Tesla released an update last year that made it easier for vehicles to be started after they were unlocked using their NFC keys. A researcher now shows how this feature can be used to steal cars.
For years, Tesla NFC card holders had to insert the card into the console in order to unlock their car. Following the update, which was reported here last August, drivers could operate their cars immediately after unlocking them with the card. NFC cards are one of three ways to unlock a Tesla. A key fob or a smartphone app are two other options.
Enrolling your own key
Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys–with no authentication required and zero indication given by the in-car display.
“The authorization given in the 130-second interval is too general… [it’s] not only for drive,” Herfurt said in an online interview. “This timer was introduced by Tesla… to make it easier to use the NFC card for primary purposes. The car should be able to be started and driven with the key card not having to be used twice. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”
The official Tesla phone app does not allow keys to be enrolled, unless it is connected to an owner’s account. However, Herfurt discovered that the vehicle will happily exchange messages with any Bluetooth Low Energy (BLE) device nearby. So the researcher built his own app, named Teslakee, that speaks VCSec, the same language that the official Tesla app uses to communicate with Tesla cars.
A malicious version of Teslakee that Herfurt designed for proof-of-concept purposes shows how easy it is for thieves to surreptitiously enroll their own key during the 130-second interval. (The researcher intends to eventually release a benign Teslakee that will make it harder for such attacks to be carried out.) The attacker's Teslakee app sends the VCSec messages that enroll the new key.
All that’s required is to be within range of the car during the crucial 130-second window of it being unlocked with an NFC card. If a vehicle owner normally uses the phone app to unlock the car–by far the most common unlocking method for Teslas–the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app.
This video shows the attack in action.
As the driver enters his car, he unlocks it using an NFC card, and the weaponized Teslakee begins exchanging messages with the car. Before the driver even drives away, the messages register a key for the thief. The key can be used by the thief to unlock, start and turn off the vehicle. Neither the in-car display nor the official Tesla app indicates that anything is wrong.
Herfurt successfully attacked Tesla Models 3 & Y. He hasn’t tested the method on new 2021+ facelift models of the S and X, but he presumes they are also vulnerable because they use the same native support for phone-as-a-key with BLE.
Tesla did not respond to an email requesting comment on this post.