Martin Herfurt, an Austrian security researcher, has found an exploit in one of Tesla's recent features.
In August 2021, Tesla updated its vehicles to be immediately operable after unlocking them with their NFC key card, without having to place the cards on the center console to begin driving. Tesla's can also be unlocked with a key fob or a mobile app. Herfurt discovered that the new update made the car automatically start within 130 seconds of being unlocked with an NFC card. During that time, it would also accept brand new keys without authentication.
"The authorization given in the 130-second interval is too general ... it's not only for drive. This timer has been introduced by Tesla ... in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: Within the 130-second period, not only the driving of the car is authorized, but also the enrolling of a new key," Herfurt said in an online interview.
Users cannot enroll new keys without an official Tesla phone app connected to the car owner's account, but the vehicle still communicates with Bluetooth Low Energy (BLE) devices nearby. Therefore, Herfurt built an app, Teslakee, that uses VCSec, the same language intended for communication between Tesla cars and the official Tesla app.
With this, Herfurt could enroll his own key during the 130 seconds after a Tesla owner has unlocked their vehicle with an NFC key card, allowing him to unlock and start the vehicle himself. One can even force the owner to use one instead of their Tesla app by using a signal jammer to block the BLE frequency used by the official Tesla app.
"The attack exploits Tesla's way of handling the unlock process via NFC card. This works because Tesla's authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, but an app that is also able to speak the Tesla-specific BLE protocol ... allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to," wrote Herfult.
"My impression was that they always already knew and would not really change stuff. This time, there is no way that Tesla does not know about that poor implementation. So for me, there was no point in talking to Tesla beforehand," Herfult continued.
Tesla unveils new Model 3 Performance: 0-60 mph in 2.9 seconds, 163 mph top speed
GIGABYTE confirms AMD Ryzen 9000 Series processors are coming soon
Qualcomm details its Snapdragon X Elite: all SKUs have NPU with 45 TOPS for AI workloads
There's a capsule toy machine in Japan that spits out Intel Core i7-8700 CPUs for around $3
NVIDIA is helping Japan build their bleeding-edge ABCI-Q quantum supercomputer with HPC and AI
ACEMAGIC AD08 "Core i9 11900H" Mini PC Review
Lenovo ThinkPad X1 Carbon Gen 12 Review
ASUS ROG Swift Pro PG248QP Gaming Monitor Review - Frames, frames, and more frames
FlexiSpot C7B-Mesh Ergonomic Office Chair Review
Samsung G8 34-inch QD-OLED Gaming Monitor Review - 175Hz for $900
ASRock NUCBOX-155H Mini PC Review
NuPhy Air96 V2 Wireless Mechanical Keyboard Review
TEAM T-FORCE Siren DUO360 RGB Liquid CPU Cooler Review
AVerMedia Live Streamer ULTRA HD Review
AVerMedia Live Gamer 4K 2.1 Review
Everything you need to know about the latest ASUS NUC Mini PCs - NUC 14 Pro and ROG NUC
How to Overclock Your GPU and Boost Your PC Gaming with ASUS GPU Tweak III
ASUS's AMD Radeon RX 7000 Series GPU lineup has something for every gamer
ASUS OLED Premium Care defends the ROG Swift OLED PG32UCDM gaming monitor from burn-in
Patriot Viper Xtreme 5 Engineering Prototype 48GB Dual-Channel Memory Kit Preview