Tesla prides itself on its cybersecurity protections, particularly the elaborate challenge system that protects its cars from conventional methods for attacking the remote unlock system. But now, one researcher has discovered a sophisticated relay attack that would allow someone with physical access to a Tesla Model Y to unlock and steal it in a matter of seconds.
The vulnerability — discovered by Josep Pi Rodriguez, principal security consultant for IOActive — involves what’s called an NFC relay attack and requires two thieves working in tandem. One thief needs to be near the car and the other near the car owner, who has an NFC keycard or mobile phone with a Tesla virtual key in their pocket or purse.
Near-field communication keycards allow Tesla owners to unlock their vehicles and start the engine by tapping the card against an NFC reader embedded in the driver’s side body of the car. Owners can also use a key fob or a virtual key on their mobile phone to unlock their car, but the car manual advises them to always carry the NFC keycard as a backup in case they lose the key fob or phone or their phone’s battery dies.
In Rodriguez’s scenario, attackers can steal a Tesla Model Y as long as they can position themselves within about two inches of the owner’s NFC card or mobile phone with a Tesla virtual key on it — for example, while in someone’s pocket or purse as they walk down the street, stand in line at Starbucks, or sit at a restaurant.
The first hacker uses a Proxmark RDV4.0 device to initiate communication with the NFC reader in the driver’s side door pillar. The car responds by transmitting a challenge that the owner’s NFC card is meant to answer. But in the hack scenario, the Proxmark device transmits the challenge via Wi-Fi or Bluetooth to the mobile phone held by the accomplice, who places it near the owner’s pocket or purse to communicate with the keycard. The keycard’s response is then transmitted back to the Proxmark device, which transmits it to the car, authenticating the thief to the car by unlocking the vehicle.
Although the attack via Wi-Fi and Bluetooth limits the distance the two accomplices can be from one another, Rodriguez says it’s possible to pull off the attack via Bluetooth from several feet away from each other or even farther away with Wi-Fi, using a Raspberry Pi to relay the signals. He believes it may also be possible to conduct the attack over the internet, allowing even greater distance between the two accomplices.
once the thieves shut off the engine, they won’t be able to restart the car
If it takes time for the second accomplice to get near the owner, the car will keep sending a challenge until it gets a response. Or the Proxmark can send a message to the car saying it needs more time to produce the challenge response.
Until last year, drivers who used the NFC card to unlock their Tesla had to place the NFC card on the console between the front seats in order to shift it into gear and drive. But a software update last year eliminated that additional step. Now, drivers can operate the car just by stepping on the brake pedal within two minutes after unlocking the car.
The attack Rodriguez devised can be prevented if car owners enable the PIN-to-drive function in their Tesla vehicle, requiring them to enter a PIN before they can operate the car. But Rodriguez expects that many owners don’t enable this feature and may not even be aware it exists. And even with this enabled, thieves could still unlock the car to steal valuables.
There is one hitch to the operation: once the thieves shut off the engine, they won’t be able to restart the car with that original NFC keycard. Rodriguez says they can add a new NFC keycard to the vehicle that would allow them to operate the car at will. But this requires a second relay attack to add the new key, which means that, once the first accomplice is inside the car after the first relay attack, the second accomplice needs to get near the owner’s NFC keycard again to repeat the relay attack, which would allow the first accomplice to authenticate themself to the vehicle and add a new keycard.
If the attackers aren’t interested in continuing to drive the vehicle, they could also just strip the car for parts, as has occurred in Europe. Rodriguez says that eliminating the relay problem he found wouldn’t be a simple task for Tesla.
“To fix this issue is really hard without changing the hardware of the car — in this case the NFC reader and software that’s in the vehicle,” he says.
But he says the company could implement some changes to mitigate it — such as reducing the amount of time the NFC card can take to respond to the NFC reader in the car.
“The communication between the first attacker and the second attacker takes only two seconds [right now], but that’s a lot of time,” he notes. “If you have only half a second or less to do this, then it would be really hard.”
Rodriguez, however, says the company downplayed the problem to him when he contacted them, indicating that the PIN-to-drive function would mitigate it. This requires a driver to type a four-digit PIN into the car’s touchscreen in order to operate the vehicle. It’s not clear if a thief could simply try to guess the PIN. Tesla’s user manual doesn’t indicate if the car will lock out a driver after a certain number of failed PINs.
Tesla did not respond to a request for comment from The Verge.
It’s not the first time that researchers have found ways to unlock and steal Tesla vehicles. Earlier this year, another researcher found a way to start a car with an unauthorized virtual key, but the attack requires the attacker to be in the vicinity while an owner unlocks the car. Other researchers showed an attack against Tesla vehicles involving a key fob relay attack that intercepts and then replays the communication between an owner’s key fob and vehicle.
Rodriguez says that, despite vulnerabilities discovered with Tesla vehicles, he thinks the company has a better track record on security than other vehicles.
“Tesla takes security seriously, but because their cars are much more technological than other manufacturers, this makes their attack surface bigger and opens windows for attackers to find vulnerabilities,” he notes. “That being said, to me, Tesla vehicles have a good security level compared to other manufacturers that are even are less technological.”
He adds that the NFC relay attack is also possible in vehicles made by other manufacturers, but “those vehicles have no PIN-to-drive mitigation.”