Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars

A researcher has shown how a key card feature introduced by Tesla last year could be abused to add an unauthorized key that allows an attacker to open and start a vehicle.

The research was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which focuses on Bluetooth security.

Herfurt’s analysis targeted a change made by Tesla in August 2021 to key card access, removing the requirement for users to place the key card on the central console after using it to open the vehicle.

The researcher found that when a Tesla is unlocked using the key card via NFC, there is a 130-second window when an attacker who is within Bluetooth range of the targeted vehicle can add their own key, which they can later use to unlock and drive the car.

The attack involves abusing Tesla’s VCSEC protocol, which handles communications between the car, the phone app and the key fob. During such an attack, the infotainment system does not notify the victim in any way that a new key has been added.

Herfurt has made a video to show how this “authorization timer attack” works:

The researcher told SecurityWeek that he tested the attack against Tesla Model 3 and Model Y, but he believes it should also work against the newer Model S and Model X.

An exploit targeting Tesla’s infotainment system earned researchers $75,000 at the recent Pwn2Own 2022 hacking competition. Herfurt also wanted to demonstrate his attack at Pwn2Own, but relay attacks were not accepted. In fact, he said he discovered the authorization timer attack vector in September 2021, but was saving it for Pwn2Own before finding out it was not in scope.

The researcher said he did not tell Tesla about his latest research before disclosing it because he believed the carmaker had to know about the issue. Following his disclosure, he got confirmation that Tesla knew about the vulnerability from others who reported a very similar issue to the company months ago.

According to the researcher, Tesla recommends the use of the PIN2Drive feature, which requires users to enter a PIN before they can drive off, but last week he published a video showing that an attacker can bypass PIN2Drive.

Tesla has not responded to a request for comment.

Herfurt is developing TeslaKee, an upcoming mobile application that can allegedly protect Tesla vehicles against these types of relay attacks.

In May, Herfurt showed another method that could be used to steal a Tesla. The technique involved a Bluetooth relay attack where the attacker used two Raspberry Pi devices to relay the radio signal between the Phone Key and a car over a long distance.

The attack relies on two individuals: one standing next to the targeted car, and one standing next to the victim while they are at a distance from their vehicle. Each attacker has a Raspberry Pi and the two devices are connected to each other, creating a channel that enables the victim’s Phone Key to communicate with the car over a long distance.

A very similar Bluetooth-based attack against Tesla cars — one that involved the use of specialized hardware instead of Raspberry Pi computers — was presented recently by the NCC Group. The cybersecurity firm noted that the relay attack tool it developed can be used against any device communicating over BLE.

Related: Tesla Car Hacked Remotely From Drone via Zero-Click Exploit

Related: Researchers Show Tesla Model X Can Be Stolen in Minutes