Martin Herfurt, an Austrian security researcher, has found a way to exploit one of Tesla's recent features.
In August 2021, Tesla updated its vehicles so that they can be driven immediately after being unlocked with the NFC key card, without placing the card on the center console first. Teslas can also be unlocked with a key fob or the mobile app. Herfurt found that after the update, the car can be started without further authentication for 130 seconds after an NFC unlock. During that same window, it also accepts the enrollment of brand-new keys without any further authentication.
"The authorization given in the 130-second interval is too general ... it's not only for drive. This timer has been introduced by Tesla ... in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: Within the 130-second period, not only the driving of the car is authorized, but also the enrolling of a new key," Herfurt said in an online interview.
Normally, new keys are enrolled through the official Tesla phone app, which is tied to the owner's account, but that account check lives in the app: the vehicle itself still talks to any Bluetooth Low Energy (BLE) device nearby. Herfurt therefore built an app, Teslakee, that speaks VCSec, the protocol the official Tesla app uses to communicate with the car.
With this, Herfurt could enroll his own key during the 130 seconds after a Tesla owner unlocked their vehicle with an NFC key card, allowing him to unlock and start the vehicle himself later. An attacker can even force the owner to fall back to the NFC card instead of the phone app by jamming the BLE frequency the official app uses.
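The design flaw is easiest to see as an authorization-scope problem: one authentication event (the card tap) opens a window that authorizes more than the action it was meant for. The toy model below is an added example written for this article, not Tesla's or Herfurt's code, and it does not reproduce VCSec; the capability names, the "owner-card" and "attacker-phone" identifiers and the OWNER_PROOF placeholder for an account-bound check are all assumptions. It contrasts a single broad grant (drive and enroll for 130 seconds) with a scoped grant where the window authorizes driving only and enrollment needs a separate, account-bound authorization.

```python
from dataclasses import dataclass, field

# Capabilities a vehicle may grant after an authentication event (model's own names).
DRIVE = "drive"
ENROLL_KEY = "enroll_key"

WINDOW_SECONDS = 130                 # post-unlock window reported in the article
OWNER_CARD = "owner-card"            # constructed key identifier
OWNER_PROOF = "owner-account-proof"  # placeholder for an account-bound authorization (assumption)


@dataclass
class Vehicle:
    """Toy model of post-unlock authorization state; not Tesla's implementation."""
    scoped: bool                                  # False: one broad grant covers drive AND enrollment
    keys: set = field(default_factory=lambda: {OWNER_CARD})
    grants: dict = field(default_factory=dict)    # capability -> expiry time (seconds)

    def unlock(self, key_id, now):
        """Any enrolled key (card, fob, phone) unlocks; the unlock opens the 130 s window."""
        if key_id not in self.keys:
            return False
        expiry = now + WINDOW_SECONDS
        # Weak design: a single authentication event authorizes everything for 130 s.
        # Scoped design: the window only authorizes driving.
        self.grants = {DRIVE: expiry} if self.scoped else {DRIVE: expiry, ENROLL_KEY: expiry}
        return True

    def _granted(self, cap, now):
        return self.grants.get(cap, float("-inf")) > now

    def start_drive(self, now):
        return self._granted(DRIVE, now)

    def enroll_key(self, new_key_id, now, account_proof=None):
        """Enrollment request as any nearby BLE device could send it."""
        if self.scoped:
            # Hardened: enrollment needs an owner-account-bound proof, independent of the window.
            ok = account_proof == OWNER_PROOF
        else:
            ok = self._granted(ENROLL_KEY, now)
        if ok:
            self.keys.add(new_key_id)
        return ok


def run_attack(scoped, enroll_delay):
    """Owner taps the card at t0; an attacker in BLE range sends an enrollment
    request enroll_delay seconds later, then returns an hour later to take the car."""
    v = Vehicle(scoped=scoped)
    t0 = 1_000.0
    owner_unlocked = v.unlock(OWNER_CARD, t0)
    owner_drives = v.start_drive(t0 + 5)
    attacker_enrolled = v.enroll_key("attacker-phone", t0 + enroll_delay)
    attacker_unlocked = v.unlock("attacker-phone", t0 + 3_600)
    attacker_drives = attacker_unlocked and v.start_drive(t0 + 3_600 + 1)
    return {
        "owner_unlocked": owner_unlocked,
        "owner_drives": owner_drives,
        "attacker_enrolled": attacker_enrolled,
        "attacker_drives": attacker_drives,
    }


if __name__ == "__main__":
    print("weak, inside window  :", run_attack(scoped=False, enroll_delay=10))
    print("weak, after window   :", run_attack(scoped=False, enroll_delay=200))
    print("scoped, inside window:", run_attack(scoped=True, enroll_delay=10))
```

In the weak model the enrollment succeeds only while the window is open, which is why the attacker has to be in range when the owner taps the card (or has to jam the app so the owner is forced onto the card). In the scoped model the owner still drives off without a second tap, but enrollment is refused regardless of timing unless the request carries the account-bound proof; the convenience feature and the enrollment path no longer share one authorization.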
"The attack exploits Tesla's way of handling the unlock process via NFC card. This works because Tesla's authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, but an app that is also able to speak the Tesla-specific BLE protocol ... allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to," wrote Herfurt.
"My impression was that they always already knew and would not really change stuff. This time, there is no way that Tesla does not know about that poor implementation. So for me, there was no point in talking to Tesla beforehand," Herfurt continued.