autoevolution
 

A Newly Discovered Tesla Vulnerability Allows Thieves To Create Their Own Key

Photo: trifinite. via Youtube
Modern cars are crammed with technology, making them literally computers on wheels. But like any computer, cars have become a legitimate target for hackers. Newly discovered vulnerabilities have shown that even Tesla has problems securing its vehicles.
Whenever old industries adopt new technologies, mistakes are inevitable. Carmakers have gotten many things wrong during the IT revolution, as security researchers have found time and again. Depending on who you listen to, Tesla is not a car company but rather an IT company that also puts wheels on its products. You’d expect it to know how to bulletproof its products against hacker attacks. And yet, the EV maker failed miserably.

Sometimes, people prioritize convenience over security. It’s nice to make a payment just by waving your card, but if you lose it, anyone can do the same. The banks mitigated the problem by limiting the amount of money one could pay without entering the PIN. With cars, convenience can be a lot more costly. Keyless access allows unlocking the vehicle and starting the engine without taking the key out of your pocket. Still, with a relay attack, your car could be stolen in seconds.

Despite the company’s strong technological background, Tesla cars have proved vulnerable to such relay attacks. But a new vulnerability discovered in the keyless entry system has little to do with relay attacks. As security analysts discovered, it was introduced with an update last August that made it easier to start the car after unlocking it with the NFC key card. So, again, it’s a convenience-over-security problem.

Before the update, drivers who used their Tesla NFC key card had to place it on the center console to begin driving. With the update, Tesla introduced a 130-second window allowing drivers to operate the car immediately after unlocking it with the card, without requiring the card to be placed in the designated spot on the center console. But, according to security researcher Martin Herfurt, cited by arstechnica.com, the update also put the car into a state in which it accepts entirely new keys with no authentication required.

“This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient,” Herfurt explained in an online interview. “What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the enrolling of a new key.”
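The flaw Herfurt describes is an authorization-scope problem: one timer gates two very different privileges. The sketch below is an added illustration, not Tesla's code or part of the original article; the class, command names and the "fresh card tap" requirement for enrollment are assumptions chosen to contrast the reported behavior with a scoped policy.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional

WINDOW_SECONDS = 130  # post-unlock grace period reported in the article


class Command(Enum):
    DRIVE = auto()
    ENROLL_KEY = auto()


@dataclass
class Vehicle:
    """Toy authorization model (hypothetical names, not Tesla code)."""
    scoped: bool                      # False = flawed policy, True = scoped policy
    keys: set = field(default_factory=lambda: {"owner-card"})
    unlocked_at: Optional[float] = None

    def nfc_unlock(self, key_id: str, now: float) -> bool:
        """An enrolled card opens the car and starts the timer."""
        if key_id not in self.keys:
            return False
        self.unlocked_at = now
        return True

    def window_open(self, now: float) -> bool:
        return (self.unlocked_at is not None
                and 0 <= now - self.unlocked_at <= WINDOW_SECONDS)

    def handle(self, cmd: Command, now: float,
               new_key: Optional[str] = None, card_tapped: bool = False) -> bool:
        """Decide one request from an unpaired, unauthenticated sender."""
        if cmd is Command.DRIVE:
            return self.window_open(now)
        if cmd is Command.ENROLL_KEY and new_key:
            if self.scoped:
                # Assumed fix: enrolling needs its own fresh card tap.
                allowed = card_tapped
            else:
                # Flaw: the driving window also authorizes enrollment.
                allowed = self.window_open(now)
            if allowed:
                self.keys.add(new_key)
            return allowed
        return False
```

With `scoped=False`, any enrollment request that arrives inside the window succeeds; with `scoped=True`, the window still permits driving, but the key set changes only when the enrollment itself is accompanied by a card tap.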

The vulnerability is made possible by another problem with Bluetooth Low Energy (BLE): the Tesla exchanges messages with any BLE device nearby. To demonstrate the vulnerability, Herfurt built an app named Teslakee that speaks VCSec (Vehicle Controller Secondary), the language the official Tesla app uses to communicate with the car. The researcher showed how easily a thief can enroll their own key during the 130-second interval using the Teslakee app.

Unlike the Bluetooth stack used to connect the phone to play music in the car, VCSec works without needing the phone to be paired with the vehicle. All it takes is to be within range of the car during the crucial 130-second window after it has been unlocked with an NFC card. Herfurt even made a video of the attack in action. After enrolling his own key with the car, the thief can use it to unlock the car and drive off.

“The attack exploits Tesla’s way of handling the unlock process via NFC card,” explained Herfurt. “This works because Tesla’s authorization method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSEC messages to it. This would not work with the official app, but an app that is also able to speak the Tesla-specific BLE protocol… allows attackers to enroll keys for arbitrary vehicles. Teslakee will communicate with any vehicle if it is told to.”

So far, the analyst has successfully used the attack on the Tesla Model 3 and Model Y. He didn’t test the method on other Tesla models, but he thinks they are also vulnerable, because all of them use the native support for phone-as-a-key with BLE. This is not the first time Herfurt has uncovered Tesla vulnerabilities. Every time he did, Tesla remained silent, and he expects the same in this case.

About the author: Cristian Agatie