Hacking Tesla’s Remote Key Cards

Interesting vulnerability in Tesla’s NFC key cards:

Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys—with no authentication required and zero indication given by the in-car display.

“The authorization given in the 130-second interval is too general… [it’s] not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla…in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”

Posted on June 14, 2022 at 7:19 AM • 7 Comments

Comments

Clive Robinson June 14, 2022 8:31 AM

@ ALL,

Tesla and yet another “joy” for their customers being,

“Consumers on the bleeding edge”

Par for the course I guess…

Ted June 14, 2022 10:15 AM

Do Tesla owners not get alerts when new keys are added?

Until the authorization protocols are shored up – or even if & when they are secured – why not at least send the owner a message?

lurker June 14, 2022 1:50 PM

@Ted

Bug or feature?

Ars, “. . . the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that’s nearby.”

Ah, there you go, it’s a feature, the well-known BlueTooth promiscuity.

Ars, “There is no indication from the in-car display or the legitimate Tesla app that anything is amiss.”

That must be a feature too: don’t distract the driver with unnecessary information . . .

Ted June 14, 2022 4:02 PM

@lurker

Bug or feature?

So it looks like the new Key Card feature/bug – which gives drivers 130s to start the car after opening it – was rolled out in August 2021.

The attack doesn’t appear to be a free for all. I can’t find gobs of technical documentation, but Martin Herfurt has presentation slides that seem to show how he was able to whitelist keys.

Maybe check out slide 67 and the next few to see his whitelisting process. It would help to have the presentation audio, but oh well.

As I’m sure you saw in the Ars article, there is something in there about him using an app that speaks the VCSEC protocol. I don’t know if all this code is out there?

https://trifinite.org/Downloads/20220604_tempa_presentation_recon22_public.pdf

Mike D. June 14, 2022 10:27 PM

I’m getting one of these soon… wondering how long I’ll get to keep it.

One of the things they mention in the tutorial videos is that they use a key card to authorize your phone, so your phone can act as a key. “Bring your phone” is part of the onboarding process when you pick up your vehicle.

You have to use their app on your phone to complete several steps of the purchase process; I’m not sure how you’re supposed to buy a Tesla without one. The main site tells you to scan a QR code to get the app and follow the instructions in the app.

Anyway, this is an even more interesting bug when you pair it with the relay attack mentioned recently, where you just need a couple of inexpensive devices to relay/tunnel the BLE protocol over some other channel, then get one node next to the car and the other next to wherever the driver keeps their card, and you can unlock the door. In tandem with this bug, you can then pair an arbitrary phone as a new key.

Of course, they can track the car via GPS and the OTA network, so whatever you’re going to do with it, get done fast. It should be trivial for Tesla to verify the identity of the victim, declare the car stolen, and summon law enforcement. And if all else fails, they can send a tow truck over and have the car drive up to it, like for repos.

I’m definitely enabling the PIN-to-start feature on mine.

Bernhard June 15, 2022 1:47 AM

I think it’s a vulnerability in the key enrollment process. The hack exploits the time window for enrolling a new key after the doors have been opened using a card.

This should be prevented by allowing enrollment only when the related screen has been chosen from the UI.

The NFC card or protocol was not hacked.
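A small model of the two policies the thread discusses, added here as an illustration (hypothetical code, not Tesla’s firmware or the VCSEC protocol): the reported behaviour, where the 130-second post-unlock window authorizes both driving and key enrollment, beside Bernhard’s fix, where enrollment requires the owner to pick the enrollment screen and tap an already-trusted card, plus the owner-notification event Ted asks for. Only the 130-second figure comes from the post; the state names, the `FakeClock` and the card identifiers are assumptions.

```python
import dataclasses
import time
from typing import Callable, Optional

DRIVE_WINDOW_S = 130  # post-unlock start window described in the article


class FakeClock:
    """Constructed monotonic clock so the window can be tested deterministically."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t


@dataclasses.dataclass
class KeyAuthState:
    """Hypothetical model of a car's authorization state after an NFC unlock."""
    strict_enroll: bool                      # False reproduces the reported design flaw
    clock: Callable[[], float] = time.monotonic
    unlocked_at: Optional[float] = None      # when the trusted card last unlocked the car
    enroll_screen_open: bool = False         # owner explicitly chose "add key" in the UI
    keys: set = dataclasses.field(default_factory=set)
    events: list = dataclasses.field(default_factory=list)  # audit / owner-alert hook

    def nfc_unlock(self, card_id: str) -> bool:
        if card_id not in self.keys:
            return False
        self.unlocked_at = self.clock()
        return True

    def _in_window(self) -> bool:
        return self.unlocked_at is not None and self.clock() - self.unlocked_at <= DRIVE_WINDOW_S

    def can_drive(self) -> bool:
        return self._in_window()          # both policies allow a start inside the window

    def open_enroll_screen(self) -> None:
        self.enroll_screen_open = True

    def enroll_key(self, new_key: str, card_id: Optional[str] = None) -> bool:
        if self.strict_enroll:
            # hardened: explicit UI action AND a fresh tap of a trusted card, unrelated to the drive window
            ok = self.enroll_screen_open and card_id in self.keys
        else:
            ok = self._in_window()        # flawed: the drive window alone authorizes enrollment
        if ok:
            self.keys.add(new_key)
        self.events.append(("key_enrolled" if ok else "enroll_denied", new_key))
        return ok
```

Every enrollment attempt, granted or denied, lands in `events`, which is the place an owner notification would be raised.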

RussW June 15, 2022 7:00 AM

I’m not surprised, honestly. Tesla is one shady business. Just look up the many, many articles about Tesla’s autopilot turning off right before a crash so you can’t sue them. Gee, I wonder what “Features” would be hidden in Elon’s spacecraft.
