Tesla Hack Could Allow Car Theft, Security Researchers Warn
Attack Requires 2 People, Customized Gear and Very Close Proximity to the Victim
Security researchers unveiled another potential flaw in the technology used by auto manufacturer Tesla to unlock its cars that makes them vulnerable to theft.
Whether because of Tesla's cutting-edge reputation or because techies like driving electric vehicles, Tesla seems to invite probes from white hat hackers eager to publicize how thieves could drive one away.
The newest example comes from internet of things security company IOActive, which describes an attack involving two people, a customized RFID emulator and a mark who carries a Tesla near-field communication key card for a Model Y sedan.
The research was first reported by Kim Zetter on The Verge.
IOActive says a modified Proxmark RDV4.0 device could be used to prod a Model Y into believing that the security testing device is a legitimate Tesla key card. The trick afterward is to answer the cryptographic challenge Tesla cars issue before unlocking themselves, which requires relaying the challenge via a second device, such as a smartphone, placed in close physical proximity to the key card. The smartphone can maintain a connection with the Proxmark via Bluetooth or Wi-Fi while it establishes contact with the key card via the NFC protocol to pass on the cryptographic challenge and receive the answer.
Although most Tesla owners use their smartphones to unlock their cars, the manufacturer advises owners to carry key cards with them at all times in case of a stolen device or a dead battery.
In a video demonstrating the attack, one hacker armed with a Proxmark device stands next to the Tesla while a second attacker with a smartphone gets close to the victim. The second attacker must get very close: less than 2 inches away from the legitimate key card. The addition of a "specialized, high-power device" might widen the distance to slightly less than 2 feet.
The attack succeeds because Tesla is permissive on time limits for receiving a response to the cryptographic challenge, IOActive says. The company could tighten the time limit, although that runs the risk of the car rejecting legitimate unlocking requests from a slow-moving phone. Car owners could defeat the attack by enabling a feature requiring them to enter a PIN before the vehicle can be driven.
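The time-limit trade-off described above, as an added example that is not code from IOActive or Tesla: it assumes an HMAC-SHA256 challenge-response in place of the real protocol, which the article does not describe, and all latency figures are constructed rather than measured.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 over a random challenge stands in for the key card's
# cryptographic answer; the article does not describe the real protocol.
def card_answer(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

def car_accepts(key, challenge, answer, elapsed_ms, limit_ms):
    """Unlock only if the answer is correct AND it arrived within the limit."""
    correct = hmac.compare_digest(card_answer(key, challenge), answer)
    return correct and elapsed_ms <= limit_ms

# Constructed round-trip times in milliseconds, not measurements.
DIRECT_MS = [18, 22, 25, 31, 40, 95]    # card at the reader; 95 = a slow device
RELAYED_MS = [140, 180, 220, 310, 450]  # same answer forwarded over a radio link

def evaluate(limit_ms, key=None):
    """Return (legitimate unlocks rejected, relayed unlocks accepted)."""
    key = key or os.urandom(32)
    rejected = accepted = 0
    for ms in DIRECT_MS:
        ch = os.urandom(16)
        if not car_accepts(key, ch, card_answer(key, ch), ms, limit_ms):
            rejected += 1
    for ms in RELAYED_MS:
        ch = os.urandom(16)
        # A relay forwards the genuine card's answer unchanged, so the
        # cryptographic check passes; only the added delay can reveal it.
        if car_accepts(key, ch, card_answer(key, ch), ms, limit_ms):
            accepted += 1
    return rejected, accepted

def sweep(limits=(50, 100, 200, 500)):
    """Evaluate several candidate time limits against the sample latencies."""
    return {limit: evaluate(limit) for limit in limits}

if __name__ == "__main__":
    for limit, (rej, acc) in sweep().items():
        print(f"limit {limit:>3} ms: {rej} legitimate rejected, {acc} relayed accepted")
```

With these sample figures, the most permissive limit accepts every relayed answer, while the tightest one blocks all relays but also rejects the slow legitimate device.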
Tesla did not respond to an Information Security Media Group request for information about the research. IOActive says Tesla has also been unresponsive to the company.
The proof of concept is only the latest warning that Teslas are hackable. Researchers from NCC Group in May developed an attack using a Bluetooth Low Energy relay. Security researcher Martin Herfurt in June also described a Bluetooth Low Energy attack.
Whether actual car thieves will use these attacks is difficult to know. The nonprofit Highway Loss Data Institute says Tesla is among the brands of cars that are least stolen. But that may be because Teslas "are usually parked in garages or close to a house to be near a power supply," the institute says.
Even once stolen, Teslas tend to be recovered, not least because of the GPS tracking embedded into them. But Tesla theft is possible. Some thieves have stolen cars and possibly evaded later detection by dismantling them.