Hacker clones Tesla key – and can use it to start the car

Unsafe e-car
“No hurdle for average criminals”: Hacker copies Tesla key unnoticed – and can use it to start the car

So far, the vulnerability has been demonstrated in the Tesla Model 3 and Model Y

The uncomplicated unlocking and starting of a Tesla is one of the most popular features of the electric car. A security vulnerability could now change that: it makes it possible to copy the car’s digital keys at close range – without the driver noticing anything.

It sounds like a scene from a spy movie: while a car owner unlocks the Tesla, a nearby hacker uses the opportunity to generate a key for the car himself, without the driver's knowledge. If the car is later parked somewhere, the hacker can unlock it and simply drive away.

This is exactly what the security expert Martin Herfurt from Austria managed to do. In a clip uploaded to YouTube, he explains how the attack works. It builds on the option, introduced with an update last year, to unlock the car with a so-called NFC card. Using the card not only unlocks the door and allows the car to be started for 130 seconds without any further prompt, it also allows new keys to be created during this period, as Herfurt discovered to his surprise. And nothing in the car alerts the driver that this has happened.

No hacking skills required for Tesla

The hurdle is not particularly high, Herfurt explained to stern. “If the vehicle to be attacked is unlocked or locked using an NFC KeyCard, then the attacker, who has to be in the vicinity of the vehicle, can enroll a key in the vehicle and use the vehicle.” All that is needed is knowledge of the vulnerability and a custom program that can connect to any Tesla; the original app only connects to your own car. You don’t necessarily need special hacking skills to use such an app, he emphasizes. “As soon as such software or special hardware is available on the black market, the already low complexity of the attack is no longer an obstacle, even for average criminals.”

Behind the attack is an inexplicable gap in the security of Tesla keys. Normally, keys can only be set up in the Tesla app, which checks whether the owner is really logged in. Surprisingly, this check does not appear to take place when the car is unlocked with the NFC card. Combined with the fact that the cars allow any Bluetooth device to connect via the Bluetooth LE standard during the 130 seconds, this becomes a security catastrophe: during this phase, the Teslas simply accept any key that is offered to them, even from outside the car.

What you should do

How many Tesla owners are actually at risk is difficult to say. Although everyone receives the NFC card with their purchase, automatically unlocking the car via smartphone when approaching (“Phone as a Key”, or PaaK for short) is by far the most popular option, and PaaK is not affected by this vulnerability. However, potential thieves could use a device that blocks Bluetooth connections, a so-called jammer, to prevent automatic unlocking and so force the owner to use the NFC card, Herfurt warns in the video. Using a start PIN provides security: it not only prevents the key from being created, but also prevents the car from being started if the key has already been copied. Herfurt also recommends regularly checking the keys created for the car in the app.

The expert has so far been able to demonstrate the vulnerability in the Tesla Model 3 and Model Y. However, since an update last year, newer S and X models also have the option of unlocking via NFC card. He suspects that they too may be affected. “Tesla is now obliged to fix these software vulnerabilities quickly,” believes Herfurt. Since the video was published, he has received messages saying that others had discovered the vulnerability months ago and reported it to Tesla. “It is to be hoped that Tesla has already used this time to fix the problems,” the expert told stern. So far, however, the company has not responded publicly.

Source: Video
