New Tesla Hack Allows Thieves to Unlock, Steal Car in 10 Seconds

Nearly two million Teslas on the road today are susceptible to this attack.

byRob Stumpf| PUBLISHED May 18, 2022 5:51 PM
New Tesla Hack Allows Thieves to Unlock, Steal Car in 10 Seconds
via Tesla
Share

A security researcher successfully exploited a vulnerability that allowed them to not only unlock a Tesla but also drive away without ever having to touch one of the car's keys.

In a video shared with Reuters, Sultan Qasim Khan, a researcher from the cybersecurity firm NCC Group, demonstrates the attack on a 2021 Tesla Model Y. Its public disclosure also states that the vulnerability was successful on a 2020 Tesla Model 3. By utilizing a relay device attached to a laptop, the attacker can wirelessly bridge a gap between the car and the victim's phone, tricking the vehicle into thinking that the phone is within range of the vehicle when it could be hundreds of feet (or even miles) away.

If this method of attack sounds familiar, it should. Cars that utilize key fobs with rolling code authentication are susceptible to relay attacks similar to the Tesla exploited by Khan. With a traditional key fob, a pair of bad actors extend the vehicle's passive keyless entry probing signals to a second device in range of the actual key. However, this Bluetooth Low Energy (BLE)-based attack can be operated by a pair of thieves or someone who places a small internet-connected relay somewhere where an owner is bound to go, such as a coffee shop. Once the unsuspecting owner is in range of the relay, it only takes seconds—10 seconds, according to Khan—for the bad actor to drive off with the car.

We've seen relay attacks used before in plenty of automotive thefts across the country. This new attack vector similarly uses range extension to trick the Tesla vehicle into thinking that a phone or key fob is within range. However, rather than utilize a traditional vehicle key fob, this particular attack focuses on the victim's cell phone, or Tesla's BLE-enabled key fobs, that use that same communication technology as the phone.

The specific attack carried out stems from an inherent vulnerability in the BLE protocol, which Tesla uses for its phone-as-a-key and their fobs for the Model 3 and Model Y. This means that, while Teslas are vulnerable to the attack vector, they are far from the only target. Residential smart locks or just about any connected device that uses BLE as a method to detect device proximity—something that the protocol was never designed to do, according to NCC—are also affected.

"In effect, systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," the NCC Group said in a statement to Reuters. "This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved."

Perhaps even more troublesome is that this is an attack on a communication protocol rather than a specific flaw in the vehicle's operating system. Any car that uses BLE for phone-as-a-key (like some Ford and Lincoln vehicles) is likely susceptible to the attack. Theoretically, this type of attack also may be successful against companies that use Near-Field Communication (NFC) for their phone-as-a-key feature, such as BMW, Hyundai, and Kia, though it has not yet been demonstrated, plus the hardware and attack vector would need to be different to perform such an attack on NFC.

Tesla introduced a feature called "PIN-to-drive" in 2018 that, if enabled, acts as a multifactor layer of security to prevent theft. So even if this attack were carried out on an unsuspecting victim in the wild, the attacker would still need to know the vehicle's unique PIN to drive away with their vehicle. Obviously, this doesn't protect against unlocking the vehicle and likely isn't easier to carry out than a simple smash-and-grab (though it is certainly more stealthy).

Got a tip or question for the author? Contact them directly: rob@thedrive.com