Security Hole in Tesla NFC Keys

Security Hole in Tesla NFC Keys

Tesla released an upgrade last year that made it simpler to start the cars after using the NFC key cards to unlock them. It has now been discovered that this feature can be used to steal cars. For many years, Tesla NFC key card users had to put the card on the center console before they could start their cars. But after the new change, drivers could immediately start their vehicles after using the card to unlock them. There are three ways to unlock a Tesla; the other two are a key fob and a mobile app.

An Austrian security researcher found a defect that not only put the car in a situation to accept completely fresh keys without any authentication needed and without any notice from the in-car display, but also allowed the car to start automatically after 130 seconds of being unlocked with the NFC card. In order to make utilizing the NFC card as the primary method of using the car more convenient, Tesla has implemented this timer. The car should be able to be started and driven without requiring the user to use the key card again. However, during the 130-second window, both driving and enrolling new students are permitted.


The Teslakee Hacker App

Despite the fact that the official Tesla phone app prevents keys from being registered unless they are linked to the owner's account, the car happily communicates with any Bluetooth Low Energy, or BLE, device that is in close proximity. In order to connect with Tesla cars, the security researcher created his own program, called Teslakee, that speaks VCSec, the same language as the official Tesla app.

Teslakee's malicious version, created as a proof-of-concept, demonstrates how simple it is for thieves to covertly enroll their own key during the 130-second window. The attacker exchanges VCSec communications that enrolls the new key via the Teslakee app. All that is needed to unlock a car with an NFC card is to be in close proximity to it for the key 130-second timeframe. The thief can force the usage of the NFC card by employing a signal jammer to block the BLE frequency used by Tesla's phone-as-a-key app, which is by far the most popular way for Tesla owners to unlock their vehicles.

The bandit starts sending messages to the weaponized Teslakee as the driver gets into the vehicle after using an NFC card to unlock it. The communications enroll a key of the thief's choice with the automobile even before the driver has left. The criminal might then utilize the key to operate the vehicle and the Tesla owner's will be none the wiser.

The attack on the Tesla Models 3 and Y was successful because of the app. The NFC card's dual functions have led to the vulnerability. It is used to authorize key management in addition to starting a locked automobile and opening it.

The way Tesla handles the NFC card unlocking process is exploited by the attack. Tesla's method of permission is flawed, thus this works. The offline BLE world and the online account world are not connected. Any attacker who has access to a vehicle's Bluetooth LE ads can communicate with it using VCSEC messages. Attackers can enroll keys for any vehicle using an app that can speak the Tesla-specific BLE protocol, which would not be possible with the official app. If instructed to do so, Teslakee will communicate with any vehicle. Project Tempa, which provides tools and information regarding the VCSEC protocol used by Tesla accessories and the Tesla app in order to manage automobiles over Bluetooth, and that’s what led to building Teslakee.


How big is the risk?

Technically speaking, it's not difficult to execute the attack, but the logistics of scoping out an unattended automobile, waiting for or coercing the owner to use an NFC card to unlock it, then catching up to the car and stealing it can be challenging. Even though this approach is unlikely to be useful in many stealing cases, it does appear to work in some.