Tesla last year released an update that made it easier to start cars after unlocking them with an NFC key card. Now a researcher has shown how this feature can be used to steal cars.
For years, drivers who used an NFC key card to unlock their Tesla had to place the card on the center console before they could start driving. After the update, reported here last August, drivers can drive off immediately after unlocking with the card. The NFC card is one of three Tesla unlock methods; the key fob and the phone app are the other two.
Martin Herfurt, an Austrian security researcher, was quick to notice something strange about the new feature: not only did it allow the car to be started automatically within 130 seconds of unlocking with an NFC card, it also put the car into a state that accepts brand-new keys, with no authentication required and no indication on the car's display.
“The 130-second clearance is too general… it’s not just about driving,” Herfurt said in an online interview. “This timer was introduced by Tesla … in order to make using an NFC card as the primary means of using a car more convenient. What should happen is that the car can be started and driven without the user needing to use the key card a second time. The problem: within 130 seconds, not only driving is allowed, but also registration of a new key.”
Tesla’s official phone app doesn’t allow keys to be registered unless it’s connected to the owner’s account, but despite this, Herfurt found that the car happily exchanges messages with any nearby Bluetooth Low Energy (BLE) device. So the researcher created his own application, called Teslakee, that speaks VCSEC, the same language the official Tesla app uses to communicate with Tesla vehicles.
The malicious version of Teslakee that Herfurt developed to test the concept shows how easy it is for thieves to secretly register their own key within the 130-second window. (The researcher plans to eventually release a secure version of Teslakee that will make such attacks more difficult.) The attacker uses the Teslakee application to exchange the VCSEC messages that register the new key.
All that is required is to be within range of the car during the crucial 130-second window after it is unlocked with an NFC card. If the owner normally unlocks the vehicle with the phone app, the most common unlock method for Teslas, an attacker can force the use of the NFC card with a signal jammer that blocks the BLE frequency used by Tesla’s “phone as a key” feature.
This video shows the attack in action:
When the driver gets into the car after unlocking it with an NFC card, the thief starts the message exchange between the armed Teslakee and the car. Even before the driver has driven off, the messages register a key of the thief’s choice with the car. From that moment on, the thief can use that key to unlock, start and turn off the car. There is no indication on the car’s display or in the legitimate Tesla app that anything is wrong.
Herfurt has successfully used the attack on the Tesla Model 3 and Model Y. He has not tested the method on the 2021+ facelift Model S and Model X, but he suggests they are also vulnerable because they use the same native phone-as-a-key support over BLE.
Tesla did not respond to an email asking for comment on this post.
The vulnerability is the result of the dual role of the NFC card. It not only unlocks the car and starts it; it is also used to authorize key management.
The attack exploits Tesla’s way of handling the unlock process with an NFC card. It works because Tesla’s authorization method is broken: there is no connection between the online account world and the offline BLE world. Any attacker who can see the vehicle’s Bluetooth LE advertisements can send it VCSEC messages. This won’t work with the official app, but an app that can also speak the Tesla-specific BLE protocol… allows attackers to register keys for arbitrary vehicles. Teslakee will talk to any vehicle if ordered to do so.
Herfurt created Teslakee as part of the Tempa Project, which “provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app to control vehicles via Bluetooth LE.” Herfurt is a member of the Trifinite group, a research and hacking team specializing in BLE.
The attack is technically easy enough to pull off, but the mechanics of staking out a parked vehicle, waiting for (or forcing) the owner to unlock it with an NFC card, and then following the vehicle to steal it can be cumbersome. The method is unlikely to be practical in many theft scenarios, but seems viable for some.
With Tesla maintaining radio silence over this weakness, there isn’t much that concerned owners can do. One countermeasure is to set up Pin2Drive so that a thief using this method cannot start the car, but this does nothing to prevent a thief from getting into the car while it is locked. Another defense is to regularly check the list of keys allowed to unlock and start the car, through a process Tesla calls “whitelisting.” Tesla owners may want to perform this check after handing an NFC card to an untrusted mechanic or valet.
Based on the lack of response Herfurt said he received from Tesla about vulnerabilities he found in 2019 and again last year, he is not holding his breath that the company will fix the issue.
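To make the authorization flaw and the countermeasures concrete, here is a small added model (constructed for this article; it is not Tesla's code and does not speak the VCSEC protocol) of a vehicle whose NFC-card unlock opens the 130-second window. The flawed policy lets that window alone authorize key enrolment; the hardened policy (an assumption about how the card's two roles could be separated, not something Tesla has shipped) requires an authenticated owner action; the Pin2Drive flag shows why it blocks driving but not enrolment; and the whitelist-style review surfaces an unexpected key either way.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

NFC_WINDOW_SECONDS = 130  # window length quoted in the article


@dataclass
class Vehicle:
    """Toy vehicle model (constructed; not Tesla firmware or the VCSEC protocol)."""
    keys: Set[str] = field(default_factory=lambda: {"owner-card"})
    nfc_unlock_at: Optional[float] = None
    pin2drive: bool = False                # owner has enabled Pin2Drive
    enrol_needs_owner_auth: bool = False   # hardened policy (assumption, not Tesla's)

    def unlock_with_card(self, key_id: str, now: float) -> bool:
        if key_id not in self.keys:
            return False
        self.nfc_unlock_at = now           # opens the 130-second window
        return True

    def in_window(self, now: float) -> bool:
        return self.nfc_unlock_at is not None and now - self.nfc_unlock_at <= NFC_WINDOW_SECONDS

    def start_drive(self, now: float, pin_ok: bool = False) -> bool:
        # Pin2Drive blocks driving but, as the article notes, not entry or enrolment.
        return self.in_window(now) and (pin_ok or not self.pin2drive)

    def enrol_key(self, new_key: str, now: float, owner_auth: bool = False) -> bool:
        # Flawed policy: the same window that authorises driving authorises key management.
        # Hardened policy: enrolment needs an authenticated owner action, window or not.
        if self.enrol_needs_owner_auth and not owner_auth:
            return False
        if not self.in_window(now):
            return False
        self.keys.add(new_key)
        return True


def unexpected_keys(vehicle: Vehicle, known: List[str]) -> List[str]:
    """Owner-side 'whitelist' review: keys present that the owner never added."""
    return sorted(vehicle.keys - set(known))


def scenario(hardened: bool, pin2drive: bool = False) -> Tuple[bool, bool, List[str]]:
    """Card unlock at t=0, driver starts at t=5, BLE peer tries enrolment at t=60 with no owner auth."""
    v = Vehicle(pin2drive=pin2drive, enrol_needs_owner_auth=hardened)
    v.unlock_with_card("owner-card", now=0.0)
    drove = v.start_drive(now=5.0)
    enrolled = v.enrol_key("unknown-key", now=60.0)
    return drove, enrolled, unexpected_keys(v, ["owner-card"])
```

Running `scenario(False)` reproduces the article's outcome (the unknown key is accepted silently inside the window), while `scenario(True)` shows the same exchange rejected once enrolment is tied to owner authentication rather than to the drive timer.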
“I got the impression that they always already knew and were not going to change anything,” he said. “This time, Tesla cannot be unaware of this poor implementation. So it didn’t make sense for me to talk to Tesla beforehand.”
This story originally appeared on Ars Technica.
Credit: www.wired.com