Hackers Can Steal Your Tesla by Creating Their Own Personal Keys
A Security researcher found a recent update allows anyone to enroll their own key during the 130-second interval after the car is unlocked with it's NFC card. LAST YEAR, TESLA issued an update that made its vehicles easier to start after being unlocked with their NFC key cards. The security researcher has shown how that this feature can be exploited to steal cars. For years, drivers who used their Tesla NFC key card to unlock their cars had to place the card on the center console to begin driving. Following the update, which was reported here last August, drivers where able to immediately operate their cars after unlocking them with the NFC card. The NFC card is one of three means for unlocking a Tesla; a phone app and a key fob are the other two. How to Enroll Your Own Key Martin Herfurt, the security researcher in Austria, quickly noticed an odd aspect about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, it also put the car in a state of acceptance for entirely new keys—requiring no authentication and zero indication given by the in-car display. "The authorization given in the 130-second interval is too general … it's not only for drive," Herfurt said in an interview with Top Techs California LLC. "This timer has been introduced by Tesla … in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: Within the 130-second period, not only the driving of the car is authorized, but also the enrolling of a new key." The official Tesla phone app doesn't permit keys to be enrolled unless it's connected to the owner's account, despite this, Herfurt found the vehicle will exchange messages with any Bluetooth Low Energy (BLE) device that's nearby. Herfurt built his own app, named Teslakee, that speaks VCSec, the same language that the official Tesla app uses to communicate with Tesla cars. Using a malicious version of Teslakee which Herfurt designed as a proof-of-concept purpose to show how easy it is for thieves to surreptitiously enroll their own key during the 130-second interval. (Herfurt plans to release a benign version of Teslakee eventually that will make such attacks harder to carry out.) The attacker then uses the Teslakee app to exchange VCSec messages that enroll the new key. The only requirement is to be within range of the car during the crucial 130-second window of it being unlocked with an NFC card. If a vehicle owner normally uses the phone app to unlock the car—by far the most common unlocking method for Teslas—the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla's phone-as-a-key app. As the driver enters the car after unlocking it with an NFC card, the thief begins exchanging messages between the weaponized Teslakee and the car. Before the driver has even driven away, the messages enroll a key of the thief's choice with the car. From then on, the thief can use the key to unlock, start, and turn off the car. There is no indication from the in-car display or the legitimate Tesla app that anything is amiss. Herfurt has successfully used the attack on Tesla Models 3 and Y. He hasn't tested the method on new 2021+ facelift models of the S and X, but he presumes they are also vulnerable because they use the same native support for phone-as-a-key with BLE. Tesla didn't respond to an email seeking comment for this post. Parlez-Vous VCSec? The vulnerability is the result of the dual roles played by the NFC card. It not only opens a locked car and starts it; it's also used to authorize key management. Herfurt said: The attack exploits Tesla's way of handling the unlock process via NFC card. This works because Tesla's authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, but an app that is also able to speak the Tesla-specific BLE protocol … allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to. Herfurt created Teslakee as part of Project Tempa, which “provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app in order to control vehicles via Bluetooth LE.” Herfurt is a member of Trifinite Group, a research and hacker collective that focuses on BLE. The attack is easy enough in technical aspects to carry out, but the mechanics of staking out an unattended vehicle, waiting for or forcing the owner to unlock it with an NFC card, and later catching up with the car and stealing it can be cumbersome. This method isn't likely to be practical in many theft scenarios, but for some, it seems viable. Tesla as usual is maintaining radio silence on this weakness, there's only so much that concerned owners can do. One countermeasure is to set up Pin2Drive to prevent thieves who use this method from starting a vehicle, but it will do nothing to prevent the thief from being able to enter the car when it's locked. Another protection is to regularly check the list of keys authorized to unlock and start the car through a process Tesla calls "whitelisting." Tesla owners may want to perform this check after giving an NFC card to an untrusted mechanic or valet parking attendant. Based on the lack of response Herfurt said he received from Tesla regarding vulnerabilities he uncovered in 2019 and again last year, he's not holding his breath that the company will address the issue. "My impression was that they always already knew and would not really change stuff," he said. "This time, there is no way that Tesla does not know about that poor implementation. So for me, there was no point in talking to Tesla beforehand."