When the driver enters the car after unlocking it with an NFC card, the thief uses the armed Teslakee to exchange messages with the car. Even before the driver has driven away, those messages enroll a key of the thief's choice in the car. From then on, the thief can use that key to unlock, start and turn off the car. Nothing on the in-car display or in the legitimate Tesla app indicates that anything is wrong.
Herfurt has successfully used the attack on Tesla Models 3 and Y. He hasn’t tested the method on new 2021+ facelift models of the S and X, but he assumes they’re also vulnerable because they use the same native support for phone-as-a-key with BLE.
Tesla did not respond to an email requesting comment for this post.
Parlez-vous VCSec?
The vulnerability is due to the dual role played by the NFC card. It doesn’t just open a locked car and start it; it is also used to authorize key management.
Herfurt said:
The attack uses Tesla’s way of handling the unlocking process via NFC card. This works because Tesla’s authorization method doesn’t work. There is no connection between the online account world and the offline BLE world. Any attacker who can see a vehicle’s Bluetooth LE ads can send VCSEC messages to it. This wouldn’t work with the official app, but an app that can also speak the Tesla-specific BLE protocol… allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with each vehicle if requested.
Herfurt created Teslakee as part of Project Tempa, which “provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app to control vehicles via Bluetooth LE.” Herfurt is a member of Trifinite Group, a research and hacker collective that focuses on BLE.
The attack is technically simple enough to perform, but the mechanics of staking out an unattended vehicle, waiting for or forcing the owner to unlock it with an NFC card, and later catching up with and stealing the car can be cumbersome. This method probably isn't practical in many theft scenarios, but it seems feasible for some.
With Tesla maintaining radio silence on this weakness, there’s only so much concerned owners can do. A countermeasure is to set up Pin2Drive to prevent thieves using this method from starting a vehicle, but it will do nothing to prevent the thief from entering the car when it is locked. Another safeguard is to regularly check the list of keys that are authorized to unlock and start the car through a process Tesla calls “whitelisting.” Tesla owners may want to do this check after giving an NFC card to an untrusted mechanic or parking attendant.
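The design point behind the weakness described above (an NFC card tap doubling as authorization for key management, with no link back to the owner's account) and the whitelist check recommended to owners can both be seen in a small model. The following is an added example, not Tesla's code and not the VCSEC protocol: the vehicle classes, the HMAC-based owner approval used as the hardened variant, and the sample key names are all constructed here for illustration.

```python
"""Constructed model of key enrollment with and without account binding.

Not Tesla's implementation: the data model, the 'approval' value and the
audit routine are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    """Minimal stand-in for a car's key whitelist (constructed)."""
    whitelist: set = field(default_factory=set)
    card_session: bool = False   # True while an NFC-card unlock is being handled


@dataclass
class VulnerableVehicle(Vehicle):
    """Card presence alone authorises key management, the flaw described in the article."""

    def enroll_key(self, key_id: str, approval: bytes = b"") -> bool:
        # Any BLE peer that times its message into the card session gets a key enrolled.
        # The approval value is ignored: there is no link to the account world.
        if self.card_session:
            self.whitelist.add(key_id)
            return True
        return False


@dataclass
class HardenedVehicle(Vehicle):
    """Enrollment additionally requires an approval bound to the owner's account.

    Assumed mitigation for this example: the car holds a secret shared with the
    owner's account and accepts a new key only with an HMAC over the key id that
    the account side produced (e.g. after the owner confirmed in the app).
    """
    account_secret: bytes = b""

    def enroll_key(self, key_id: str, approval: bytes = b"") -> bool:
        expected = hmac.new(self.account_secret, key_id.encode(), hashlib.sha256).digest()
        if self.card_session and hmac.compare_digest(expected, approval):
            self.whitelist.add(key_id)
            return True
        return False


def owner_approval(account_secret: bytes, key_id: str) -> bytes:
    """What the owner's account side would emit when approving key_id (assumed format)."""
    return hmac.new(account_secret, key_id.encode(), hashlib.sha256).digest()


def audit_whitelist(vehicle: Vehicle, keys_owner_recognises: set) -> set:
    """The periodic check recommended above: keys the car trusts that the owner does not."""
    return set(vehicle.whitelist) - keys_owner_recognises


def run_scenario() -> dict:
    """Replay the article's sequence against both models with constructed key names."""
    secret = secrets.token_bytes(32)
    owner_keys = {"owner-phone"}
    results = {}
    cars = (
        ("vulnerable", VulnerableVehicle(whitelist=set(owner_keys))),
        ("hardened", HardenedVehicle(whitelist=set(owner_keys), account_secret=secret)),
    )
    for name, car in cars:
        car.card_session = True   # driver taps the NFC card
        # A BLE peer with no relationship to the account can only guess an approval.
        thief_enrolled = car.enroll_key("thief-key", secrets.token_bytes(32))
        # The owner legitimately adds a spare phone with an approval from their account.
        spare_enrolled = car.enroll_key("spare-phone", owner_approval(secret, "spare-phone"))
        car.card_session = False
        results[name] = {
            "thief_enrolled": thief_enrolled,
            "spare_enrolled": spare_enrolled,
            "unrecognised": audit_whitelist(car, owner_keys | {"spare-phone"}),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

In the vulnerable model the audit is the only thing that surfaces the extra key, which is why the article's advice to review the whitelist matters; in the hardened model the rogue enrollment never lands because the card session alone is not enough.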
Based on the lack of response Herfurt said he received from Tesla regarding vulnerabilities he discovered in 2019 and again last year, he isn't holding his breath that the company will address the problem.
“My impression was that they always knew things and wouldn’t really change,” he said. “This time there is no way that Tesla is not aware of that poor implementation. So for me there was no point in talking to Tesla beforehand.”
This story originally appeared on Ars Technica.