Tesla prides itself on its cybersecurity protections, especially its elaborate defense system that protects its cars from conventional attacks on remote unlocking systems. But now a researcher has discovered a sophisticated relay attack that would allow someone with physical access to a Tesla Model Y to unlock and steal it in seconds.
The vulnerability, discovered by Josep Pi Rodriguez, principal security consultant at IOActive, involves what is known as an NFC relay attack and requires two thieves working in tandem. One thief must be near the car and the other near the car owner, who has an NFC key card or a cell phone with a Tesla virtual key in a pocket or purse.
Near Field Communication key cards allow Tesla owners to unlock their vehicles and start them by tapping the card against an NFC reader built into the driver’s side door pillar. Owners can also use a key fob or a virtual key on their mobile phone to unlock the car, but the owner’s manual advises them to always carry the NFC key card as a backup in case they lose the key fob or phone, or in case the phone battery runs out.
In Rodriguez’s scenario, attackers can steal a Tesla Model Y as long as one of them can get within about two inches of the owner’s NFC card or of a cellphone carrying a Tesla virtual key, for example while it sits in the owner’s pocket or purse as they walk down the street, stand in line at Starbucks or sit in a restaurant.
The first thief uses a Proxmark RDV4.0 device to initiate communication with the NFC reader in the driver’s side door pillar. The car responds with a challenge that the owner’s NFC card is supposed to answer. In the attack, the Proxmark relays the challenge via Wi-Fi or Bluetooth to a cell phone held by the accomplice, who holds it near the owner’s pocket or purse so that it can communicate with the key card. The key card’s response is relayed back to the Proxmark, which passes it to the car. The car accepts the response as the legitimate key card’s and unlocks.
Although relaying over Wi-Fi or Bluetooth limits the distance between the two accomplices, Rodriguez says the attack can be carried out over Bluetooth with the accomplices several meters apart, and even further over Wi-Fi by using a Raspberry Pi to relay the signals. He believes it may also be possible to carry out the attack over the internet, allowing an even greater distance between the two accomplices.
If the second accomplice needs time to get close to the owner, the car will keep sending the challenge until it gets a response. Alternatively, the Proxmark can send the car a message saying it needs more time to produce the response to the challenge.
Until last year, drivers who used the NFC card to unlock their Tesla had to place the NFC card on the console between the front seats in order to shift it into gear and drive. But a software update last year eliminated that extra step. Now drivers can operate the car by simply pressing the brake pedal within two minutes of unlocking the car.
The attack Rodriguez engineered can be avoided if car owners activate the PIN-to-drive feature in their Tesla vehicle, requiring them to enter a PIN code before they can drive the car. But Rodriguez expects many owners won’t enable this feature and may not even know it exists. And even with this option enabled, thieves could still unlock the car to steal valuables.
There’s a catch to the operation: once the thieves turn the car off, they won’t be able to start it again without the owner’s NFC key card. Rodriguez says they can add a new NFC key card to the vehicle that would let them operate the car at will. But adding a key requires authenticating again, which means a second relay attack: once the first accomplice is inside the car after the first relay, the second accomplice must again get close to the owner’s key card and repeat the relay, so that the first accomplice can authenticate to the vehicle and enroll a new key card.
If the attackers are not interested in continuing to drive the vehicle, they could also simply dismantle the car for parts, as has happened in Europe. Rodriguez says eliminating the relay problem he found would not be a simple task for Tesla.
“Fixing this problem is really difficult without changing the hardware of the car – in this case, the NFC reader and the software that is in the vehicle,” he says.
But he says the company could implement some changes to mitigate it, such as reducing the time the NFC card may take to respond to the NFC reader in the car.
“Communication between the first attacker and the second attacker only takes two seconds [right now], but it’s a lot of time,” he notes. “If you only have half a second or less to do it, it would be really difficult.”
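The exchange described above, and the timing mitigation Rodriguez proposes, can be illustrated with a short simulation. This is an added example, not code from Rodriguez, IOActive or Tesla, and it does not reproduce Tesla’s actual protocol or any Proxmark command: the HMAC-based challenge-response, the 5 ms card response time, the link latencies, and the “need more time” extension mechanism are all assumptions chosen to show the mechanics. The relay succeeds whenever the car’s window for a response (including any extensions it grants) is wider than the relay’s round-trip time; shrinking that window to half a second defeats the slower link but, as the last scenario shows, not a fast one.

```python
"""Toy model of an NFC challenge-response unlock and a two-device relay.

Constructed illustration only. The card answers the reader's challenge with
an HMAC under a secret shared with the car; the relay forwards the challenge
to the card and the response back, adding link latency in each direction.
The reader's defence is a deadline on the response, optionally stretched by
a bounded number of "I need more time" extensions requested by the card side.
"""
import hashlib
import hmac
import math
import secrets

# Constructed sample key shared by the car and its key card (not a real key).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_COMPUTE_MS = 5.0  # assumed time a real card needs to answer a challenge


def card_response(key: bytes, challenge: bytes) -> bytes:
    """Key card side: prove possession of the key by MACing the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class CarReader:
    """Reader side: random challenge, bounded waiting-time extensions, and a
    check that the correct response also arrived inside the allowed window."""

    def __init__(self, key: bytes, frame_wait_ms: float, max_extensions: int):
        self.key = key
        self.frame_wait_ms = frame_wait_ms      # base window for a response
        self.max_extensions = max_extensions    # how many extra windows we grant

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def allowed_ms(self, extensions_requested: int) -> float:
        granted = min(extensions_requested, self.max_extensions)
        return self.frame_wait_ms * (1 + granted)

    def verify(self, challenge: bytes, response: bytes,
               elapsed_ms: float, extensions_requested: int = 0) -> bool:
        if elapsed_ms > self.allowed_ms(extensions_requested):
            return False  # too slow: refuse even a correct answer
        expected = card_response(self.key, challenge)
        return hmac.compare_digest(expected, response)


def attempt_unlock(reader: CarReader, card_key: bytes,
                   one_way_relay_ms: float = 0.0) -> bool:
    """One tap. one_way_relay_ms=0 is the owner tapping the real card;
    a positive value models the relay (challenge out, response back)."""
    challenge = reader.challenge()
    response = card_response(card_key, challenge)
    elapsed = CARD_COMPUTE_MS + 2 * one_way_relay_ms
    # The relay requests as many extensions as it needs to cover its latency.
    needed = max(0, math.ceil(elapsed / reader.frame_wait_ms) - 1)
    return reader.verify(challenge, response, elapsed, extensions_requested=needed)


if __name__ == "__main__":
    # Lenient: 500 ms window plus up to three extensions, i.e. two seconds.
    lenient = CarReader(CARD_KEY, frame_wait_ms=500.0, max_extensions=3)
    # Strict: half a second, no extensions, as the researcher suggests.
    strict = CarReader(CARD_KEY, frame_wait_ms=500.0, max_extensions=0)
    for name, reader in (("lenient", lenient), ("strict", strict)):
        print(name, "owner tap:      ", attempt_unlock(reader, CARD_KEY))
        print(name, "slow relay 400ms:", attempt_unlock(reader, CARD_KEY, 400.0))
        print(name, "fast relay 60ms: ", attempt_unlock(reader, CARD_KEY, 60.0))
        print(name, "wrong key:       ", attempt_unlock(reader, bytes(16)))
```

The 400 ms and 60 ms one-way figures stand in for a slow Bluetooth hop and a fast local link respectively; they are assumed, not measured. The point of the last scenario is the caveat a practitioner would want: a tighter response deadline raises the bar for the relay but does not close it, which is why the researcher calls it a mitigation rather than a fix.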
Rodriguez, however, says the company downplayed the problem when he reported it, pointing to the PIN-to-drive feature as the mitigation. That feature requires the driver to enter a four-digit PIN on the car’s touchscreen before the vehicle can be driven. It is not clear whether a thief could simply try to guess the PIN; Tesla’s owner’s manual doesn’t say whether the car locks out a driver after a certain number of failed attempts.
Tesla did not respond to a request for comment from The Verge.
This isn’t the first time researchers have found ways to unlock and steal Tesla vehicles. Earlier this year, another researcher found a way to start a car with an unauthorized virtual key, but the attack requires the attacker to be nearby while an owner unlocks the car. Other researchers have shown an attack on Tesla vehicles involving a key fob relay attack that intercepts and then replays the communication between the owner’s key fob and the vehicle.
Rodriguez says that despite the vulnerabilities found in Tesla vehicles, he thinks the company has a better security record than other manufacturers.
“Tesla takes security seriously, but because its cars are much more technologically advanced than other manufacturers’, this increases their attack surface and opens windows for attackers to find vulnerabilities,” he notes. “That said, for me, Tesla vehicles have a good level of security compared to other manufacturers that are even less technological.”
He adds that the NFC relay attack is also possible in vehicles made by other manufacturers, but “these vehicles do not have PIN-to-drive mitigation”.