S and Model X.
At the recent Pwn2Own 2022 hacking competition, hackers won $75,000 for an attack targeting Tesla's infotainment system. Herfurt intended to show off his attack at Pwn2Own, but relay attacks were not permitted.
In fact, he said he had identified the authorisation timer attack vector in September 2021 but had been holding it back for Pwn2Own.
The researcher said he did not inform Tesla of his latest findings before publishing them, since he believed the company was already aware of the problem.
Following his disclosure, he received confirmation from others who had reported a very similar issue to Tesla months earlier that the company was aware of the vulnerability.
According to the researcher, Tesla recommends using the PIN2Drive feature, which requires the driver to enter a PIN before driving away, but last week he published a video showing how an attacker could bypass PIN2Drive. Tesla has yet to respond to a request for comment.
Herfurt is working on TeslaKee, a new smartphone application that is intended to protect Tesla vehicles from these kinds of relay attacks. In May, Herfurt demonstrated another method of stealing a Tesla, in which the attacker used two Raspberry Pi devices to relay the radio signal between the Phone Key and the car over a considerable distance.