A new attack can unlock and launch a Tesla Model Y in seconds, the researchers say

Tesla prides itself on its cybersecurity protections, especially the challenge-response system that protects its cars from conventional replay attacks on the unlocking system. But now a researcher has demonstrated a relay attack that would allow someone standing next to a Tesla Model Y to unlock and steal it in seconds, as long as an accomplice can get within a few centimeters of the owner's key.

The vulnerability, discovered by Josep Pi Rodriguez, IOActive's principal security consultant, is what is known as an NFC relay attack and requires two thieves working in tandem. One thief must be near the car and the other near the car owner, who has an NFC key card or a phone with a Tesla virtual key in their pocket or purse.

Near-field communication (NFC) key cards allow Tesla owners to unlock their vehicles and start the car by tapping the card against an NFC reader built into the driver's side of the car. Owners can also use a key fob or a virtual key on their phone to unlock the car, but the car's manual advises them to always carry the NFC key card as a backup in case they lose the key fob or phone, or the phone battery runs out.

In Rodriguez's scenario, attackers can steal a Tesla Model Y as long as one of them can get within about two inches of the owner's NFC card or phone with a Tesla virtual key, for example by walking up close to someone's pocket or purse on the street, standing in line at a Starbucks, or sitting at the next table in a restaurant.

The first attacker uses a Proxmark RDV4.0 device to initiate communication with the NFC reader in the driver's door pillar. The car responds with a challenge that the owner's NFC card is supposed to answer. In the attack scenario, however, the Proxmark transmits the challenge over Wi-Fi or Bluetooth to a phone held by the accomplice, who holds it near the owner's pocket or purse so it can communicate with the key card. The key card's response is relayed back to the Proxmark, which passes it to the car. The car sees a valid answer to its challenge, authenticates the thief, and unlocks.

Relaying over Wi-Fi or Bluetooth limits the distance between the two accomplices, but Rodriguez says the attack works over Bluetooth with the accomplices several meters apart, and over a greater distance with Wi-Fi, using a Raspberry Pi to forward the signals. He believes it would also be possible to carry out the attack over the internet, allowing an even greater distance between the two accomplices.

If it takes the second accomplice a while to get close to the owner, the car keeps sending a challenge until it gets a response. Alternatively, the Proxmark can send the car a message saying that it needs more time to produce the response to the challenge; this is the standard waiting-time extension that ISO/IEC 14443-4 contactless cards may request from a reader, and a reader that grants it unconditionally gives a relay all the slack it needs.

Until last year, drivers using the NFC card to unlock their Tesla also had to place the card on the console between the front seats to shift into gear and drive. A software update last year eliminated that extra step. Now, drivers can operate the car simply by pressing the brake pedal within two minutes of unlocking it.

The attack devised by Rodriguez can be mitigated if car owners enable the PIN-to-drive feature in their Tesla, which requires them to enter a PIN before the car will drive. But Rodriguez expects that many owners have not enabled this feature and may not even be aware it exists. And even with it enabled, thieves could still unlock the car to steal valuables inside.

There is a hitch in the operation: once the thieves turn the car off, they cannot restart it, because they never had the original NFC key card. Rodriguez says they could add a new NFC key card to the vehicle that would let them use the car at will. But adding a key requires authenticating again, which means a second relay attack: once the first accomplice is inside the car after the initial relay, the second accomplice has to get close to the owner's NFC card again and repeat the relay, letting the first accomplice authenticate to the vehicle and enroll a new key card.

If the attackers are not interested in driving the vehicle for long, they could also strip the car for parts, as has happened in Europe. Rodriguez says that eliminating the relay problem he found would not be an easy task for Tesla.

“Solving this problem is really difficult without modifying the car’s hardware, in this case the NFC reader and the software that is in the vehicle,” he says.

But he says the company could make some changes to mitigate it, such as reducing the time the NFC card is allowed to take to respond to the reader in the car.

"The communication between the first attacker and the second attacker lasts only two seconds [right now], but it's a long time," he notes. "If you only have half a second or less to do it, it would be really hard."
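The following is an added example, not code from the article, from IOActive or from Tesla, that models the relay described above (the Proxmark at the door pillar, the phone at the victim's pocket) and the timing mitigation Rodriguez proposes. It uses a constructed challenge-response scheme (a random 16-byte challenge answered with HMAC-SHA256 under a constructed card secret); Tesla's actual card protocol, the real RF timings and the deadline values are all assumptions chosen to illustrate the reasoning. Time is simulated rather than slept, so the run is deterministic. The last two scenarios show the point made about the "I need more time" message: a tight deadline only helps if the reader also refuses to stack waiting-time extensions.

```python
"""Constructed model of an NFC challenge-response unlock and a two-hop relay.

Not Tesla's protocol or any Proxmark code: the key card answers a 16-byte
random challenge with HMAC-SHA256, and the reader accepts the answer only if
it is correct AND arrives within a deadline. Elapsed time is simulated.
"""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed sample secret; a real card's key is provisioned at pairing.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# A link carries a challenge to a card and returns
# (seconds elapsed, waiting-time extensions requested, response bytes).
Link = Callable[[bytes], Tuple[float, int, bytes]]


@dataclass
class KeyCard:
    secret: bytes

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class Reader:
    """Simulated reader in the door pillar."""
    secret: bytes
    deadline_s: float        # response must arrive within this window
    honor_wtx: bool = True   # grant "I need more time" requests from the tag?
    max_wtx: int = 3         # how many extensions one transaction may stack

    def authenticate(self, link: Link) -> bool:
        challenge = os.urandom(16)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        elapsed, wtx_requests, response = link(challenge)
        allowed = self.deadline_s
        if self.honor_wtx:
            # Each granted extension re-arms the deadline for another window.
            allowed += min(wtx_requests, self.max_wtx) * self.deadline_s
        if elapsed > allowed:
            return False                      # too slow: drop the transaction
        return hmac.compare_digest(expected, response)


def direct_link(card: KeyCard, rf_latency_s: float = 0.005) -> Link:
    """Owner taps the card on the reader: one short RF exchange, no extensions."""
    def link(challenge: bytes):
        return rf_latency_s, 0, card.answer(challenge)
    return link


def relay_link(card: KeyCard, hop_latency_s: float, reader_deadline_s: float) -> Link:
    """Two accomplices: device at the car <-> phone at the victim's pocket.

    The challenge crosses the out-of-band hop (Bluetooth/Wi-Fi), the phone
    presents it to the real card, and the answer comes back the same way.
    If that round trip outlasts the reader's deadline, the car-side device
    stalls the reader with waiting-time extensions until the answer arrives.
    """
    def link(challenge: bytes):
        elapsed = 2 * hop_latency_s
        extensions = max(0, math.ceil(elapsed / reader_deadline_s) - 1)
        return elapsed, extensions, card.answer(challenge)
    return link


# --- Scenarios (assumed timings: 0.9 s per relay hop, 2 s vs 0.5 s deadlines) ---

def owner_unlock() -> bool:
    return Reader(CARD_SECRET, deadline_s=2.0).authenticate(direct_link(KeyCard(CARD_SECRET)))


def relay_with_lax_deadline() -> bool:
    """Today's two-second window: a 1.8 s relayed answer is accepted."""
    reader = Reader(CARD_SECRET, deadline_s=2.0)
    return reader.authenticate(relay_link(KeyCard(CARD_SECRET), 0.9, reader.deadline_s))


def relay_with_tight_deadline_but_wtx() -> bool:
    """Half-second window, but the reader still grants extensions: relay survives."""
    reader = Reader(CARD_SECRET, deadline_s=0.5, honor_wtx=True)
    return reader.authenticate(relay_link(KeyCard(CARD_SECRET), 0.9, reader.deadline_s))


def relay_with_tight_deadline_no_wtx() -> bool:
    """Half-second window and no extensions: the relayed answer is dropped."""
    reader = Reader(CARD_SECRET, deadline_s=0.5, honor_wtx=False)
    return reader.authenticate(relay_link(KeyCard(CARD_SECRET), 0.9, reader.deadline_s))


def cloned_card_without_secret() -> bool:
    """A card that does not hold the secret fails the MAC check, relay or not."""
    return Reader(CARD_SECRET, deadline_s=2.0).authenticate(direct_link(KeyCard(b"guess")))


if __name__ == "__main__":
    for fn in (owner_unlock, relay_with_lax_deadline, relay_with_tight_deadline_but_wtx,
               relay_with_tight_deadline_no_wtx, cloned_card_without_secret):
        print(f"{fn.__name__:36s} unlocked={fn()}")
```

The model makes the asymmetry explicit: the cryptography is never broken (the cloned card fails), only the assumption that a correct answer implies the card is at the reader. Shortening the window is the cheap fix, but a reader that keeps honouring stacked waiting-time extensions has not actually shortened anything; a production fix would cap or refuse extensions and, ideally, bound the round trip at the frame level rather than in software.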

Rodriguez says, however, that the company downplayed the problem when he reported it, pointing to the PIN-to-drive feature as a mitigation. That feature requires a driver to enter a four-digit PIN on the car's touchscreen before the vehicle will drive. It is unclear whether a thief could simply try to guess the PIN: Tesla's user manual does not say whether the car locks out a driver after a certain number of failed attempts.

Tesla did not respond to a request for comment from The Verge.

This is not the first time researchers have found ways to unlock and steal Tesla vehicles. Earlier this year, another researcher found a way to start a car with an unauthorized virtual key, though that attack requires the attacker to be nearby while the owner unlocks the car. Other researchers have shown a key fob attack that intercepts and then replays the communication between an owner's fob and the vehicle.

Rodriguez says that despite the vulnerabilities found in Tesla vehicles, he thinks the company has a better security track record than other carmakers.

"Tesla takes security seriously, but because their cars are much more high-tech than other manufacturers', this increases their attack surface and opens the door for attackers to find vulnerabilities," he notes. "That said, for me, Tesla vehicles have a good level of security compared to other manufacturers that are even less technological."

He adds that an NFC relay attack is also possible against vehicles from other manufacturers, but "these vehicles have no PIN-to-drive mitigation."
