One of the highlights of Tesla's cybersecurity protections is the challenge system that protects its cars from conventional methods of attacking the remote unlock. A researcher has found a way to let someone with physical access to a Model Y steal it.
Josep Rodriguez, the principal security consultant for IOActive, discovered the vulnerability. The attack requires two people: one needs to be near the car and the other needs to be near the car owner, who has a virtual key in their pocket or purse.
A near-field communication keycard can be used to open a vehicle by tapping it against a reader on the driver's side. The car manual advises owners to always carry a keycard with them, even if they can use a virtual key on their phone.
In Rodriguez's scenario, attackers can steal a Model Y if they position themselves within about two inches of the owner's keycard or of a phone that has a virtual key on it.
The first hacker uses a Proxmark device to communicate with the reader in the door pillar. The car sends a challenge that the owner's keycard is supposed to answer. In a hack scenario, the Proxmark device transmits the challenge to the mobile phone of the second person, who has placed it near the owner's pocket or purse. The keycard's response is transmitted back to the Proxmark device, which can then be used to gain access to the car.
Rodriguez says that it is possible to pull off the attack using a Raspberry Pi, which can be used to relay the signals from one to the other. He thinks it is possible to conduct the attack over the internet.
The car will keep sending challenges until the second person is near the owner. The Proxmark can tell the car that it needs more time to respond.
Until last year, drivers who used the card to unlock their car had to put the card on the console between the front seats in order to shift it into gear. The software update eliminated that step. Drivers can operate the car by stepping on the brake pedal after they have unlocked it.
If car owners enable the PIN-to-drive function in their vehicle, Rodriguez's attack can be stopped. Rodriguez expects a lot of owners to not enable this feature. Even if it were enabled, thieves could still get into the car.
Once the thieves shut off the engine, they won't be able to restart the car with the original keycard. Rodriguez said they could add a new keycard to the car that would allow them to operate it at will.
In Europe, attackers have stripped cars for parts when they didn't want to continue driving them. It wouldn't be easy for the company to eliminate the relay problem.
It is difficult to fix the issue without changing the hardware of the car.
He notes that the communication between the first attacker and the second attacker takes only two seconds. It would be difficult if you only had half a second to do it.
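The timing point above, as an added example that is not code from the article, Rodriguez, IOActive or Tesla: a reader-side check that bounds how long a challenge may stay unanswered and how many "need more time" requests it honours. The HMAC challenge-response, function names and timings are assumptions made for illustration; only the half-second and two-second figures come from the text.

```python
import hashlib
import hmac
import os

# Assumed values: the 0.5 s budget and the 2 s relay time are the figures quoted
# above; the HMAC scheme and all names here are hypothetical, not Tesla's protocol.
RESPONSE_BUDGET_S = 0.5
MAX_EXTENSIONS = 0  # "I need more time" requests the reader will honour


def card_response(key: bytes, challenge: bytes) -> bytes:
    """What a genuine keycard computes for a challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def reader_accepts(key, challenge, response, elapsed_s, extensions,
                   budget_s=RESPONSE_BUDGET_S, max_extensions=MAX_EXTENSIONS):
    """Return (accepted, reason) for one unlock attempt seen by the reader."""
    if not hmac.compare_digest(response, card_response(key, challenge)):
        return False, "bad response"
    if extensions > max_extensions:
        return False, "too many time extensions"
    if elapsed_s > budget_s:
        return False, "response too slow"
    return True, "ok"


def demo():
    key = os.urandom(32)        # constructed shared secret
    challenge = os.urandom(16)  # fresh challenge from the reader
    answer = card_response(key, challenge)  # valid whether tapped or relayed
    return {
        # Constructed timings: a direct tap, then a 2 s relayed answer.
        "direct tap": reader_accepts(key, challenge, answer, 0.05, 0),
        "relayed, strict reader": reader_accepts(key, challenge, answer, 2.0, 0),
        "relayed with extension": reader_accepts(key, challenge, answer, 0.4, 1),
        # A reader with no effective deadline accepts the same relayed answer.
        "relayed, lenient reader": reader_accepts(
            key, challenge, answer, 2.0, 3, budget_s=30.0, max_extensions=10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The relayed answer is cryptographically identical to a direct tap, so the response check alone cannot tell them apart; only the deadline and the extension cap do.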
When Rodriguez contacted the company, he was told that the PIN-to-drive function would make up for the problem. To operate the car, a driver needs to type a four-digit PIN into the car's touchscreen. It is not known if a thief could guess the PIN. The user manual doesn't say if the car will lock out a driver after a few failed PINs.
The company did not respond to a request for comment.
It is not the first time that researchers have found a way to steal a car. A researcher found a way to start a car with an unauthorized virtual key, but it required the attacker to be in the vicinity while the owner unlocked the car. Other researchers showed an attack against a car that intercepts the communication between the car and the owner.
Rodriguez believes that the company has a better track record on security than other car manufacturers.
He says that because their cars are more technological than other manufacturers', they open windows for attackers to find vulnerabilities. Compared to other manufacturers that are not as technologically advanced, the security level of the cars manufactured by Tesla is very high.
He says that the attack can be done in vehicles made by other manufacturers, but they don't have PIN-to-drive protections.