Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


IoT Security

Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars

A researcher has shown how a key card feature introduced by Tesla last year could be abused to add an unauthorized key that allows an attacker to open and start a vehicle.

The research was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which focuses on Bluetooth security.

A researcher has shown how a key card feature introduced by Tesla last year could be abused to add an unauthorized key that allows an attacker to open and start a vehicle.

The research was conducted by Martin Herfurt, an Austria-based member of the Trifinite research group, which focuses on Bluetooth security.

Herfurt’s analysis targeted a change made by Tesla in August 2021 to key card access, removing the requirement for users to place the key card on the central console after using it to open the vehicle.

The researcher found that when a Tesla is unlocked using the key card via NFC, there is a 130-second window when an attacker who is within Bluetooth range of the targeted vehicle can add their own key, which they can later use to unlock and drive the car.

The attack involves abusing Tesla’s VCSEC protocol, which handles communications between the car, the phone app and the key fob. During such an attack, the infotainment system does not notify the victim in any way that a new key has been added.

Herfurt has made a video to show how this “authorization timer attack” works:

Advertisement. Scroll to continue reading.

The researcher told SecurityWeek that he tested the attack against Tesla Model 3 and Model Y, but he believes it should also work against the newer Model S and Model X.

An exploit targeting Tesla’s infotainment system earned researchers $75,000 at the recent Pwn2Own 2022 hacking competition. Herfurt also wanted to demonstrate his attack at Pwn2Own, but relay attacks were not accepted. In fact, he said he discovered the authorization timer attack vector in September 2021, but was saving it for Pwn2Own before finding out it was not in scope.

The researcher said he did not tell Tesla about his latest research before disclosing it because he believed the carmaker had to know about the issue. Following his disclosure, he got confirmation that Tesla knew about the vulnerability from others who reported a very similar issue to the company months ago.

According to the researcher, Tesla recommends the use of the PIN2Drive feature, which requires users to enter a PIN before they can drive off, but last week he published a video showing that an attacker can bypass PIN2Drive.

Tesla has not responded to a request for comment.

Herfurt is developing TeslaKee, an upcoming mobile application that can allegedly protect Tesla vehicles against these types of relay attacks.

In May, Herfurt showed another method that could be used to steal a Tesla. The technique involved a Bluetooth relay attack where the attacker used two Raspberry Pi devices to relay the radio signal between the Phone Key and a car over a long distance.

The attack relies on two individuals: one standing next to the targeted car, and one standing next to the victim while they are at a distance from their vehicle. Each attacker has a Raspberry Pi and the two devices are connected to each other, creating a channel that enables the victim’s Phone Key to communicate with the car over a long distance.

A very similar Bluetooth-based attack against Tesla cars — one that involved the use of specialized hardware instead of Raspberry Pi computers — was presented recently by the NCC Group. The cybersecurity firm noted that the relay attack tool it developed can be used against any device communicating over BLE.

Related: Tesla Car Hacked Remotely From Drone via Zero-Click Exploit

Related: Researchers Show Tesla Model X Can Be Stolen in Minutes

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...