When the driver entered the vehicle after unlocking it with the NFC tag, the thief began exchanging messages between the weaponized Teslakee and the vehicle. Before the driver drives away, those messages enroll a key chosen by the thief with the vehicle. From there, the thief can use that key to unlock, start, and shut down the car. There’s no indication from the in-car display or the legitimate Tesla app that anything is amiss.
Herfurt has successfully used the attack on Tesla Models 3 and Y. He hasn’t tested the method on the new facelifted S and X models of 2021 or later, but he thinks they’re also vulnerable because they use the same native support for phone-as-a-key with BLE.
Tesla did not respond to an email seeking comment for this post.
The vulnerability is the result of the dual roles performed by NFC tags. It doesn’t just open a locked car and start it; it is also used to delegate key management.
The attack exploits how Tesla handles unlocking via NFC tags. This works because Tesla’s authorization method is broken: there is no connection between the online account world and the offline BLE world. Any attacker who can see a vehicle’s Bluetooth LE advertisement can send VCSEC messages to it. This won’t work with the official app, but an app could also use the Tesla-specific BLE protocol… allowing attackers to register keys for arbitrary vehicles. Teslakee will talk to any vehicle it is told to.
Herfurt created Teslakee as part of Project Tempa, which “provides tools and information about the VCSEC protocol used by Tesla accessories and Tesla apps to control vehicles via Bluetooth LE.” Herfurt is a member of Trifinite Group, a research and hacker group focused on BLE.
Technically, the attack is easy to carry out, but the mechanics of finding an unattended vehicle, waiting for or forcing the owner to unlock it with an NFC tag, and then catching up with the vehicle and stealing it can be cumbersome. This method may seem impractical in many cases of theft, but for some it seems doable.
With Tesla maintaining radio silence on this weakness, there’s only so much the owners involved can do. One countermeasure is to set up Pin2Drive to prevent thieves using this method from starting the car, but it will do nothing to prevent thieves from being able to get into the car when the car is locked. Another safeguard is to regularly check the list of keys that are allowed to unlock and start the vehicle through a process Tesla calls “whitelisting”. Tesla owners may want to perform this check after giving the NFC tag to an untrusted mechanic or valet.
Based on the lack of response Herfurt said he received from Tesla about vulnerabilities he discovered in 2019 and again last year, he isn’t holding his breath that the company will fix the problem.
“My impression is that they always know ahead and won’t really change things,” he said. “This time around, there’s no reason Tesla wouldn’t know about that poor implementation. So it didn’t make any sense to me to talk to Tesla before then.”
This story originally appeared on Ars Technica.