In tests carried out on May 31st, Herfurt, an Austria-based Bluetooth security specialist, found that a Tesla car can be stolen using any Bluetooth Low Energy (LE) device. The exploit depends on the attacker adding their own key to the car within the 130-second window that follows the car being unlocked. Trifinite demonstrated Herfurt’s Proof-of-Concept (PoC) in a YouTube video titled “Gone in under 130 seconds.” The video shows how Herfurt’s weaponized “TeslaKee” software can successfully hijack a Tesla. Herfurt created TeslaKee by reverse-engineering Tesla’s Vehicle Controller Secondary (VCSEC) Bluetooth LE protocol, which communicates with Tesla cars. He is now developing a mobile app to protect Tesla vehicles from the vulnerability he identified.
NFC Update Security Gaps
Currently, Tesla cars can be unlocked in three ways: using Tesla’s NFC card, the key fob, or the app. Tesla released an update in August 2021 to streamline the vehicle access process and make its cars ready to be driven when approached by a driver with an NFC card. The update eliminated the need for drivers to place their cards on the center console to gain access to a car.
NFC is a low-power, short-range wireless technology included in modern smartphones, and it has many potential uses. NFC is the basis for contactless payment systems like Apple Pay. While this technology is expected to play a key role in future smart cities, some experts believe it will be made obsolete by the newer and more advanced Bluetooth LE. Although NFC is widely used today, the security of this technology has yet to be thoroughly investigated.
Therein lies the issue at hand, Herfurt explained. As soon as a Tesla car is unlocked using an NFC card, there is a 130-second interval in which new car keys can be enrolled without authentication, Herfurt revealed. Worse still, he found that drivers were not alerted about any new keys added in this timeframe. Therefore, an attacker within Bluetooth range with access to “a VCSEC client or an app that can handle the key protocol” could simply add their smartphone as a key and steal the car later.
While drivers who use Tesla’s optional smartphone app are notified about new keys, Herfurt notes that these keys “can only be deleted from inside the car using the head unit.” Even Tesla owners who use the phone app to open their cars could be targeted with a “relay attack.” Drivers who choose to unlock their Tesla via the proprietary app, which is supposedly safer, are vulnerable to attackers who use signal jammers to manipulate Bluetooth LE frequencies.
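
The timing condition Herfurt describes can be turned into a review check: flag any key enrollment that lands within 130 seconds of an NFC unlock on the same vehicle. This is an added example, not code from the article, Herfurt, or Tesla. The event schema, vehicle IDs and key names are constructed assumptions, and it presumes unlock and enrollment events are available to the owner or fleet operator.

```python
from datetime import datetime, timedelta

# Interval reported in the article during which keys can be enrolled after an NFC unlock.
ENROLL_WINDOW = timedelta(seconds=130)

# Constructed sample events (hypothetical schema, not a real Tesla log format):
# (ISO timestamp, vehicle id, event type, card or key name)
SAMPLE_EVENTS = [
    ("2022-06-01T08:00:00", "car-A", "nfc_unlock", "card-1"),
    ("2022-06-01T08:01:30", "car-A", "key_added", "phone-X"),  # 90 s after unlock
    ("2022-06-01T09:00:00", "car-B", "nfc_unlock", "card-2"),
    ("2022-06-01T09:05:00", "car-B", "key_added", "phone-Y"),  # 300 s after unlock
    ("2022-06-01T10:00:00", "car-C", "app_unlock", "phone-Z"),
    ("2022-06-01T10:00:20", "car-C", "key_added", "phone-W"),  # no NFC unlock before it
    ("2022-06-01T11:00:00", "car-A", "nfc_unlock", "card-1"),
    ("2022-06-01T11:02:10", "car-A", "key_added", "phone-V"),  # exactly 130 s
]


def flag_window_enrollments(events, window=ENROLL_WINDOW):
    """Return key enrollments made within `window` of the latest NFC unlock
    of the same vehicle. These are candidates for owner review, not proof
    of theft: an owner may legitimately add a key in the same interval."""
    last_nfc = {}   # vehicle id -> time of most recent NFC unlock
    findings = []
    # Sort by parsed time so out-of-order input is handled correctly.
    for ts, vehicle, kind, name in sorted(
            events, key=lambda e: datetime.fromisoformat(e[0])):
        when = datetime.fromisoformat(ts)
        if kind == "nfc_unlock":
            last_nfc[vehicle] = when
        elif kind == "key_added":
            unlocked = last_nfc.get(vehicle)
            # The boundary is treated as inside the window (conservative).
            if unlocked is not None and when - unlocked <= window:
                findings.append({
                    "vehicle": vehicle,
                    "key": name,
                    "seconds_after_unlock": int((when - unlocked).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in flag_window_enrollments(SAMPLE_EVENTS):
        print(finding)
```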
TeslaKee Should Change Things
Herfurt’s TeslaKee mobile app, which is part of his Tesla VCSEC security project called Project Tampa, is available for both Android and iPhone devices, and can “check whether a received authorization request from your car is legitimate and should be answered.” Herfurt said he is developing a “de-weaponized” commercial version of the app to protect Tesla users from such vulnerabilities in the future. For now, it is unclear whether Tesla has addressed this security flaw through an update. When asked a few days ago by a YouTube user whether a fix has been released, Herfurt said: “I have not received the latest software on my car, yet. I’m still on 2022.12.3.2.”
Cutting-edge Automobile Technology: A Double-Edged Sword
Tesla is firmly positioned at the bleeding edge of the automobile industry with several innovations, like its ultra-convenient NFC car access system. This technology has trickled down to practically all Tesla models. However, the quest to apply advanced wireless technologies like NFC can inevitably create cybersecurity gaps. Although keyless technology has been used in the automobile industry for over a decade now, it is still at a primitive stage of its development and has been breached numerous times. Researchers continue to identify security loopholes in Tesla’s pioneering electric vehicles. We’ve reported on a few of these Tesla security exploits uncovered by researchers, including a Bluetooth hack and a drone hack. If you own a Tesla and you’re concerned about how to protect your vehicle, you can learn more about the security of Bluetooth technology in our full guide to Bluetooth safety.