A group of researchers from NCC Group in the UK has demonstrated a new way to break into Tesla vehicles.
The researchers explain that the security vulnerability can be pinpointed to the Bluetooth Low Energy (BLE) technology that is used to enter Tesla vehicles. The technology allows the driver to be authenticated when their key fob or app comes within a certain proximity of the car. The current system already comes with various safeguards, but NCC Group researchers have developed a new tool that is capable of bypassing these safeguards and remotely unlocking vehicles.
In a recent blog post by Sultan Qasim Khan, a senior security consultant at NCC Group, it's explained the researchers were able to successfully remotely unlock a 2020 Tesla Model 3 using an iPhone 13 mini that was running an outdated version of the Tesla app. The researchers explain that the iPhone was placed 27 yards away from the car, and two "relaying devices" were placed between the iPhone and the car. Combining the tool developed by the researchers and the relaying devices, they were able to successfully unlock the Tesla from a decent distance.
Notably, Tesla's aren't the only type of car vulnerable to this kind of attack as the researchers point out that any vehicle that uses Bluetooth Low Energy for its keyless entry system may also possess the same vulnerability.
"Testing on a 2020 Tesla Model 3 running software v11.0 (2022.8.2) with an iPhone 13 mini running version 4.6.1-891 of the Tesla app, NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle. In the test setup, the iPhone was placed on the top floor at the far end of a home, approximately 25 metres away from the vehicle, which was in the garage at ground level.
The phone-side relaying device was positioned in a separate room from the iPhone, approximately 7 metres away from the phone. The vehicle-side relaying device was able to unlock the vehicle when within placed within a radius of approximately 3 metres from the vehicle.
NCC Group has not tested this relay attack against a Model Y or in conjunction with the optional Tesla Model 3/Y BLE key fob. However, based on the similarity of the technologies used, NCC Group expects the same type of relay attack would be possible against these targets, given the use of similar technologies," wrote the researchers.