Tesla Passive Entry System is Vulnerable to “Car-Napping” Cyber Attacks | Ron Benvenisti

Tesla’s keyless feature can actually allow cybercriminals to take over your electric vehicle. If this is true, then having digital locks for EVs and conventional cars may also be an issue.

As the automotive industry further expands and improves, car manufacturers have been developing new enhancements so that their vehicles can be leveraged by hackers to take advantage of this attack.

One of these technologies is the keyless feature, which allows drivers to open their car and start their engine without the need of inserting their keys into their car doors or steering wheels.

“Car-Napping”

Sultan Khan of NCC, published a report in Fortune explaining how the keyless feature can lead to “car-napping.”

Tesla Keyless Feature’s Issue 

According to Fortune‘s latest report, Khan demonstrated how the Tesla keyless feature can be used to access EVs. The issue specifically relies on the automaker’s BLE (Bluetooth Low Energy Communications Technology).

BLE allows drivers to open or start their EVs using authorized mobile devices or key fobs in order to access the vehicle’s doors without making any physical contact with your car.

“This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE.”

He added that if hackers try to take advantage of Tesla’s BLE, Model 3 and Model Y units will be the ones most affected.

How Hackers Can Use Tesla Keyless Feature

To show the public how hackers can take advantage of Tesla keyless feature’s BLE system, Khan developed a new tool that can release a BLE relay attack.

He explained that if cybercriminals can conduct their own relay attacks within the BLE signal range, they can easily gain access to their victims’ Tesla EVs.

As of this writing, there’s still no report by Tesla regarding the BLE issue. Tesla electric car units are not the only ones that can be affected by the Bluetooth Low Energy flaw.

Residential Smart Locks Also Affected

Even residential smart locks can also be accessed by hackers via the BLE issue.

Technical Advisory:

Vendor: Tesla, Inc.

Vendor URL: https://www.tesla.com

Versions affected: Attack tested with vehicle software v11.0 (2022.8.2 383989fadeea) and iOS app 4.6.1-891 (3784ebe63).

Systems Affected: Attack tested on Model 3. Model Y is likely also affected.

Risk:

An attacker within Bluetooth signal range of a mobile device configured for Phone-as-a-Key use can conduct a relay attack to unlock and operate a vehicle despite the authorized mobile device being out of range of the vehicle.

The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE.

The cyber criminal can circumvent the existing relay attack mitigations of latency bounding or link layer encryption, and bypass localization defenses commonly used against relay attacks that use signal amplification. As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.

Impact:

If an attacker can place a relaying device within BLE signal range of a mobile phone or key fob authorized to access a Tesla Model 3 or Model Y, they can then conduct a relay attack to unlock and operate the vehicle.

There is currently no way to ascertain that an attack is in progress. Conventional mitigations against prior BLE relay attacks are rendered ineffective against link layer relay attacks.

Details:

Testing on a 2020 Tesla Model 3 running software v11.0 (2022.8.2) with an iPhone 13 mini running version 4.6.1-891 of the Tesla app, the NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was even outside the BLE range of the vehicle. In the test setup, the iPhone was placed on the top floor at the far end of a home, approximately 82 feet away from the vehicle, which was in the garage at ground level. The phone-side relaying device was positioned in a separate room from the iPhone, approximately 22 feet away from the phone. The vehicle-side relaying device was able to unlock the vehicle when within placed within a radius of approximately 10 feet from the vehicle.

The Tesla Model Y with the optional Tesla Model 3/Y BLE key fob. Is vulnerable to the same type of relay attack .

Relay attacks against the Model 3 remained effective over a local Wi-Fi network. This vulnerability should be sufficient for conducting long-distance relay attacks over the internet against Tesla vehicles.

Recommendations:

Users should use the PIN to Drive feature. Consider also providing users with an option to disable passive entry and disabling passive entry functionality in the mobile app when the mobile device has been stationary for more than a minute.  Additionally set the the mobile app to report the mobile device’s last known location during the authentication process with the vehicle, so that the vehicle can detect and reject long distance relay attacks.

Tesla should deploy a more reliable prevention of relay attacks in all future vehicles.

Any opinions expressed in this commentary are those of the author.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 20,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.

1 COMMENT

  1. I often take naps in my car. But apparently, I can’t do that any longer because car-napping has also been deemed a crime by the “Sleep Police! Outrageous!

Comments are closed.