Once the driver had unlocked the car with the NFC card and climbed in, the thief began relaying messages between the weaponized Teslakee app and the car. Those messages enroll a key of the thief's choosing with the car before the driver even pulls away. From then on the thief can use that key to unlock, start and shut down the car, and nothing on the in-vehicle display or in the legitimate Tesla app indicates that anything is wrong.
Herfurt has successfully carried out the attack on the Tesla Model 3 and Model Y. He hasn't tested it on the refreshed Model S and Model X from 2021 onward, but he believes they're also vulnerable because they use the same native support for phone-as-a-key over BLE.
Tesla did not respond to emails seeking comment on this post.
Do you speak VCSEC?
The vulnerability stems from the NFC card playing a dual role: it not only unlocks a locked car and starts it, it also authorizes key management.
The attack exploits the way Tesla handles the unlock flow when an NFC card is used. A tap of the card puts the car into an authorized state for a short window (about 130 seconds, so the driver can start and drive off without tapping again), and within that window the car accepts not just a drive request but also a request to enroll a new key. In Herfurt's words, it works because Tesla's authorization method is broken: there is no connection between the online account world and the offline BLE world. Any attacker who can see a vehicle's Bluetooth LE advertisements can send it VCSEC messages. That isn't possible with the official app, but an app that speaks Tesla's own BLE protocol can enroll keys for arbitrary vehicles, and Teslakee will talk to any vehicle it is told to.
Herfurt created Teslakee as part of Project Tempa, which "provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app to control the vehicle via Bluetooth LE." Herfurt is also a member of the Trifinite Group, a research and hacker collective focused on BLE.
The attack is technically easy to pull off, but the logistics of staking out an unattended vehicle, waiting for (or forcing) the owner to unlock it with the NFC card, and then catching up with the car to steal it are cumbersome. That makes it impractical in many theft scenarios, though in some it appears to work.
With Tesla silent about the weakness, there is only so much an owner can do. One countermeasure is to enable PIN to Drive, which stops a thief who has enrolled a key this way from starting the vehicle but does not stop them from unlocking and entering it. Another is to periodically review the list of keys authorized to unlock and start the car, a list Tesla manages through a process it calls "whitelisting." Owners may want to perform that check after handing the NFC card to an untrusted mechanic or valet.
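The following is an added illustration of the authorization problem described above and of why the two countermeasures have different effects. It is a toy simulation written for this page, not Tesla firmware, not Teslakee and not the real VCSEC message format. The class and function names, the use of a 130-second window length and the "hardened" variant (a separate card tap required before the whitelist can change) are assumptions made for the example.

```python
"""Toy model of the NFC-unlock authorization window (added example; not Tesla's
code, not Teslakee, not the real VCSEC protocol). It models one policy question:
does a single card tap authorize only driving, or also whitelist changes that
arrive over BLE from any device in range?  Names and figures are assumptions."""

AUTH_WINDOW_SECONDS = 130.0  # assumed length of the post-unlock window


class Vehicle:
    def __init__(self, owner_card, *, separate_key_mgmt_auth=False, pin_to_drive=None):
        self.whitelist = {owner_card}                         # keys allowed to unlock/start
        self.separate_key_mgmt_auth = separate_key_mgmt_auth  # hardened design?
        self.pin_to_drive = pin_to_drive                      # models PIN to Drive
        self.drive_auth_until = 0.0                           # seconds; 0 = none
        self.key_mgmt_auth_until = 0.0
        self.locked = True

    def nfc_unlock(self, card, now):
        """Owner taps the card. Starts the authorization window."""
        if card not in self.whitelist:
            return False
        self.locked = False
        self.drive_auth_until = now + AUTH_WINDOW_SECONDS
        if not self.separate_key_mgmt_auth:
            # The flaw: the same tap silently authorizes key management too.
            self.key_mgmt_auth_until = now + AUTH_WINDOW_SECONDS
        return True

    def nfc_authorize_key_mgmt(self, card, now):
        """Hardened path: a deliberate, separate tap is needed to edit keys."""
        if card not in self.whitelist:
            return False
        self.key_mgmt_auth_until = now + AUTH_WINDOW_SECONDS
        return True

    def ble_enroll_key(self, new_key, now):
        """Whitelist-add request arriving over BLE from any device in range."""
        if now > self.key_mgmt_auth_until:
            return False
        self.whitelist.add(new_key)
        return True

    def ble_unlock(self, key):
        if key not in self.whitelist:
            return False
        self.locked = False
        return True

    def ble_start(self, key, pin=None):
        if key not in self.whitelist:
            return False
        if self.pin_to_drive is not None and pin != self.pin_to_drive:
            return False  # PIN to Drive blocks the start, not the unlock
        return True


def simulate_theft(*, hardened=False, pin_to_drive=None, delay=5.0):
    """Replay the sequence from the article and report what the thief ends up with.

    delay: seconds between the owner's card tap and the attacker's BLE
    enrollment message. Returns dict(enrolled, can_unlock, can_start).
    """
    car = Vehicle("owner-card", separate_key_mgmt_auth=hardened,
                  pin_to_drive=pin_to_drive)
    car.nfc_unlock("owner-card", now=0.0)                  # victim unlocks
    enrolled = car.ble_enroll_key("thief-key", now=delay)  # attacker enrolls
    car.locked = True                                      # owner locks up later
    return {
        "enrolled": enrolled,
        "can_unlock": car.ble_unlock("thief-key"),
        "can_start": car.ble_start("thief-key"),           # thief has no PIN
    }


def unexpected_keys(car, known_keys):
    """The owner's periodic whitelist review: anything unrecognised is suspect."""
    return sorted(car.whitelist - set(known_keys))


if __name__ == "__main__":
    print("vulnerable  :", simulate_theft())
    print("PIN to Drive:", simulate_theft(pin_to_drive="1234"))
    print("hardened    :", simulate_theft(hardened=True))
    print("window over :", simulate_theft(delay=AUTH_WINDOW_SECONDS + 1))
```

Running it shows the three outcomes the text describes: in the vulnerable design the thief's key is enrolled and can both unlock and start the car; with PIN to Drive the key is still enrolled and still unlocks the car but cannot start it; only scoping the card tap to driving (and requiring a separate, deliberate authorization for whitelist changes) stops the enrollment itself. `unexpected_keys` is the programmatic form of the manual whitelist review the article recommends.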
“My impression is that they always already know and don’t really change things,” he said. “This time, there’s no way Tesla didn’t know about this poor execution. So to me, it doesn’t make sense to talk to Tesla beforehand.”
This story originally appeared in Ars Technica.