With his hacks, a Salzburg researcher shows how easy it is to steal Teslas
Barbara Wimmer
The Salzburg IT security researcher Martin Herfurt was originally a big Tesla fan. He founded his own company, IT-Wachdienst.com, through which he offers IT security services, and bought a Tesla Model 3 as a company vehicle. Little did he know then that he would one day use the vehicle for YouTube videos in which he demonstrates how the car can be unlocked and stolen without much effort.
“The first thing I noticed about the Tesla is that every vehicle is provided with a permanent ID. This allows the cars to be tracked precisely, and the ID also allows conclusions to be drawn about the chassis number,” Herfurt told futurezone. He reported this to Tesla and received feedback that there were already cameras everywhere in the USA that would record license plates and therefore nothing would change in this practice, according to the researcher.
Herfurt then took a closer look at his Model 3. In 2022, the security researcher started the project “tempo” and cracked the unlocking of the Tesla via Bluetooth on the smartphone and via NFC card. He has released a series of YouTube videos showing how easy it is to steal Teslas if you are “reasonably” near the vehicle and have the right tools with you. The video “The Tesla Parking Lot Job”, for example, shows how Herfurt carries out a so-called “man in the middle” attack using 2 Raspberry Pis: one Raspberry Pi communicates with the owner’s smartphone, the other with the car. “It was very easy to carry out an attack,” Herfurt told futurezone.
3 ways to unlock your Tesla
There are 3 ways to unlock Tesla electric cars. The first, which Tesla prides itself on, is unlocking and driving away with the smartphone. The car recognizes the nearby smartphone via Bluetooth and unlocks.
Tesla also sells an optional fob, which is used like a radio key. Herfurt hasn’t hacked it yet, because the radio key doesn’t work for him.
Method number 3 is an NFC card. If you buy a Tesla, you get 2 of them. You also need one to activate the smartphone as a key for the first time using the Tesla app. Unlocking via NFC card can also be hacked, as the YouTube video “Over in 130 seconds” shows.
Here’s how the hack works
The hack works as follows: After the owner has used the NFC card to unlock, the vehicle accepts Bluetooth LE connections for 130 seconds. During this time, the official Tesla app can communicate with the vehicle to turn the smartphone into a car key, for example if the owner has changed cell phones.
According to Herfurt, any key can be sent to the Tesla within this time window. To do this, the third-party smartphone simply has to be within range of the electric car. But how far away can you really be? “Several 100 meters are no problem at all. You only need a directional antenna. The owner doesn’t even see that someone is lurking there,” says Herfurt.
To protect the smartphone car key, Tesla added the PIN2Drive feature. “But you can still provoke the owner to have to unlock the car with the NFC card, for example with a Bluetooth jammer, and this method is still vulnerable to hacks,” explains Herfurt. But the PIN2Drive code, which Tesla recommends to protect owners from attacks, can also be tricked. This can be seen in the video “NOT a Numbers Game – Bypass2Drive”.
New attack scenario
At the Dutch conference “May contain hackers” (#MCH2022) in Zeewolde, the security specialist presented how the Tesla Model 3 can still be hacked (PDF of the slides). There he showed an attack that he calls the “Tesla Authorization Extraction/Replay Attack”. A potential attacker obtains lock codes from the owner’s cell phone in order to use them later at the vehicle and drive away with it.
“The problem here is that Tesla’s smartphone application just talks to anything that looks like the real vehicle at the Bluetooth level. For each secure interaction with the vehicle, the smartphone app must cryptographically prove that it is legitimate. The vehicle, on the other hand, can say what it wants and does not have to provide any proof of authenticity,” said the researcher in an interview with futurezone. He has published a tool on GitHub called “temporarily”, which exploits this problem. This allows you to pose as a valid Tesla vehicle in order to trick the smartphone app and unlock the car.
The Salzburg researcher’s hacks work not only with the Model 3, but also with all Tesla Model S and X from 2021.
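The one-sided authentication Herfurt describes is closed when the phone releases nothing until the vehicle has proven itself, and when each unlock token is bound to a fresh vehicle nonce. The following is an added sketch of that idea, not code from the article, from Tesla or from TeslaKee; the shared pairing key, the class names and the message layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model: phone and vehicle share a pairing key set up at enrollment
# (an assumption of this sketch, not a description of Tesla's protocol).

def tag(key, role, *parts):
    """HMAC-SHA256 over a role label and length-prefixed fields."""
    mac = hmac.new(key, role, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

class Vehicle:
    def __init__(self, vehicle_id, pairing_key):
        self.vehicle_id, self.key, self.pending = vehicle_id, pairing_key, None

    def prove(self, phone_nonce):
        """Answer the phone's challenge and issue a fresh single-use nonce."""
        self.pending = secrets.token_bytes(16)
        proof = tag(self.key, b"vehicle", self.vehicle_id, phone_nonce, self.pending)
        return self.pending, proof

    def accept(self, token):
        """Accept an unlock token only for the nonce issued in this session."""
        nonce, self.pending = self.pending, None  # consume the nonce either way
        return nonce is not None and hmac.compare_digest(
            token, tag(self.key, b"phone", self.vehicle_id, nonce, b"unlock"))

class Phone:
    def __init__(self, vehicle_id, pairing_key):
        self.vehicle_id, self.key = vehicle_id, pairing_key

    def authorize(self, peer):
        """Release an unlock token only after the peer proves key possession."""
        phone_nonce = secrets.token_bytes(16)
        vehicle_nonce, proof = peer.prove(phone_nonce)
        expected = tag(self.key, b"vehicle", self.vehicle_id, phone_nonce, vehicle_nonce)
        if not hmac.compare_digest(proof, expected):
            return None  # unauthenticated peer: no token is handed over
        return tag(self.key, b"phone", self.vehicle_id, vehicle_nonce, b"unlock")

def run_demo():
    vid, key = b"CONSTRUCTED-VEHICLE-ID", secrets.token_bytes(32)  # constructed values
    car, phone = Vehicle(vid, key), Phone(vid, key)
    lookalike = Vehicle(vid, secrets.token_bytes(32))  # same ID, lacks the pairing key
    token = phone.authorize(car)
    return {"lookalike_gets_token": phone.authorize(lookalike) is not None,
            "fresh_accepted": car.accept(token), "replay_accepted": car.accept(token)}
```

In this model a device that merely advertises the right vehicle ID receives no token, and a token the real vehicle has already consumed is rejected on a second presentation.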
No more reports to Tesla
Herfurt not only points out Tesla security gaps, but also has a solution: he is involved in the development of TeslaKee, its own app through which secure communication between the vehicle and smartphone should be possible. He would like to publish it in autumn 2022. For a long time, the researcher has no longer been reporting the weak points he finds to Tesla, although Tesla has its own “Bug Bounty Program”. Security vulnerabilities that are reported to the company are to be rewarded with prize money of up to 10,000 euros, if the reporters promise to keep quiet about the security vulnerabilities.
Companies usually do this to show that IT security is important to them. “I think Tesla is taking advantage of this. I don’t know anyone who has received any money under the program. The amount of time that I spent just for the fun of it is worth a multiple of the maximum amount,” says the researcher. Other researchers also informed Herfurt that their reported vulnerabilities had neither been remedied nor rewarded. “The bottom line is that Tesla doesn’t exactly cover itself in glory when it comes to dealing with security vulnerabilities.”
“Everything that is smart is vulnerable”
But are Tesla vehicles now less safe than other cars? “In my opinion, Tesla put a lot of effort into the conception of the security. However, it quickly becomes apparent that the high staff turnover in the company also means that unnecessary errors creep in, which have a negative impact on the safety of the product. Other car manufacturers also have safety problems. And in general: everything that is smart is vulnerable,” says Herfurt, who continues his Tesla hacks.