Last year, Tesla released an update that made it easier for their vehicles to start after being unlocked with their NFC keycard. Now, a researcher has shown how this feature can be used to steal cars.
For years, drivers who used a Tesla NFC key card to unlock their car had to place the card on the center console before they could start driving. After the update, reported here last August, drivers could operate their cars immediately after unlocking them with the card. The NFC card is one of three means of unlocking a Tesla; a key fob and a phone app are the other two.
Register your own key
Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: not only did it allow the car to start automatically within 130 seconds of being unlocked with the NFC card, but it also put the vehicle into a state that accepts an entirely new key, with no authentication required and no indication on the in-car display.
“The permission given in the 130-second interval is too general… [it’s],” Herfurt said in an online interview. “What will happen is that the car can be started and driven without the user having to use the key card a second time. Problem: for a period of 130 seconds, not only is driving the car allowed, but also the [enrolling] of a new key.”
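To make the authorization gap concrete, here is a small added model of the post-unlock window, written for this page and not taken from Tesla's firmware, from Herfurt's Teslakee app or from the VCSec protocol. It contrasts the behaviour the article describes (driving and key enrolment both silently authorized inside the 130-second window) with a hardened policy in which an enrolment request is shown on the display and must be confirmed by a tap of an already-enrolled card. Key names, timings and the `Vehicle` class are constructed for the example.

```python
"""Toy model of the 130-second post-unlock authorization window.

Added illustration only: hypothetical vehicle logic, not Tesla code, Teslakee or VCSec.
Two policies are modelled for what a nearby peer may do inside the window:
  - vulnerable: driving AND key enrolment are both authorized, with nothing shown
  - hardened:   driving is authorized; enrolment becomes a pending request that is
                shown on the display and only takes effect after an enrolled card
                confirms it (a second factor the remote peer does not hold)
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

GRACE_WINDOW_S = 130.0  # length of the window reported in the article


@dataclass
class Vehicle:
    hardened: bool                            # which enrolment policy applies
    enrolled_keys: Set[str] = field(default_factory=lambda: {"owner-card"})
    unlocked_at: Optional[float] = None       # time of the last successful unlock
    pending_enrolment: Optional[str] = None   # hardened policy: request awaiting a tap
    display: List[str] = field(default_factory=list)  # what the in-car display shows

    def unlock(self, key_id: str, now: float) -> bool:
        """Unlock with an enrolled key; this opens the grace window."""
        if key_id not in self.enrolled_keys:
            return False
        self.unlocked_at = now
        return True

    def in_grace_window(self, now: float) -> bool:
        return self.unlocked_at is not None and (now - self.unlocked_at) <= GRACE_WINDOW_S

    def start_drive(self, now: float) -> bool:
        """The convenience feature: no second tap needed to drive inside the window."""
        return self.in_grace_window(now)

    def enroll_key(self, new_key_id: str, now: float) -> str:
        """Enrolment request arriving over the key protocol from a nearby peer."""
        if not self.in_grace_window(now):
            return "rejected: outside grace window"
        if self.hardened:
            # Consent is tied to the physical card and made visible to the driver.
            self.pending_enrolment = new_key_id
            self.display.append(f"Key enrolment requested: {new_key_id}. Tap card to confirm.")
            return "pending: card confirmation required"
        self.enrolled_keys.add(new_key_id)   # vulnerable policy: silent, no second factor
        return "enrolled"

    def confirm_with_card(self, card_id: str, now: float) -> str:
        """Hardened policy: a tap of an already-enrolled card completes the request."""
        if card_id not in self.enrolled_keys or self.pending_enrolment is None:
            return "nothing confirmed"
        self.enrolled_keys.add(self.pending_enrolment)
        self.display.append(f"New key enrolled: {self.pending_enrolment}")
        self.pending_enrolment = None
        return "enrolled"


def run_scenario(hardened: bool) -> dict:
    """Owner unlocks with the card; an unknown peer requests enrolment inside the window."""
    car = Vehicle(hardened=hardened)
    car.unlock("owner-card", now=0.0)                   # owner taps the card and gets in
    drive_ok = car.start_drive(now=30.0)                # drives off without a second tap
    enrol = car.enroll_key("unknown-phone", now=60.0)   # request inside the window
    late = car.enroll_key("late-phone", now=200.0)      # request after the window closes
    later_unlock = car.unlock("unknown-phone", now=3600.0)  # does the new key work later?
    return {
        "drive_ok": drive_ok,
        "enrol": enrol,
        "late": late,
        "later_unlock": later_unlock,
        "display": list(car.display),
    }


def legitimate_enrolment() -> str:
    """Hardened policy: the owner adds a phone key and confirms it with the card."""
    car = Vehicle(hardened=True)
    car.unlock("owner-card", now=0.0)
    car.enroll_key("owner-phone", now=20.0)             # request from the owner's own app
    return car.confirm_with_card("owner-card", now=25.0)  # owner consents with a tap


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
    print("owner adds key under hardened policy:", legitimate_enrolment())
```

Under the vulnerable policy the unknown peer's key is enrolled at second 60 with an empty display log and unlocks the car an hour later; under the hardened policy the same request only produces a visible pending entry, the peer cannot supply the confirming tap, and its key never unlocks anything. Both policies reject the request at second 200, which is why the article stresses that the attacker must act within the window.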
The official Tesla phone app doesn’t allow enrollment of a key unless it’s connected to the owner’s account, but despite that, Herfurt found that the vehicle readily exchanged messages with any Bluetooth Low Energy (BLE) device nearby. So the researcher built his own app, named Teslakee, that speaks VCSec, the same language the official Tesla app uses to communicate with Tesla vehicles.
A malicious version of Teslakee that Herfurt designed for proof-of-concept purposes shows how easily a thief can enroll their own key during the 130-second window. (The researcher plans to release a benign version of Teslakee that will eventually make such attacks harder to execute.) The attacker uses the Teslakee app to exchange the VCSec messages that enroll the new key.
All that is required is to be within range of the car for the crucial 130 seconds after it is unlocked with the NFC card. If the owner normally uses the phone app to unlock the car, by far the most common unlock method for Teslas, an attacker could force the use of the NFC card by using a signal jammer to block the BLE frequencies the Tesla phone-as-a-key app relies on.
This video demonstrates the attack in action:
When the driver enters the vehicle after unlocking it with the NFC card, the thief begins exchanging messages between the weaponized Teslakee and the vehicle. Before the driver drives away, those messages enroll a key chosen by the thief with the vehicle. From there, the thief can use that key to unlock, start and turn off the car. There’s no indication from the in-car display or the legitimate Tesla app that anything is amiss.
Herfurt has successfully used the attack against Tesla Models 3 and Y. He hasn’t tested the method on the facelifted S and X models of 2021 or later, but he believes they’re also vulnerable because they use the same native support for phone-as-a-key over BLE.
Tesla did not respond to an email seeking comment for this post.