A security researcher successfully exploited a vulnerability that allowed them to not only unlock a Tesla, but also drive away without having to touch one of the car’s keys.
How was the Tesla hacked?
In a video shared with Reuters, Sultan Qasim Khan, a researcher at the cybersecurity firm NCC Group, demonstrates the attack on a 2021 Tesla Model Y. NCC Group's public disclosure also states that the attack was successful against a 2020 Tesla Model 3. Using a relay device attached to a laptop, the attacker wirelessly bridges the gap between the victim's car and phone, tricking the vehicle into thinking the phone is within range when it could be hundreds of feet (or even miles) away.
A hack based on Bluetooth Low Energy
If this attack method sounds familiar to you, it should. Cars using key fobs with rolling-code authentication are susceptible to relay attacks similar to the one Khan demonstrated against the Tesla. With a traditional key fob, a pair of crooks extend the vehicle's passive keyless-entry polling signals to a second device within range of the actual key. This Bluetooth Low Energy (BLE) based attack, however, can be run by a pair of thieves or by a single person who places a small Internet-connected relay somewhere the owner needs to go, like a coffee shop. Once the unsuspecting owner is within range of the relay, it takes only a few seconds (10 seconds, according to Khan) for the bad actor to drive away.
We have seen relay attacks used before in many carjackings across the country. This new attack vector similarly uses range extension to trick the Tesla into thinking a phone or key fob is within range. However, instead of targeting a traditional vehicle key fob, this particular attack targets the victim's cell phone, or Tesla's BLE-enabled key fobs, which use the same radio technology as the phone.
Tesla cars are vulnerable because of this type of proximity technology
The specific attack stems from an inherent weakness in the BLE protocol, which Tesla uses for its phone-as-a-key feature and for the Model 3 and Model Y key fobs. This means that while Teslas are vulnerable to this attack vector, they are far from the only target. Residential smart locks, and just about any connected device that uses BLE to detect device proximity (something the protocol was never designed to do, according to NCC), are also affected.
“In effect, the systems that people rely on to protect their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken by inexpensive off-the-shelf hardware,” NCC Group said in a statement. “This research illustrates the danger of using technologies for reasons other than intended, especially when it comes to security issues.”
Other brands such as Ford and Lincoln, BMW, Kia and Hyundai could also suffer from these hacking attacks.
Perhaps even more problematic is that this is an attack on a communication protocol rather than a specific flaw in the vehicle's operating system. Any car that uses BLE for phone-as-a-key (such as some Ford and Lincoln vehicles) is likely to be susceptible. In theory, this type of attack might also succeed against manufacturers that use Near-Field Communication (NFC) for their phone-as-a-key feature, such as BMW, Hyundai, and Kia, although that has not yet been demonstrated, and both the hardware and the attack vector would have to be different to carry out such an attack over NFC.
Tesla has the advantage of PIN to Drive
Tesla introduced a feature called "PIN to Drive" in 2018 that, if enabled, acts as a multi-factor security layer to prevent theft. So even if this attack were carried out on an unsuspecting victim in the wild, the attacker would still need to know the vehicle's unique PIN to drive away with it.
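To make the two points above concrete (why a relay defeats BLE proximity checks, and why PIN to Drive still blocks the drive-away), here is an added simulation that is not part of the original article and not Tesla's or NCC Group's code. It assumes a generic HMAC challenge-response between car and phone, with a constructed shared key, and models the relay as two boxes that forward bytes unchanged.

```python
import hashlib
import hmac
import os

# Constructed example: one shared secret provisioned between car and phone key.
# The challenge-response below is a generic HMAC scheme, not Tesla's protocol.
SHARED_KEY = os.urandom(32)


class PhoneKey:
    """The owner's phone: answers any challenge it receives over the BLE link."""
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class RelayPair:
    """Two boxes, one near the car and one near the phone, forwarding bytes as-is."""
    def __init__(self, phone):
        self.phone = phone
        self.hops = 0

    def respond(self, challenge):
        self.hops += 2  # car-side box -> phone-side box, and the answer back again
        return self.phone.respond(challenge)  # payload is neither decrypted nor altered


class Car:
    """Treats a valid answer on the BLE link as proof that the key is nearby."""
    def __init__(self, key, pin_to_drive=None):
        self.key = key
        self.pin_to_drive = pin_to_drive

    def unlock(self, link):
        challenge = os.urandom(16)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(link.respond(challenge), expected)

    def start(self, link, pin_entered=None):
        if not self.unlock(link):
            return False
        # Second factor: something the person in the seat knows; the relay cannot carry it.
        return self.pin_to_drive is None or pin_entered == self.pin_to_drive


def scenario(pin_to_drive=None, pin_entered=None):
    phone, relay = PhoneKey(SHARED_KEY), RelayPair(PhoneKey(SHARED_KEY))
    car = Car(SHARED_KEY, pin_to_drive)
    return {
        "direct_unlock": car.unlock(phone),
        "relayed_unlock": car.unlock(relay),   # crypto passes; proximity was never authenticated
        "relayed_drive": car.start(relay, pin_entered),
        "relay_hops": relay.hops,
    }
```

The HMAC check is sound in every case; what the relay defeats is the unstated assumption that reachability over BLE implies physical proximity, which is exactly the gap PIN to Drive closes with a factor that never travels over the radio.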