Last year, Tesla issued an update that made it easier to start its cars. A security researcher has now shown that the same feature can be abused to steal them.
Tesla cars can be unlocked with the phone app, a key fob, or an NFC key card. Before the update, drivers who unlocked the car with the NFC card then had to place the card on the center console before they could start driving. With the update, the car can be driven immediately after it is unlocked with the card.
You can enroll your own key.
Martin Herfurt, a security researcher in Austria, noticed something odd about the new feature: not only does it allow the car to start within 130 seconds of being unlocked with the NFC card, it also puts the car into a state in which it will accept entirely new keys.
Herfurt said that the authorization granted during the 130-second interval is too general. The timer was introduced to make the card more convenient as the primary means of using the car: it should be possible to start the car without the user having to present the card again. The problem is that within the 130-second period, not only driving the car is authorized, but also the signing of a new key.
Even though the official phone app does not allow keys to be enrolled unless it is connected to the owner's account, Herfurt found that the vehicle would happily exchange messages with any nearby BLE device. So the researcher built his own app that speaks the same protocol (VCSEC) that the official Tesla app uses.
A malicious version of TeslaKee, which Herfurt designed for proof-of-concept purposes, shows how easy it is for a thief to enroll a key of their own in someone else's car. Herfurt plans to eventually release a benign version of TeslaKee intended to make such attacks harder to carry out. In the attack, the attacker uses the TeslaKee app to send and receive VCSEC messages.
All the attacker has to do is be within BLE range of the car during the crucial 130-second window after it is unlocked with the NFC card. If the owner normally uses the phone-as-a-key app, the attacker can use a signal jammer to block the BLE frequencies the app relies on, forcing the owner to fall back to the NFC card and thereby opening the window.
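To make the authorization-scope problem concrete, here is a small Python model of the car-side logic as the article describes it. It is an added illustration written for this page, not Tesla's firmware, TeslaKee, or the real VCSEC message format: the message names, the `Vehicle` class, the `scoped_enrollment` switch and the "fresh card tap" fix are assumptions of the example; only the 130-second timer and the attack sequence (jam the phone key, wait for the card unlock, enroll a key inside the window, come back later) come from the text.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 130  # the article's figure: the car stays authorized for 130 s after an NFC-card unlock


@dataclass
class Vehicle:
    """Toy model of the car-side key logic (assumption of this example).
    Message names (UNLOCK, DRIVE, ENROLL_KEY) and the `scoped_enrollment`
    switch are invented here; they are not Tesla's real VCSEC protocol."""
    enrolled_keys: set = field(default_factory=lambda: {"owner-card"})
    scoped_enrollment: bool = False   # False reproduces the reported behaviour
    now: float = 0.0                  # simulated clock (seconds), so the run is deterministic
    authorized_until: float = -1.0

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def _in_window(self) -> bool:
        return self.now < self.authorized_until

    def handle(self, msg: dict) -> bool:
        """Handle one message from any nearby BLE device or card reader.
        Nothing here checks *who* sent the message: the only authorization
        check is 'is the 130-second timer still running', which is the flaw."""
        kind = msg["type"]
        if kind == "UNLOCK":
            # Presenting an enrolled key (card, fob or phone) opens the window.
            if msg["key_id"] not in self.enrolled_keys:
                return False
            self.authorized_until = self.now + WINDOW_SECONDS
            return True
        if kind == "DRIVE":
            return self._in_window()
        if kind == "ENROLL_KEY":
            if not self._in_window():
                return False
            # Hardened variant (assumption, not a documented Tesla fix): enrolling
            # a key needs its own proof of possession, e.g. a fresh card tap,
            # rather than riding on the drive authorization left over from the unlock.
            if self.scoped_enrollment and not msg.get("fresh_card_tap"):
                return False
            self.enrolled_keys.add(msg["key_id"])
            return True
        return False


def thief_scenario(scoped_enrollment: bool) -> dict:
    """Replay the attack flow: the owner unlocks with the NFC card (their phone
    key having been jammed), the attacker's device enrolls a key inside the
    window, and the attacker returns later to unlock and drive with that key."""
    car = Vehicle(scoped_enrollment=scoped_enrollment)
    owner_unlocked = car.handle({"type": "UNLOCK", "key_id": "owner-card"})
    car.tick(20)  # attacker is in BLE range 20 s into the window
    enrolled = car.handle({"type": "ENROLL_KEY", "key_id": "thief-phone"})
    car.tick(3600)  # owner has left; the original window is long over
    unlocked_later = car.handle({"type": "UNLOCK", "key_id": "thief-phone"})
    drives = car.handle({"type": "DRIVE"})
    return {
        "owner_unlocked": owner_unlocked,
        "key_enrolled": enrolled,
        "thief_unlocked_later": unlocked_later,
        "thief_drives": drives,
    }


def late_attempt() -> bool:
    """Same attacker arriving after the window has expired: enrollment is
    refused even by the vulnerable logic, which is why the attack is timing-sensitive."""
    car = Vehicle()
    car.handle({"type": "UNLOCK", "key_id": "owner-card"})
    car.tick(WINDOW_SECONDS + 1)
    return car.handle({"type": "ENROLL_KEY", "key_id": "thief-phone"})


if __name__ == "__main__":
    print("vulnerable:", thief_scenario(False))
    print("hardened:  ", thief_scenario(True))
    print("too late:  ", late_attempt())
```

With the reported behaviour (`scoped_enrollment=False`) every step of the thief's flow succeeds, because the car treats "unlocked within the last 130 seconds" as sufficient to accept a new key from whoever is talking to it over BLE. The hardened variant only changes one thing: enrollment demands its own proof of possession instead of inheriting the drive authorization, so the drive-after-unlock convenience is preserved while the thief's enrollment fails and their later unlock attempt is rejected.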
Herfurt's video shows the attack in action.