New app allows hackers to steal Teslas by making their own keys

Martin Herfurt from the Trifinite Group has created Teslakee, as part of Project Tempa, which can unlock and start Tesla vehicles.


Martin Herfurt, an Austrian security researcher, has found a flaw in one of Tesla's recent features.

In August 2021, Tesla updated its vehicles to be immediately operable after unlocking them with their NFC key card, without having to place the card on the center console to begin driving. Teslas can also be unlocked with a key fob or a mobile app. Herfurt discovered that the new update allowed the car to be started within 130 seconds of being unlocked with an NFC card, without presenting the card again. During that time, it would also accept brand new keys without authentication.

"The authorization given in the 130-second interval is too general ... it's not only for drive. This timer has been introduced by Tesla ... in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: Within the 130-second period, not only the driving of the car is authorized, but also the enrolling of a new key," Herfurt said in an online interview.

Users cannot enroll new keys without an official Tesla phone app connected to the car owner's account, but the vehicle still communicates with Bluetooth Low Energy (BLE) devices nearby. Therefore, Herfurt built an app, Teslakee, that uses VCSec, the same language intended for communication between Tesla cars and the official Tesla app.

With this, Herfurt could enroll his own key during the 130 seconds after a Tesla owner has unlocked their vehicle with an NFC key card, allowing him to unlock and start the vehicle himself. An attacker can even force the owner to use the NFC card instead of their Tesla app by using a signal jammer to block the BLE frequency used by the official Tesla app.

"The attack exploits Tesla's way of handling the unlock process via NFC card. This works because Tesla's authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, but an app that is also able to speak the Tesla-specific BLE protocol ... allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to," wrote Herfurt.

"My impression was that they always already knew and would not really change stuff. This time, there is no way that Tesla does not know about that poor implementation. So for me, there was no point in talking to Tesla beforehand," Herfurt continued.
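The design problem Herfurt describes is an authorization grant that is too broad in scope: the post-unlock timer covers driving and key enrollment alike, and enrollment is never tied back to the owner's account. The following model is an added illustration written for this article, not Tesla's code and not the VCSEC protocol; the `Vehicle` class, the `account_proof` flag and the key names are assumptions. It compares a single general grant with per-action scopes, where enrollment always requires account-bound proof regardless of the timer.

```python
# Constructed model of the 130-second authorization window described above.
# Not Tesla's code and not the VCSEC protocol; names are assumptions.
from dataclasses import dataclass, field
from typing import Optional, Set

WINDOW_SECONDS = 130  # post-unlock grace period reported in the article


@dataclass
class Vehicle:
    scoped_grants: bool                  # False = one general grant (flawed); True = per-action scopes
    unlocked_at: Optional[float] = None  # time of the last NFC unlock
    keys: Set[str] = field(default_factory=lambda: {"owner-nfc-card"})

    def unlock_with_nfc(self, key_id: str, now: float) -> bool:
        if key_id not in self.keys:
            return False
        self.unlocked_at = now
        return True

    def _in_window(self, now: float) -> bool:
        return self.unlocked_at is not None and 0 <= now - self.unlocked_at <= WINDOW_SECONDS

    def drive(self, now: float) -> bool:
        # Driving inside the window is the intended convenience feature.
        return self._in_window(now)

    def enroll_key(self, new_key: str, now: float, account_proof: bool) -> bool:
        if not self.scoped_grants:
            # Flawed policy: the timer authorizes *any* action, enrollment included,
            # so a BLE peer that speaks the protocol is accepted during the window.
            if self._in_window(now):
                self.keys.add(new_key)
                return True
            return False
        # Scoped policy: enrollment needs proof bound to the owner's account
        # (constructed flag); the timer only ever covers driving.
        if account_proof:
            self.keys.add(new_key)
            return True
        return False


def simulate(scoped: bool) -> dict:
    """Unlock with the owner's card at t=0, then try each action."""
    car = Vehicle(scoped_grants=scoped)
    car.unlock_with_nfc("owner-nfc-card", now=0.0)
    return {
        "drive_in_window": car.drive(now=10.0),
        "enroll_in_window_no_account": car.enroll_key("unknown-ble-key", now=60.0, account_proof=False),
        "enroll_after_window_no_account": car.enroll_key("unknown-ble-key-2", now=200.0, account_proof=False),
        "enroll_with_account": car.enroll_key("owner-new-phone", now=60.0, account_proof=True),
    }
```

With `scoped=False` the unauthenticated enrollment inside the window succeeds; with `scoped=True` it is refused while driving and the account-backed enrollment still work.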


Adam grew up watching his dad play Turok 2 and Age of Empires on a PC in his computer room, and learned a love for video games through him. Adam was always working with computers, which helped build his natural affinity for working with them, leading to him building his own at 14, after taking apart and tinkering with other old computers and tech lying around. Adam has always been very interested in STEM subjects, and is always trying to learn more about the world and the way it works.
