autoevolution
 

Jailbreaking Your Tesla Can Get You Free FSD Beta and Other Perks in the Name of Science

Tesla FSD Beta could be enabled for free using a simple hack
Photo: Tesla
Tesla software is considered one of the most secure and light years ahead of what other carmakers install in their vehicles. Still, researchers found out that it's not impenetrable. A jailbreaking method known as a voltage-glitching attack allows tech-savvy users to activate FSD Beta, heated seats, and other paid features.
People who owned earlier generations of iPhones are familiar with the term jailbreaking. Since iOS was rather limited in features at the time, and the iPhone was also available only on the AT&T network, people wanted to circumvent software protection to modify the firmware. The process, known as jailbreaking, involved exploiting known software vulnerabilities to run code that would've been impossible otherwise. Later, the jailbreaking term was also used for other devices, including PlayStations, iPads, Amazon Firesticks, and Roku streamers.

Although Tesla software is considered a hard nut to crack, it's far from bulletproof. During the 2023 Pwn2Own hacking contest, white-hat hackers gained complete control of the infotainment system using a vulnerability in the Bluetooth system. It was the first time Tesla's security was compromised in such a way, but it would not be the last. Researchers from Technical University Berlin managed to gain root access to the MCU-Z (AMD-based) infotainment system of Tesla EVs. This grants complete control over the operating system, activating or disabling features at will.

The team exploited a known voltage-glitching vulnerability in the Infotainment ECU (ICE) board. This allowed them to bypass the AMD Secure Processor (ASP), which acts as a Trusted Platform Module (TPM) for Tesla. Researchers could gain root access to the operating system and run arbitrary code on the MCU-Z. To demonstrate their achievement, they enabled paid features such as FSD Beta, Acceleration Boost, and heated seats.

They could do even more than that, breaking geolocation restrictions on navigation and FSD Beta. This means you could enable FSD Beta in Europe or any other country where it is not available. Interestingly, jailbreaking a Tesla doesn't require advanced tools, and anyone with some technical know-how could do it.

"Currently, our attack can be applied by people with some electronic engineering background, a soldering iron, and the ability to purchase additional hardware for about $100. We recommend using a Teensy 4.0 Development board for the voltage glitching that is readily usable with our open-sourced attack firmware. An SPI flash programmer is required, and a logic analyzer can greatly help to debug the overall attack," Ph.D. student Christian Werling told DarkReading, as Drive Tesla reported.

Although many will focus on the possibility of accessing paywalled goodies without proper authorization, the vulnerability can also be used for more nefarious purposes. Among other things, it allows attackers to decrypt the file system and access private user data. Their method of breaking Tesla's security is difficult to prevent, as it would require upgrading the CPUs. Root permission gained this way also survives reboots and updates, making it virtually irrevocable.

Despite this breakthrough, security researchers praise Tesla's security, which is more advanced than most other carmakers. Their findings will be presented next week at Black Hat USA in Las Vegas under the title "Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater." It's unclear whether the team informed Tesla of this vulnerability. Still, considering Tesla's love affair with the hacking community, they most probably did.
About the author: Cristian Agatie

After his childhood dream of becoming a "tractor operator" didn't pan out, Cristian turned to journalism, first in print and later moving to online media. His top interests are electric vehicles and new energy solutions.