Posted on June 11, 2022 at 2:46 AM
Hackers exploit Tesla NFC Card Flaw That Allows Them to Create Their Own Keys
Researchers have discovered that a recent Tesla update can give anyone the ability to create their key when the car is unlocked with an NFC card. The update was issued by Tesla to make the vehicles easier to start, but a researcher says the new feature can now be exploited.
In the past, drivers who unlock their cars with the Tesla BFC key card usually place the card on the center console to start driving. The update was reported in August last year. After the update, it allowed drivers to operate their Tesla vehicles immediately after they have unlocked them with the NFC card. Apart from the card, the drivers can also unlock the car using a phone app or a fob.
The Vulnerability Allows Hackers to Use Entirely New Keys
Austria-based security researcher Martin Herfurt, who discovered the vulnerability, stated that he noticed something strange about the new feature. He stated that apart from allowing the car to start within 130 seconds of unlocking with the NFC card, it also accepts entirely new keys. Worse is the fact that there will be no indication from the in-car display or any authentication required for the use of the key.
“The authorization given in the 130-second interval is too general … it’s not only for drive,” Herfurt stated.
He added that Tesla introduced the timer to ensure that the NFC card is the main way of operating the car more conveniently. It means that the user does not need to key the card a second time before it can be started and driven.
However, the issue is the fact that within that 130-second interval, the authorization for the driving of the car is also extended to a new key.
The Tesla phone app does not allow keys to be used unless it is linked to the owner’s account. But Herfurt still discovered the car can easily exchange messages with any Bluetooth Low Energy device that is close. To test and verify the vulnerability, the researcher designed his app called Teslakee. The app speaks VCSec, which is the official language the official Tesla app uses when communicating with Tesla cars.
A Hacker Can Easily Enroll Their Key
Herfurt noted that the malicious app he designed for proof-of-concept indicates that it can be very easy for a threat actor or a thief to enroll their key during the 130-second interval. The researcher is planning to release a light version of the Teslakee, which will make such attacks more difficult to accomplish.
To successfully enroll the key and steal the car, the only thing required is for the thief to be close to the car during the vital 130-second window when it will be unlocked with the NFC card. The attacker can also force the use of the NFC card by utilizing a signal jammer, which blocks the BLE frequency. This is possible even when the car owner uses a phone app the unlock the car, the most common method for Tesla drivers,
Once the driver unlocks and enters the Tesla, the thief can exchange messages between the car and the weaponized Yeslakee. And before the driver moves the car, the messages align the thief’s key with the car, giving it access.
From then, it becomes easier for the thief to use the key to operate the car. And there is no indication from the legitimate Tesla app or the in-car display that anything is wrong, which makes it easier for the theft to occur.
The Flaw Has Been Exploited On Tesla Model Y And 3
Herfurt said he has successfully used the method on Tesla Model Y and 3. But the method has not been tested on Tesla S and X models. However, he thinks they could also be vulnerable
The vulnerability comes due to double roles played by the NFC card. Apart from opening a locked car and starting it, the card can also be used to authorize key management. Herfurt added that the attack takes advantage of Tesla’s method of unlocking its cars through the NFC card.
The attack works because the authorization method is broken, and there is no link between the offline BLE world and the online account world. This gives the attacker the access to send VCSEC messages to the advertised Bluetooth LE for the Tesla car. Herfurt said it ultimately enables the attacker to enroll keys for arbitrary vehicles, as the Teslakee device can communicate with the vehicle when it is told to.