A security researcher has found a hole in Tesla's security system which allows him to not only unlock a Tesla, but drive away in it without ever having to touch a key.
In a video shared with Reuters, Sultan Qasim Khan, a researcher from the NCC Group, a cybersecurity firm, demonstrates this by accessing a 2021 Tesla Model Y. He said that it also works on a 2020 Tesla Model 3.
Khan uses a relay device attached to a laptop to wirelessly bridge a gap between the car and the car owner's phone. This tricks the vehicle into thinking that the phone is within range of the vehicle when in actual fact it could be hundreds of metres or even kilometres away.
The hack is nothing we haven't seen before.
Cars that use key fobs with rolling code authentication are susceptible to relay attacks similar to the one Khan is using. With a traditional key fob, the range of the vehicle's passive keyless entry can be extended by forwarding its probing signals to a second device within range of the actual key. But this time, a Bluetooth Low Energy (BLE)-based attack can be operated by thieves by placing a small internet-connected relay somewhere an owner is bound to go, like a cafe. Once the unsuspecting owner is in range of the relay, it only takes seconds (10 seconds, according to Khan) for the thief to drive off with the car.
But this new attack is much easier as it simply uses a range extension to trick the Tesla into thinking that a phone or key fob is within range. This particular attack uses either the victim's phone or Tesla's BLE-enabled key fobs, which use the same communication technology as the phone.
The attack takes advantage of a vulnerability in the BLE protocol, which Tesla uses for both its phone-as-a-key and key fobs for the Model 3 and Model Y. So, while Teslas are vulnerable to this type of attack, they aren't the only cars that could be targeted.
Things like residential smart locks, or other devices that use BLE as a method to detect device proximity (something that NCC says the protocol was never designed to do) are also affected.
"In effect, systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," the NCC Group said in a statement to Reuters.
"This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved."
Any vehicle that uses BLE for a phone-as-a-key could be vulnerable to this type of attack. But in 2018, Tesla introduced a feature called "PIN-to-drive" which, if enabled, acts as a multifactor layer of security to prevent theft. It would mean that even if the thief gets into the car, they would still need to know the owner's PIN to start the engine.
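The two ideas the article rests on, that a relay leaves the BLE exchange cryptographically intact while making distance invisible to the car, and that PIN-to-drive blocks the drive-away even after a successful unlock, are easier to see in a toy model. The following is an added illustration written for this page, not NCC Group's research code or anything from Tesla; the challenge-response scheme, the shared key, the `RelayLink`/`DirectLink` classes and the PIN value are all constructed assumptions, and no real BLE traffic is involved.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample secret shared by car and phone (an assumption of this model).
SHARED_KEY = b"constructed-demo-key-not-a-real-vehicle-key"


class Phone:
    """Phone-as-a-key: answers the car's random challenge with a keyed MAC."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class DirectLink:
    """Phone physically next to the car; frames travel straight between them."""

    def __init__(self, phone: Phone):
        self.phone = phone

    def send(self, challenge: bytes) -> bytes:
        return self.phone.respond(challenge)


class RelayLink:
    """Two relay boxes bridge the car and a far-away phone, forwarding bytes unchanged.

    The relay never learns the key and never alters a frame; it only changes
    where the frames travel, which is exactly the property the car never checks.
    """

    def __init__(self, phone: Phone, distance_m: float):
        self.phone = phone
        self.distance_m = distance_m
        self.frames_forwarded = 0

    def send(self, challenge: bytes) -> bytes:
        self.frames_forwarded += 2  # one hop out to the phone, one hop back
        return self.phone.respond(challenge)


class Car:
    """Car that treats 'a valid key answered over BLE' as 'the key is nearby'."""

    def __init__(self, key: bytes, pin_to_drive: Optional[str] = None):
        self.key = key
        self.pin_to_drive = pin_to_drive
        self.unlocked = False
        self.driving = False

    def try_unlock(self, link) -> bool:
        challenge = secrets.token_bytes(16)
        response = link.send(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        # Cryptographically sound: only the real phone can produce this answer.
        # It proves the phone is reachable, not that it is close, so a relayed
        # answer passes exactly like a direct one.
        self.unlocked = hmac.compare_digest(response, expected)
        return self.unlocked

    def try_drive(self, pin: Optional[str] = None) -> bool:
        if not self.unlocked:
            return False
        # PIN-to-drive: a second factor the relay cannot forward, because the
        # owner never transmits it and the person in the seat has to type it.
        if self.pin_to_drive is not None and pin != self.pin_to_drive:
            return False
        self.driving = True
        return True


def scenario(pin_to_drive: Optional[str], relay_distance_m: float,
             pin_typed: Optional[str] = None) -> dict:
    """Run one unlock-and-drive attempt through a relay and report what happened."""
    phone = Phone(SHARED_KEY)
    car = Car(SHARED_KEY, pin_to_drive)
    link = RelayLink(phone, relay_distance_m)
    unlocked = car.try_unlock(link)
    drove = car.try_drive(pin_typed)
    return {"unlocked": unlocked, "drove_away": drove,
            "phone_distance_m": link.distance_m,
            "frames_forwarded": link.frames_forwarded}


if __name__ == "__main__":
    print("direct link:", Car(SHARED_KEY).try_unlock(DirectLink(Phone(SHARED_KEY))))
    print("relay, PIN-to-drive off:", scenario(None, 500.0))
    print("relay, PIN-to-drive on: ", scenario("2468", 500.0))
```

Running it shows the unlock succeeding identically over the direct link and over a relay with the phone modelled 500 metres away, which is the point NCC makes about BLE being used for a purpose it was not designed for: the protocol authenticates the key, and the car reads that as proximity. The only branch that separates the two outcomes is the PIN check, the owner-side factor the article describes.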