Tesla prides itself on its cybersecurity protections, particularly the sophisticated challenge system that protects its cars from traditional methods of attacking the remote unlocking system. But now a researcher has discovered a sophisticated relay attack that would allow someone with physical access to a Tesla Model Y to unlock and steal it within seconds.
Discovered by Josep Rodriguez, IOActive’s chief security advisor, the vulnerability involves a so-called NFC relay attack and requires the cooperation of two thieves. One thief must be near the car and the other near the car owner who has an NFC key card or cell phone with a Tesla Virtual Key in their pocket or purse.
Near-field communication key cards allow Tesla owners to unlock their vehicles and start the engine by tapping the card against an NFC reader embedded in the vehicle’s body on the driver’s side. Owners can also use a fob or virtual key on their cell phone to unlock their car, but the car manual advises them to always carry the NFC key card as a backup in case they lose the fob or phone, or the phone’s battery is dead.
In Rodriguez’s scenario, attackers can steal a Tesla Model Y as long as they can get within about two inches of the owner’s NFC card or cell phone with a Tesla Virtual Key on it—for example, in another person’s pocket or purse as they walk down the street, stand in line at Starbucks, or sit at a restaurant.
The first hacker uses a Proxmark RDV4.0 device to initiate communication with the NFC reader in the driver’s side door pillar. The car responds with a challenge that the owner’s NFC card is expected to answer. In the hack scenario, the Proxmark device instead transmits the challenge via Wi-Fi or Bluetooth to the accomplice’s cell phone; the accomplice holds the phone near the owner’s pocket or purse so it can communicate with the key card. The key card’s response is sent back to the Proxmark device, which transmits it to the car; the car accepts the valid response, authenticates the thief, and unlocks.
Although relaying over Wi-Fi or Bluetooth limits how far apart the two accomplices can be, Rodriguez says the attack works over Bluetooth with the two several feet apart, or from even farther away using Wi-Fi on a Raspberry Pi to forward the signals. He believes it could also be possible to carry out the attack over the internet, allowing an even greater distance between the two accomplices.
If it takes a long time for the second accomplice to get close to the owner, the car will continue to send a challenge until it receives an answer. Or the Proxmark can send a message to the car that it needs more time to produce the challenge response.
Until last year, drivers who wanted to unlock their Tesla with the NFC card had to place the NFC card on the console between the front seats to put them into gear and drive off. But a software update last year eliminated that extra step. Now drivers can operate the car by simply stepping on the brake pedal within two minutes of unlocking the car.
Rodriguez’s attack can be prevented if car owners enable the PIN-to-drive feature in their Tesla vehicle, which prompts them to enter a PIN before they can operate the car. However, Rodriguez expects that many owners will not activate this feature and may not even know it exists. And even with this enabled, thieves could still unlock the car to steal valuables.
There’s a catch to the operation: once the thieves turn off the engine, they can’t start the car with this original NFC key card. Rodriguez says they can add a new NFC key card to the vehicle, which they can use to operate the car as they please. However, this requires a second relay attack to add the new key, meaning that once the first accomplice is in the car after the first relay attack, the second accomplice must again get close to the owner’s NFC key card to repeat the relay attack, which would allow the first accomplice to authenticate to the vehicle and add a new keycard.
If the attackers have no interest in continuing to drive the vehicle, they could simply disassemble the car, as has been done in Europe. Rodriguez says that fixing the relay problem he found would not be an easy task for Tesla.
“Fixing this problem is really difficult without changing the car’s hardware — in this case, the NFC reader and the software in the car,” he says.
However, he says the company could make some changes to mitigate this — like reducing the time it takes for the NFC card to respond to the NFC reader in the car.
“Communication between the first attacker and the second attacker takes only two seconds [right now], but that’s a lot of time,” he notes. “If you only have half a second or less to do that, it would be really hard.”
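The following simulation is an added illustration, not code from the article, from IOActive, or from Tesla. It models the challenge-response exchange described above with a simplified HMAC scheme (an assumption; the real card protocol is not described on the page) and shows two things a defender should take from the story: a relay forwards a perfectly valid response, so the cryptography alone cannot reject it, and a response-time deadline of the kind Rodriguez suggests can. The card secret and latencies are constructed values.

```python
import hmac
import hashlib
import os
from typing import Callable, Optional, Tuple

# Constructed sample secret; the HMAC-over-challenge scheme is a stand-in,
# not the actual Tesla key card protocol.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# A channel takes the car's challenge and returns (response, elapsed_seconds).
Channel = Callable[[bytes], Tuple[bytes, float]]

def card_respond(secret: bytes, challenge: bytes) -> bytes:
    """The key card's half of the exchange: a keyed MAC over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def direct_tap(secret: bytes, card_latency_s: float = 0.05) -> Channel:
    """Owner taps the card on the reader: only the card's own processing time."""
    def channel(challenge: bytes) -> Tuple[bytes, float]:
        return card_respond(secret, challenge), card_latency_s
    return channel

def relayed_tap(secret: bytes, link_latency_s: float = 2.0, card_latency_s: float = 0.05) -> Channel:
    """Relay: challenge and response cross a side link unchanged, so the bits are
    identical to a real tap; only the round trip grows (the article cites ~2 s)."""
    def channel(challenge: bytes) -> Tuple[bytes, float]:
        return card_respond(secret, challenge), card_latency_s + link_latency_s
    return channel

def car_authenticate(secret: bytes, channel: Channel, max_response_s: Optional[float] = None) -> str:
    """Car side: fresh random challenge, verify the MAC, then enforce the deadline if set."""
    challenge = os.urandom(16)
    response, elapsed = channel(challenge)
    if not hmac.compare_digest(response, card_respond(secret, challenge)):
        return "rejected: bad response"
    if max_response_s is not None and elapsed > max_response_s:
        return f"rejected: response took {elapsed:.2f}s, limit {max_response_s:.2f}s"
    return "unlocked"

def run_scenarios() -> dict:
    """Compare the legitimate tap, the relay, and a forged card with and without a deadline."""
    forged = bytes(16)  # constructed wrong secret
    return {
        "direct, no deadline": car_authenticate(CARD_SECRET, direct_tap(CARD_SECRET)),
        "relay, no deadline": car_authenticate(CARD_SECRET, relayed_tap(CARD_SECRET)),
        "relay, 0.5s deadline": car_authenticate(CARD_SECRET, relayed_tap(CARD_SECRET), 0.5),
        "direct, 0.5s deadline": car_authenticate(CARD_SECRET, direct_tap(CARD_SECRET), 0.5),
        "forged card, no deadline": car_authenticate(CARD_SECRET, direct_tap(forged)),
    }
```

The deadline only helps if it is shorter than the relay's round trip; a link faster than the limit would still pass, which is why Rodriguez frames the mitigation in terms of shrinking the window to half a second or less.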
However, Rodriguez says the company downplayed the issue to him when he contacted them, noting that the PIN-to-Drive feature would mitigate it. With that feature enabled, a driver must enter a four-digit PIN into the car’s touchscreen in order to operate the vehicle. It’s not clear whether a thief could simply try to guess the PIN. Tesla’s owner’s manual doesn’t specify whether the car will lock out a driver after a certain number of failed PIN attempts.
Tesla did not respond to a request for comment from The edge.
It’s not the first time researchers have found ways to unlock and steal Tesla vehicles. Earlier this year, another researcher found a way to start a car using an unauthorized virtual key, but the attack requires the attacker to be nearby while an owner unlocks the car. Other researchers demonstrated an attack on Tesla vehicles that involved a key fob relay attack that intercepts and then replays communications between an owner’s key fob and the vehicle.
Rodriguez says that despite the vulnerabilities discovered in Tesla vehicles, he believes the company has a better security track record than other automakers.
“Tesla takes security seriously, but because their cars are much more technological than other manufacturers, it increases their attack surface and opens windows for attackers to find vulnerabilities,” he notes. “Nevertheless, for me, Tesla vehicles have a good level of safety compared to other manufacturers, which are even less technological.”
He adds that the NFC relay attack is also possible in vehicles from other manufacturers, but “these vehicles don’t have PIN-to-Drive mitigation.”