Salzburg IT security researcher Martin Herfurt was originally a big Tesla fan. For his own company, IT-Wachdienst.com, through which he provides IT security services, he bought a Tesla Model 3 as a company vehicle. At the time he had no idea that he would one day publish YouTube videos in which he demonstrates how the car can be unlocked and stolen without much effort.
“The first thing I noticed about Tesla is that every vehicle has a permanent ID that is available. This allows the cars to be tracked accurately, and the ID also allows us to draw conclusions about the chassis number,” Herfurt told Futurezone. He reported this to Tesla and, according to the researcher, received the response that in the United States there were already cameras everywhere that record license plates, and so nothing would change in this practice.
Herfurt then took a closer look at his Model 3. In 2022 the security researcher started Project “Mood” and cracked the unlocking of the Tesla via Bluetooth on the smartphone and via NFC card. He has released a series of YouTube videos showing how easy it is to steal a Tesla if you are “reasonably” near the vehicle and have the right equipment. In the video “Tesla Parking Lot Jobs” you can see, for example, how Herfurt executes a so-called “man in the middle” attack via 2 Raspberry Pis: one Raspberry Pi communicates with the owner’s smartphone, the other with the car. “It was very easy to do,” Herfurt told Futurezone.
3 Ways to Unlock Your Tesla
There are 3 ways to unlock Tesla electric cars. The first way, of which Tesla is particularly proud, is to unlock and drive away with the smartphone: the car detects a nearby smartphone via Bluetooth and unlocks.
Tesla also sells a fob as an alternative, which is used like a radio key. Herfurt hasn’t hacked it yet, because radio keys don’t work for him.
Method number 3 is an NFC card. If you buy a Tesla, you get 2 of them. You also need one to activate the smartphone as a key for the first time using the Tesla app. Unlocking via NFC card can also be hacked, as you can see in the YouTube video “Gone in 130 seconds”.
Here’s how the hack works
The hack works as follows: after the owner uses the NFC card to unlock, the vehicle accepts Bluetooth LE connections for 130 seconds. During this time, the official Tesla app can communicate with the vehicle to turn the smartphone into a car key, for example if the owner has changed cell phones.
According to Herfurt, any key can be sent to the Tesla in this time window. To do this, the third-party smartphone simply needs to be within range of the electric car. But how far away can you really be? “Several 100 meters are no problem at all. All you need is a directional antenna. The owner doesn’t even notice that someone is lurking there,” says Herfurt.
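The 130-second window described above, as a simplified model added here for illustration (it is not code from Tesla or from Herfurt's tools). The class, its method names and the confirmation step in the hardened variant are assumptions, and the timeline is constructed.

```python
from dataclasses import dataclass, field

ENROLL_WINDOW_S = 130  # window length given in the article


@dataclass
class Vehicle:
    """Toy model of a key whitelist; not Tesla's firmware or protocol."""
    confirm_enrollment: bool  # False models the behaviour described above
    whitelist: set = field(default_factory=set)
    window_opened_at: float = float("-inf")
    armed: bool = False

    def card_tap(self, now: float, purpose: str = "unlock") -> None:
        """Owner presents the NFC card; purpose is 'unlock' or 'enroll'."""
        self.window_opened_at = now
        # Hardened variant (assumption): only a deliberate 'enroll' tap arms enrollment.
        self.armed = purpose == "enroll"

    def enroll(self, key_id: str, now: float) -> bool:
        """A Bluetooth LE peer asks to add key_id to the whitelist."""
        if not 0 <= now - self.window_opened_at <= ENROLL_WINDOW_S:
            return False  # outside the 130-second window
        if self.confirm_enrollment and not self.armed:
            return False  # card was tapped to drive, not to add a key
        self.armed = False  # one key per confirmation
        self.whitelist.add(key_id)
        return True


def unexpected_keys(vehicle: Vehicle, owner_keys: set) -> set:
    """Audit check: whitelist entries the owner never enrolled."""
    return vehicle.whitelist - owner_keys


def scenario(confirm_enrollment: bool) -> dict:
    """Constructed timeline: owner unlocks at t=1000; a foreign key is offered 60 s and 200 s later."""
    car = Vehicle(confirm_enrollment)
    owner = {"owner-phone"}
    car.card_tap(0, "enroll")
    car.enroll("owner-phone", 5)      # legitimate pairing
    car.card_tap(1000, "unlock")      # later: owner just wants to drive
    in_window = car.enroll("foreign-key", 1060)
    late = car.enroll("foreign-key", 1200)
    return {"in_window": in_window, "late": late,
            "unexpected": unexpected_keys(car, owner)}
```

With `confirm_enrollment=False` the foreign key lands on the whitelist during the window and shows up in the audit; with `True` the same request is refused because the card tap was not made for enrollment.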
To protect the car keys on the smartphone, Tesla added the PIN2Drive feature. “But you can still trick the owner into unlocking the car with an NFC card, for example with a Bluetooth jammer, and this method is still vulnerable to hacks,” Herfurt explains. But the PIN2Drive code, which Tesla recommends to owners as protection against attacks, can also be spoofed. This can be seen in the video “Not a Numbers Game – Bypass2Drive”.
New attack scenario
At the Dutch conference “May Contain Hackers” (#MCH2022) in Zeewolde, the security expert presented how the Tesla Model 3 can still be hacked (PDF of slides). There he showed an attack that he calls the “Tesla Authorization Extraction / Replay Attack”. A potential attacker obtains lock codes from the owner’s cell phone in order to use them later on the vehicle and make off with it.
“The problem here is that Tesla’s smartphone application talks to anything that looks like a real vehicle at the Bluetooth level. For every secure interaction with the vehicle, the smartphone app has to cryptographically prove that it’s valid. On the other hand, the vehicle can say what it wants and does not have to provide any proof of authenticity,” the researcher said in an interview with Futurezone. He has published a tool on GitHub called “Temporary”, which exploits this problem. It allows you to pretend to be a legitimate Tesla vehicle in order to deceive the smartphone app and unlock the car.
The hack that the Salzburg researcher shows works not only with the Model 3, but also with all Tesla Model S and X from 2021.
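The one-sided authentication Herfurt describes, shown next to a phone that checks the vehicle first. This is an added example, not part of the original article and not Tesla's or Herfurt's code: a shared-secret HMAC challenge-response stands in for the real key protocol, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def proof(secret: bytes, role: bytes, nonce: bytes) -> bytes:
    """HMAC over the peer's nonce; the role label keeps the two directions distinct."""
    return hmac.new(secret, role + b"|" + nonce, hashlib.sha256).digest()


class Peer:
    """Something on the radio link that claims to be the car (hypothetical class)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.challenge = secrets.token_bytes(16)

    def prove(self, phone_nonce: bytes) -> bytes:
        return proof(self.secret, b"vehicle", phone_nonce)

    def accepts(self, response: bytes) -> bool:
        expected = proof(self.secret, b"phone", self.challenge)
        return hmac.compare_digest(expected, response)


class Phone:
    def __init__(self, secret: bytes, verify_vehicle: bool):
        self.secret = secret
        self.verify_vehicle = verify_vehicle  # False models the behaviour described above

    def authorize(self, peer: Peer):
        """Return an unlock authorization for peer, or None if the peer is rejected."""
        if self.verify_vehicle:
            nonce = secrets.token_bytes(16)
            claimed = peer.prove(nonce)
            if not hmac.compare_digest(claimed, proof(self.secret, b"vehicle", nonce)):
                return None  # peer could not prove it is the paired car
        return proof(self.secret, b"phone", peer.challenge)


def run(verify_vehicle: bool) -> dict:
    """Constructed scenario: the paired car and a look-alike without the pairing secret."""
    pairing_secret = secrets.token_bytes(32)
    phone = Phone(pairing_secret, verify_vehicle)
    car = Peer(pairing_secret)
    lookalike = Peer(secrets.token_bytes(32))  # advertises like the car, no shared secret
    to_car = phone.authorize(car)
    to_lookalike = phone.authorize(lookalike)
    return {"car_unlocks": to_car is not None and car.accepts(to_car),
            "lookalike_got_authorization": to_lookalike is not None}
```

Verifying the peer stops authorizations from being handed to a look-alike; it does not by itself address a live relay between the phone and the real car.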
No more reports to Tesla
Herfurt not only wants to point out Tesla security gaps, but also has a solution: he is involved in the development of TeslaKee, an app of his own, which should enable secure communication between the vehicle and the smartphone. He would like to publish it in autumn 2022. The researcher has long since stopped reporting the weak points he finds to Tesla, even though under Tesla’s own “bug bounty program” security vulnerabilities reported to the company are to be rewarded with prize money of up to 10,000 euros, if the reporters pledge to keep quiet about the security gaps.
Companies usually do this to show that IT security is important to them. “I think Tesla is taking advantage of this. I don’t know anyone who got any money under the program. The amount of time I spent just for fun is a multiple of the maximum amount,” says the researcher. Other researchers also informed Herfurt that their reported vulnerabilities were neither addressed nor rewarded.
“Everything that is smart is insecure”
But are Tesla vehicles now less safe than other cars? “In my opinion, Tesla put a lot of effort into the concept of safety. However, it seems that the high employee turnover in the company also leads to unnecessary errors, which negatively impacts the safety of the product. Other car manufacturers also have security problems. And in general: everything that is smart is weak,” says Herfurt, who will continue his Tesla hacks.