New Tesla Hack Lets Thieves Unlock and Steal Cars in 10 Seconds

A security researcher successfully exploited a vulnerability that allowed them to not only unlock a Tesla, but also drive away without having to touch one of the car’s keys.

How was the Tesla hacked?

In a video shared with Reuters, Sultan Qasim Khan, a researcher at cyber security firm NCC Group, demonstrates the attack on a 2021 Tesla Model Y. NCC Group’s public disclosure also states that the attack was successful on a 2020 Tesla Model 3. Using a relay device attached to a laptop, the attacker can wirelessly close the gap between the victim’s car and phone, tricking the vehicle into thinking the phone is within range when it could be hundreds of feet (or even miles) away.

A hack based on Bluetooth Low Energy

If this attack method sounds familiar to you, it should. Cars using fobs with rolling code authentication are susceptible to relay attacks similar to the one Khan used against the Tesla. With a traditional key fob, a couple of crooks extend the vehicle’s keyless entry passive polling signals to a second device within range of the actual key. However, this Bluetooth Low Energy (BLE) based attack can be operated by a couple of thieves or by someone who places a small relay connected to the Internet somewhere the owner needs to go, like a coffee shop. Once the unsuspecting owner is within range of the relay, it only takes a few seconds (10 seconds, according to Khan) for the bad actor to drive away.

We have seen relay attacks used before in many carjackings across the country. This new attack vector similarly uses range extension to trick the Tesla vehicle into thinking a phone or key fob is in range. However, instead of using a traditional vehicle key fob, this particular attack targets the victim’s cell phone or Tesla’s BLE-enabled key fobs, which use the same communication technology as the phone.

Tesla Model Y. / Photo: Courtesy Tesla.

Tesla cars are vulnerable to this type of proximity technology

The specific attack carried out stems from an inherent vulnerability in the BLE protocol, which Tesla uses for its phone-as-a-key feature and its key fobs for Model 3 and Model Y. This means that while Teslas are vulnerable to this attack vector, they are far from the only target. Residential smart locks, or just about any connected device that uses BLE as a method of detecting device proximity (something the protocol was never designed to do, according to NCC), are also affected.

“In effect, the systems that people rely on to protect their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken by inexpensive off-the-shelf hardware,” NCC Group said in a statement. “This research illustrates the danger of using technologies for reasons other than intended, especially when it comes to security issues.”

Other brands such as Ford and Lincoln, BMW, Kia and Hyundai could also suffer from these hacking attacks.

Perhaps even more problematic is that this is an attack on a communication protocol rather than a specific flaw in the vehicle’s operating system. Any car that uses BLE for a phone-as-a-key feature (such as some Ford and Lincoln vehicles) is likely to be susceptible to attack. Theoretically, this type of attack may also be successful against companies that use Near-Field Communication (NFC) for their phone-as-a-key feature, such as BMW, Hyundai, and Kia, although it has not yet been demonstrated, and the hardware and the attack vector would have to be different to perform such an attack over NFC.

Tesla Model 3. / Photo: Courtesy Tesla.

Tesla has the advantage of PIN-to-drive

Tesla introduced a feature called “PIN-to-drive” in 2018 that, if enabled, acts as a multi-factor security layer to prevent theft. So even if this attack were to be carried out on an unsuspecting victim in the wild, the attacker would still need to know the vehicle’s unique PIN to drive away with the vehicle.

