Hackers can steal your Tesla by creating their own private keys

Last year, Tesla issued an update that made its cars easier to start after being unlocked with their NFC key cards. Now a researcher has shown how the feature can be used to steal cars.

For years, drivers who used their Tesla NFC key card to unlock their cars had to place the card in the center console before they could start driving. After the update, which was reported here last August, drivers could drive off immediately after unlocking the car with the card. The NFC card is one of three ways to unlock a Tesla; a key fob and the phone app are the other two.

Registering your own key

Martin Herfurt, a security researcher in Austria, quickly noticed something odd about the new feature: not only did it allow the car to start automatically within 130 seconds of being unlocked with the NFC card, it also put the car in a state where it would accept entirely new keys, with no authentication required and no indication shown on the in-car display.

“The permission given in the 130-second interval is too general … it’s not just for driving,” Herfurt said in an online interview. “This timer was introduced by Tesla … to make the use of the NFC card as the primary means of using the car more convenient. What needs to happen is that the car can be started and driven without the user using the key card a second time: within the 130-second period, not only the driving of the car is allowed, but also the recording of a new key.”
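The design problem Herfurt describes is a time-boxed grant that is broader than the convenience feature needed. The following toy model is an added illustration, not Tesla's code and not Herfurt's Teslakee app; it replays one event sequence against a flawed policy (the post-unlock window covers every action, including key enrollment) and a hardened one (the window covers driving only, and enrolling a key needs an explicit owner authentication step). The class and action names, the 130-second constant and the timing values are assumptions made for this example.

```python
"""Toy model of a time-boxed vehicle authorization policy (added example).

Not Tesla's code and not Teslakee. It models the flaw the article describes:
after an NFC card unlock the car enters a grace window (130 seconds in the
article) during which it accepts commands without asking for the card again.
The flawed policy treats that window as a blanket grant; the hardened policy
scopes it to driving and requires owner authentication to enroll a key.
All names, the action set and the timing source are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional, Set


class Action(Enum):
    DRIVE = auto()
    ENROLL_KEY = auto()   # register a new key/phone with the car


WINDOW_SECONDS = 130  # post-unlock grace period quoted in the article


@dataclass
class Vehicle:
    scoped_window: bool                 # True = hardened policy, False = flawed policy
    unlocked_at: Optional[float] = None  # time of the last NFC card unlock
    keys: Set[str] = field(default_factory=lambda: {"owner-card"})
    log: List[str] = field(default_factory=list)

    def nfc_unlock(self, key_id: str, now: float) -> bool:
        """Unlock with a registered NFC card; this opens the grace window."""
        if key_id not in self.keys:
            self.log.append(f"{now:.0f}s unlock rejected for {key_id!r}")
            return False
        self.unlocked_at = now
        self.log.append(f"{now:.0f}s unlocked with {key_id!r}; window open")
        return True

    def in_window(self, now: float) -> bool:
        """True while the grace window opened by the last unlock is still running."""
        return self.unlocked_at is not None and 0 <= now - self.unlocked_at <= WINDOW_SECONDS

    def request(self, action: Action, now: float, owner_authenticated: bool = False) -> bool:
        """Decide whether an action is allowed without a fresh card tap."""
        if not self.in_window(now):
            self.log.append(f"{now:.0f}s {action.name} denied: window closed")
            return False
        if action is Action.DRIVE:
            self.log.append(f"{now:.0f}s DRIVE allowed")
            return True
        # Key enrollment: the flawed policy lets the window cover it; the
        # hardened policy insists on an explicit owner authentication step.
        if self.scoped_window and not owner_authenticated:
            self.log.append(f"{now:.0f}s ENROLL_KEY denied: owner auth required")
            return False
        self.log.append(f"{now:.0f}s ENROLL_KEY allowed")
        return True

    def enroll_key(self, new_key: str, now: float, owner_authenticated: bool = False) -> bool:
        """Add a key to the vehicle if the policy permits it right now."""
        if self.request(Action.ENROLL_KEY, now, owner_authenticated):
            self.keys.add(new_key)
            return True
        return False


def run_scenario(scoped_window: bool) -> Dict[str, bool]:
    """Replay the same constructed event sequence against one policy."""
    car = Vehicle(scoped_window=scoped_window)
    car.nfc_unlock("owner-card", now=0)          # owner taps the card at t=0
    return {
        "drive_in_window": car.request(Action.DRIVE, now=10),
        "enroll_in_window": car.enroll_key("unknown-phone", now=60),
        "enroll_with_owner_auth": car.enroll_key("owner-phone", now=70, owner_authenticated=True),
        "enroll_after_window": car.enroll_key("late-phone", now=200),
        "unknown_key_accepted": "unknown-phone" in car.keys,
    }


if __name__ == "__main__":
    for policy, scoped in (("flawed", False), ("hardened", True)):
        print(policy, run_scenario(scoped))
```

Under the flawed policy the unknown device is enrolled at t=60 s with nothing more than proximity during the window; under the hardened policy the same request is denied while driving still works, and enrollment only succeeds when the owner explicitly authenticates. The point for a designer is that a grace window is a least-privilege decision: scope it to the one action the convenience feature needs and surface anything else to the user.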

Tesla’s official phone app doesn’t allow key registration unless it’s linked to the owner’s account, but even so, Herfurt found that the vehicle was happy to exchange messages with any Bluetooth Low Energy (BLE) device that was nearby. So the researcher created his own app, called Teslakee, which speaks VCSec, the same protocol that Tesla’s official app uses to communicate with Tesla cars.

A malicious version of Teslakee, which Herfurt designed for proof-of-concept purposes, shows how easy it is for thieves to secretly register their own key during the 130-second interval. (The researcher plans to eventually release a benign version of Teslakee that will make such attacks more difficult to perform.) The attacker uses the Teslakee application to exchange the VCSec messages that register the new key.

All that is required is to be in range of the car during the crucial 130-second window of unlocking it with an NFC card. If a vehicle owner usually uses the phone app to unlock the car – definitely the most common unlock method for Teslas – an attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by the phone app as the Tesla key.
