Tesla Fails Yet Again: Hackers can Steal Cars via NFC

Tesla Models 3 and Y can be unlocked and stolen via a bug in their NFC software. Late model S and X cars are probably vulnerable, too.

Déjà vu? We spoke of a similar bug last month. That one was in the BLE proximity support. It turns out that two separate research groups found two related new NFC bugs at around the same time.

Elon Musk (pictured) needs to abuse even more engineers. In today’s SB Blogwatch, we lock away our NFC cards.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Kate Bush being poised and brilliant for 12 minutes.

NFC: ‘No F***ing Chance’ it’s Secure

What’s the craic? Dan Goodin reports—“New Tesla hack gives thieves their own personal key”:

Martin Herfurt, a security researcher in Austria, quickly noticed something odd: … Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys—with no authentication required and zero indication given by the in-car display. … Herfurt found that the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that’s nearby.

A malicious [PoC app] shows how easy it is for thieves to surreptitiously enroll their own key during the 130-second interval. … As the driver enters the car after unlocking it with an NFC card, the thief begins exchanging messages between the [malicious app] and the car. Before the driver has even driven away, the messages enroll a key of the thief’s choice with the car.

Tesla didn’t respond to an email seeking comment.

Please tell us more. Martin Herfurt tells us more—“Authorization Timer Attack”:

After unlocking the vehicle via NFC, Tesla allows potential attackers to store a key on the vehicle for a period of approx. 130s. No warning or similar will be displayed on the vehicle screen during this process. This convenience feature was introduced in August 2021.

Of course, Tesla’s own app ensures that only the owners can store a key for a vehicle. However, this process does not prevent an attacker who can track down the car via Bluetooth from also being able to deposit a key. … The attacker needs a VCSEC client or an app that can handle the key protocol. As part of this research, a fully working VCSEC client has been implemented. … The YouTube Video “Gone in under 130 Seconds” showcases the … attack (turn on subtitles for commentary):

A similar vulnerability was also discovered independently by Jeff Welder and Samed Ozdemir—“Tesla Stolen in Seconds!”:

Tesla is aware of this exploit, and we are proceeding through BugCrowd. … Don’t use your NFC key card for the time being. Use your phone as your primary key until this is fixed via OTA update.

If your car supports NFC key cards, your car is subject to this exploit. [But] use of phone key and passive entry leaves no opportunity to inject a key using this exploit.

PIN to drive [doesn’t help]. After a key is injected, an attacker can bypass the PIN.
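Added example (not code from the original post, nor from Herfurt or from Welder and Ozdemir): a toy Python model of a vehicle’s key-enrollment policy, written to make the two quoted descriptions concrete. The weak policy follows the behaviour described above: after an NFC-card unlock the vehicle accepts a new key for 130 seconds from any nearby client, with no authentication and nothing shown on the display, while a phone-key unlock opens no such window. The hardened policy is my assumption of a defensible design, not Tesla’s actual fix: enrollment must carry a tag computed by an already-enrolled key over the proposed key, and the owner must confirm on the in-car display; the timer alone grants nothing. Key names, secrets and the HMAC construction are constructed for the example, and no real vehicle protocol (VCSEC or otherwise) is spoken.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

ENROLL_WINDOW_S = 130  # the authorization window quoted by the researchers above


def enrollment_tag(secret: bytes, new_key_id: str) -> bytes:
    """Tag an already-enrolled key computes over a proposed new key id (assumed design)."""
    return hmac.new(secret, new_key_id.encode(), hashlib.sha256).digest()


@dataclass
class Vehicle:
    keys: dict[str, bytes]            # enrolled key id -> shared secret (constructed)
    weak_policy: bool                 # True: timer-only enrollment, as described above
    unlock_time: float | None = None
    unlock_method: str | None = None
    display_confirmed: bool = False   # hardened policy: owner tapped "add key" on screen
    audit: list[str] = field(default_factory=list)

    def unlock(self, method: str, now: float) -> None:
        self.unlock_time, self.unlock_method = now, method
        self.audit.append(f"{now:.0f}s unlock via {method}")

    def confirm_on_display(self) -> None:
        self.display_confirmed = True

    def enroll(self, new_key_id: str, new_secret: bytes, now: float,
               proof: tuple[str, bytes] | None = None) -> bool:
        """Return True if the new key was enrolled."""
        ok = (self._weak_check(now) if self.weak_policy
              else self._hardened_check(new_key_id, proof))
        self.audit.append(f"{now:.0f}s enroll {new_key_id}: {'ACCEPTED' if ok else 'REJECTED'}")
        if ok:
            self.keys[new_key_id] = new_secret
            self.display_confirmed = False  # one confirmation covers one enrollment
        return ok

    def _weak_check(self, now: float) -> bool:
        # Weak: the only gate is the timer started by an NFC-card unlock.
        # Nothing authenticates the requester and nothing is shown on screen.
        return (self.unlock_method == "nfc"
                and self.unlock_time is not None
                and now - self.unlock_time <= ENROLL_WINDOW_S)

    def _hardened_check(self, new_key_id: str, proof: tuple[str, bytes] | None) -> bool:
        # Hardened (assumed): the request must carry a tag computed by an
        # enrolled key over the new key id, and the owner must have confirmed
        # on the display. Unlock method and elapsed time play no part.
        if proof is None or not self.display_confirmed:
            return False
        signer_id, tag = proof
        secret = self.keys.get(signer_id)
        return secret is not None and hmac.compare_digest(tag, enrollment_tag(secret, new_key_id))


def run_scenarios() -> dict[str, bool]:
    """Exercise both policies; the keys are a constructed sample, not real ones."""
    owner_id, owner_secret = "owner-phone", b"constructed-owner-secret"
    results: dict[str, bool] = {}

    def fresh(weak: bool) -> Vehicle:
        return Vehicle(keys={owner_id: owner_secret}, weak_policy=weak)

    # Weak policy, NFC unlock, unauthenticated request inside the window: accepted.
    v = fresh(True)
    v.unlock("nfc", now=0)
    results["weak_nfc_in_window"] = v.enroll("unknown-client", b"x", now=60)

    # Weak policy, same request after the window has lapsed: rejected.
    v = fresh(True)
    v.unlock("nfc", now=0)
    results["weak_nfc_after_window"] = v.enroll("unknown-client", b"x", now=200)

    # Weak policy, phone-key unlock: no window opens (matching the advice above).
    v = fresh(True)
    v.unlock("phone", now=0)
    results["weak_phone_unlock"] = v.enroll("unknown-client", b"x", now=60)

    # Hardened policy, NFC unlock, request with no owner tag: rejected.
    v = fresh(False)
    v.unlock("nfc", now=0)
    results["hardened_no_proof"] = v.enroll("unknown-client", b"x", now=60)

    # Hardened policy, owner-tagged request plus on-screen confirmation: accepted.
    v = fresh(False)
    v.unlock("nfc", now=0)
    v.confirm_on_display()
    proof = (owner_id, enrollment_tag(owner_secret, "spare-card"))
    results["hardened_owner_adds_key"] = v.enroll("spare-card", b"y", now=60, proof=proof)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28s} {'ACCEPTED' if accepted else 'REJECTED'}")
```

The point of the model is the shape of the gate, not the numbers: a window opened by one unlock event and closed by a timer is a convenience feature with no principal behind it, so any nearby client is equivalent to the owner for 130 seconds. Tying enrollment to something only an existing key holder can produce, plus a visible prompt, removes the timer from the trust decision entirely, which is also what makes the `audit` log meaningful for later review.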

It’s yet another example of convenience trumping security. Syonyk sees it as a teachable moment:

And this is why you need a good internal “Adversarial Analysis” process for public facing features. … You should, at various points in the design and implementation process, have a “How can someone abuse this new feature?” review.

Of course, with all the complexity in modern systems, it’s hard to do this. [But] if the systems are so complex that the people writing them can’t reason about it, how can they actually make sure it’s correct?

[It doesn’t] make Tesla’s software development process look particularly good. [It] has more in common with a free-to-play game developer than actual critical human interface control systems development.

And so much for the PIN2Drive safety net. u/woek is astounded:

Exactly! I’m astounded. I’ve been asked, “What if you lose your phone and someone steals your car?” many times and my answer was always Pin To Drive.

Apparently that’s not the answer?

How could this happen? Frodo Douchebaggins knows how:

You know that coworker who can do the first like 90% of a project and make it really impressive, but then loses interest once he has to finish up detail work and documentation? That is every single aspect of Tesla, as far as I can tell.

Schadenfreude much? u/poncewattle plays the victim:

And so it begins. … For the next several days all of my friends will be smugly forwarding stories about this to me.

But whatever happened to “responsible disclosure”? It’s no surprise to Jedakiah:

Come on Tesla, how do you not have a bug bounty that covers this? That’s shameful. I can’t blame the researcher for going public out of the gate, after you repeatedly rebuffed past discoveries.

Tell me a story. u/martinkoistinen waits for you to sit comfortably:

If I were a Tesla thief with the technical tools to do this, I’d hang out in the parking lot of a posh restaurant and wait for a Tesla to be parked by a valet. Not only is the valet extremely likely to be using the card key, but the cars would come to me instead of me seeking them out. As a bonus, the police would be focused on the valet, not a more sophisticated car thief.

This is a serious issue that needs to be addressed, and quickly.

Meanwhile, Sarty gets sarky: [You’re fired—Ed.]

Really gives you the warm fuzzies about [full self driving] development, right?

And Finally:

“Despite an obnoxious, uninterested interviewer”

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: DonkeyHotey (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
