Using an NFC card to unlock the car makes it easy for the driver, but it also gives thieves a chance to enroll their own key.
Last year, Tesla issued an update that made its vehicles easier to start after being unlocked with their NFC key cards. Now, Ars Technica reports that a researcher has shown how the feature can be exploited to steal cars.
Until last year, drivers who used their Tesla NFC key card to unlock their cars had to place the card on the center console to begin driving. Following last August’s update, drivers could operate their cars immediately after unlocking them with the card. The NFC card is one of three means for unlocking a Tesla. Drivers can also use a key fob or a phone app.
Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: Not only did it allow the car to automatically start within 130 seconds of being unlocked with the NFC card, but it also put the car in a state to accept entirely new keys—with no authentication required and zero indication given by the in-car display.
The official Tesla phone app doesn’t permit keys to be enrolled unless it’s connected to the owner’s account, but despite this, Herfurt found that the vehicle gladly exchanges messages with any Bluetooth Low Energy, or BLE, device that’s nearby. So the researcher built his own app, named Teslakee, that speaks VCSec, the same language that the official Tesla app uses to communicate with Tesla cars. He has used this app to prove the vulnerability.
Using VCSec messaging to hack the Tesla system
The vulnerability is the result of the dual roles played by the NFC card. It not only opens a locked car and starts it; it’s also used to authorize key management.
Herfurt explains that the hack exploits Tesla’s way of handling the unlock process via NFC card. “This works because Tesla’s authorization method is broken,” he says. “There is no connection between the online account world and the offline BLE world. Any attacker who can see the Bluetooth LE advertisements of a vehicle may send VCSec messages to it. This would not work with the official app, [but] an app that is also able to speak the Tesla-specific BLE protocol… allows attackers to enroll keys for arbitrary vehicles.” He adds: “Teslakee will communicate with any vehicle if it is told to.”
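To make the "no connection between the online account world and the offline BLE world" point concrete, here is an added, constructed simulation (not Tesla's code and not the VCSec protocol) of the enrollment window the article describes, with a weak policy that mirrors the reported behaviour beside an assumed hardened one that ties key enrollment to an owner-account token and always surfaces the event on the display.

```python
# Constructed simulation of the enrollment window the article describes; not Tesla
# code or the VCSec protocol. "Weak": any nearby peer may enroll a key within 130 s
# of an NFC unlock. "Hardened" (an assumed fix, not a documented Tesla change): the
# vehicle also demands a token only the owner's authenticated account can mint.
import hmac, hashlib

ENROLL_WINDOW_S = 130  # post-unlock window reported in the article


class Vehicle:
    def __init__(self, owner_secret: bytes, require_owner_token: bool):
        self.owner_secret = owner_secret  # known to vehicle and account backend only
        self.require_owner_token = require_owner_token
        self.unlocked_at = None
        self.keys = set()
        self.events = []  # what the in-car display should show

    def nfc_unlock(self, now: float) -> None:
        self.unlocked_at = now

    def in_enroll_window(self, now: float) -> bool:
        return self.unlocked_at is not None and 0 <= now - self.unlocked_at <= ENROLL_WINDOW_S

    def enroll_key(self, key_id: str, now: float, owner_token: bytes = b"") -> bool:
        if not self.in_enroll_window(now):
            self.events.append(f"{key_id}: rejected, no recent NFC unlock")
            return False
        if self.require_owner_token:
            expected = hmac.new(self.owner_secret, key_id.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, owner_token):
                self.events.append(f"{key_id}: rejected, no owner authorization")
                return False
        self.keys.add(key_id)
        self.events.append(f"{key_id}: enrolled")  # always surfaced, never silent
        return True


def owner_authorize(owner_secret: bytes, key_id: str) -> bytes:
    # token the owner's logged-in app would fetch from the account backend
    return hmac.new(owner_secret, key_id.encode(), hashlib.sha256).digest()


def demo() -> dict:
    secret = b"constructed-owner-secret"
    weak, hard = Vehicle(secret, False), Vehicle(secret, True)
    weak.nfc_unlock(now=1000.0)
    hard.nfc_unlock(now=1000.0)
    return {
        "weak_stranger": weak.enroll_key("stranger-phone", now=1050.0),
        "weak_late": weak.enroll_key("stranger-phone-2", now=1200.0),
        "hard_stranger": hard.enroll_key("stranger-phone", now=1050.0),
        "hard_owner": hard.enroll_key("owner-phone", 1050.0, owner_authorize(secret, "owner-phone")),
    }
```

The weak vehicle accepts the stranger's key inside the window and only rejects it once the window has closed, while the hardened vehicle rejects the same request and accepts only the owner-authorized one.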