A flaw in Tesla car access devices allows hackers to create duplicate digital keys, provided they are there in the right place at the right time.
Tesla car hack scenarios are on the rise lately. Last May, NCC security researcher Sultan Qasim Khan showed that Bluetooth-based passive access devices were vulnerable to a relay attack. This concerns the PhoneKey mobile application and the contactless key provided by Tesla. A similar demonstration was performed more or less simultaneously by researcher Martin Herfurt.
You will tell me that this is nothing really new under the sun, because relay attacks on contactless keys have been revealed by researchers and used by hackers for years. The principle is always the same: a first hacker positions himself near the owner of the car, picks up the signal from his access device and transmits it to a second hacker who is next to the car. And hop, sesame, open up! There are technical processes which make it possible to counter this type of attack, but for the moment the manufacturers obviously consider that the risk is not very great and let it run.
But Martin Herfurt has just discovered a new attack, very specific to the firm of Elon Musk. Called “Timer Authorization Attack”, it is much more effective than a relay attack, because it allows the pirate to create his own key for the targeted car, and therefore to use it as he sees fit. The origin of the flaw is in the NFC access card, which is the third means of access to a Tesla.
Until last summer, you first had to hold the card close to the door frame to open the vehicle, then place the card on the middle console to start it. But an update from August 2021 changed this procedure. Now, all you have to do is open the vehicle and it is immediately ready to start for a certain period of time, in this case 130 seconds.
The problem is that this unlocking also comes with another privilege: the enrollment of a new Bluetooth access device. And as Martin Herfurt has seen, there is no need for any authentication to do this. In other words, when a driver enters a Tesla with his NFC card, any hacker within a few tens of meters around can generate a duplicate of the digital keys. What the researcher demonstrated in a YouTube video.
To perform this demonstration, the researcher used a mobile application that uses the same communication protocol as PhoneKey, but with malicious intent. This protocol is proprietary and is called VCSEC. The researcher has managed to analyze it down to the smallest detail by reverse engineering, which now allows him to carry out this type of application. It is therefore not within the reach of the first hacker to come.
For obvious ethical reasons, the researcher did not publish this malicious application on the Internet. But it is possible that other brilliant minds can create it, and if they are unscrupulous, they could market it in the forums. To avoid being tricked, it is recommended to protect the start of a Tesla with a secret code, thanks to the Pin2Drive option. In this case, even if the pirate has succeeded in creating a duplicate of the keys, all he can do is enter the cabin. In addition, it is advisable to regularly check the access devices authorized for the car, which helps to detect possible fraud.