As the driver enters the car after unlocking it with an NFC card, the thief begins exchanging messages between the armed Teslakee and the car. Before the driver is even driven away, the messages enter a key of the thief’s choice for the car. From then on, the thief can use the key to unlock, start and turn off the car. There is no indication from the car’s display or the legitimate Tesla app that something is wrong.
Herfurt has successfully used the attack on Tesla Models 3 and Y. He has not tested the method on new 2021+ facelift models of S and X, but he suspects that they are also vulnerable because they use the same native support for phone- as -one-key with BLE.
Tesla did not respond to a request for comment on this post.
Do you know VCSec?
The vulnerability is the result of the dual roles that the NFC card plays. It not only opens a locked car and starts it; it is also used to authorize key management.
The attack exploits Tesla’s way of handling the unlocking process via NFC cards. This works because Tesla’s approval method is broken. There is no connection between the online account world and the offline BLE world. Any attacker who sees Bluetooth LE commercials for a vehicle can send VCSEC messages to it. This would not work with the official app, but an app that is also capable of speaking the Tesla-specific BLE protocol… allows attackers to sign up for keys to any vehicle. Teslakee will communicate with any vehicle if requested.
Herfurt created Teslakee as part of Project Tempa, which “provides tools and information about the VCSEC protocol used by Tesla accessories and the Tesla app to control vehicles via Bluetooth LE.” Herfurt is a member of Trifinite groupa research and hacker collective focusing on BLE.
The attack is easy enough in technical aspects to perform, but the mechanics of putting an unsupervised vehicle out, waiting for or forcing the owner to unlock it with an NFC card and later overtake the car and steal it can be cumbersome. This method is unlikely to be practical in many theft scenarios, but for some it appears to be viable.
As Tesla maintains radio silence on this weakness, there is only so much that concerned owners can do. A countermeasure is to set up Pin2Drive to prevent thieves using this method from starting a vehicle, but it will do nothing to prevent the thief from entering the car once it is locked. Another protection is to regularly check the list of keys approved to unlock and start the car through a process that Tesla calls “whitelisting”. Tesla owners may want to perform this check after giving an NFC card to a mechanic or parking attendant who is not trusted.
Based on the lack of response, Herfurt said he received from Tesla regarding vulnerabilities he revealed in 2019 and again last yearhe does not hold his breath that the company will address the issue.
“My impression was that they always already knew that and did not really want to change things,” he said. “This time, there is no way that Tesla does not know about the poor implementation. So for me, there was no point in talking to Tesla in advance.”
This story originally appeared on Ars Technica.