Martin Herfurt, an Austrian security researcher, found an exploitable flaw in one of Tesla’s recent features.
In August 2021, Tesla updated its vehicles so that they can be driven immediately after being unlocked with the NFC key card, without having to place the card on the center console to start driving. Teslas can also be unlocked with a key fob or the mobile app. Herfurt discovered that, after an NFC unlock, the update allows the car to be started for 130 seconds, and that during that same window the car also accepts new keys without any further authentication.
“The permission given in the 130 second interval is too general…it’s not just for driving. This timer was introduced by Tesla…in order to make it more convenient to use the NFC card as the main way of using the car. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: Within the 130-second time frame, not only driving the car is allowed, but also registering a new key,” Herfurt said in an online interview.
Users cannot normally register new keys without the official Tesla phone app connected to the car owner’s account, but the vehicle still talks to any nearby Bluetooth Low Energy (BLE) device. Herfurt therefore wrote an app, Teslakee, which speaks VCSEC, the same protocol the official Tesla app uses to communicate with the car.
With it, Herfurt could register his own key during the 130 seconds after an owner unlocks the vehicle with the NFC key card, and then use that key to unlock and start the car himself. The owner can even be forced to fall back to the NFC card instead of the Tesla app by using a signal jammer to block the BLE frequency the official app uses.
“The attack exploits how Tesla handles the unlocking process via the NFC card. It works because Tesla’s authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see a vehicle’s Bluetooth LE advertisements can send VCSEC messages to it. It wouldn’t work with the official app, but an app that is also able to speak Tesla-specific BLE protocol…allows attackers to register keys for arbitrary vehicles. Teslakee will communicate with any vehicle if told to,” wrote Herfurt.
“I felt like they always already knew and wouldn’t really change things. This time, it’s impossible for Tesla not to be aware of this poor implementation. So for me, there was no point talking to Tesla before,” continued Herfurt.
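The authorization flaw Herfurt describes, an unlock window whose permission is too broad, is easy to see in a toy model of the post-unlock session. The following is an added example written for this article, not Tesla’s or Herfurt’s code; the `Vehicle` class, its key identifiers and timestamps are all constructed, and the 130-second window is the only value taken from the article. In the broken mode the session opened by the NFC tap covers key enrollment too; in the hardened mode enrollment is a separate scope that requires a fresh presentation of an already-enrolled key, so an unauthenticated BLE request inside the window is refused.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

UNLOCK_WINDOW_SECONDS = 130  # post-unlock window described in the article


@dataclass
class Vehicle:
    """Constructed model of post-unlock authorization (not Tesla's code)."""
    scoped_grants: bool                      # False: broken behaviour, True: hardened
    keys: Set[str] = field(default_factory=lambda: {"owner-card"})
    unlocked_at: Optional[float] = None

    def unlock(self, key_id: str, now: float) -> bool:
        """An enrolled key (e.g. the NFC card) opens a 130-second drive session."""
        if key_id not in self.keys:
            return False
        self.unlocked_at = now
        return True

    def _in_window(self, now: float) -> bool:
        return self.unlocked_at is not None and now - self.unlocked_at <= UNLOCK_WINDOW_SECONDS

    def can_drive(self, now: float) -> bool:
        return self._in_window(now)

    def enroll_key(self, new_key_id: str, now: float,
                   confirmed_with: Optional[str] = None) -> bool:
        """Register a new key.
        Broken mode: anyone who asks inside the open window is accepted.
        Hardened mode: enrollment needs a fresh tap of an enrolled key
        (confirmed_with); the drive session alone is not enough."""
        if not self._in_window(now):
            return False
        if self.scoped_grants and confirmed_with not in self.keys:
            return False
        self.keys.add(new_key_id)
        return True


def simulate(scoped_grants: bool) -> dict:
    """Owner taps the card; a third party sends an enroll request 30 s later."""
    v = Vehicle(scoped_grants=scoped_grants)
    t0 = 1000.0                                    # constructed timestamp
    v.unlock("owner-card", t0)
    stranger = v.enroll_key("stranger-key", t0 + 30)    # no card presented
    late = v.enroll_key("late-key", t0 + 131)           # window already closed
    return {"stranger_enrolled": stranger, "late_enrolled": late,
            "stranger_can_unlock_later": v.unlock("stranger-key", t0 + 3600)}
```

`simulate(False)` shows the broken behaviour (the stranger’s key is accepted and works an hour later), while `simulate(True)` refuses it; in the hardened mode a legitimate enrollment still succeeds when the owner confirms with the card.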