A security consultancy has identified a relay attack that lets just two thieves unlock a Tesla Model Y and drive it away in a matter of seconds.
The operation requires one thief to get close to the Tesla owner with a smartphone that reads data from the owner’s Key Card, while the other waits by the target vehicle with a device built to receive that data from the accomplice.
According to the consultancy, IOActive, the attack exploits a change introduced by a software update Tesla released in 2021, which removed the need for owners to place the Key Card on the center console before shifting the vehicle into gear.
Once the thief drives off in the stolen Tesla, they cannot switch the car off and restart it, because they are no longer near the original Key Card, but they can enrol a new card at some point, The Verge reports.
The victim parks the car, unaware that two thieves are waiting to steal it. One of the thieves closely follows the owner to collect data from the Tesla Key Card
Before the update, Tesla owners had to sit in the driver’s seat and place their Key Card on the center console before the car would shift out of Park and drive.
That step is no longer required, and the researchers found a way to exploit the gap.
Two security consultants from IOActive published a white paper describing how the attack is performed.
Tesla’s Key Card uses Near Field Communication (NFC), a short-range protocol for communication between two electronic devices held close together.
In the Tesla’s case, those two devices are the Key Card and the NFC reader on the Model Y’s door.
“To successfully execute the attack, IOActive reverse engineered the NFC protocol Tesla uses between the NFC card and the vehicle, and then we made custom firmware adjustments that would allow a Proxmark RDV4.0 device to use NFC communication via Bluetooth/Wi-Fi using Proxmark’s BlueShark module,” IOActive shared in the white paper.
The Key Card’s data is sent to the other attacker, who has a Proxmark device (shown) that can receive the data and emulate the card’s functions
IOActive also said it has contacted Tesla, which is aware that the issue affects other Tesla models too. It’s not limited to the Model Y (pictured)
The Proxmark RDV4.0 is an RFID research tool that can read, sniff and emulate NFC cards; fitted with the BlueShark module it also gets a Bluetooth link, which is how the Key Card data travels between the two thieves.
In emulation mode it presents itself to the door’s reader as if it were the original Key Card.
“One attacker places the Proxmark device on the vehicle’s NFC reader and the other uses any NFC-enabled device (such as a tablet, computer or in this example a smartphone) near the Tesla NFC card from the victim or smartphone with the Tesla virtual key,” the team said.
The Proxmark and the other attacker’s device communicate over Bluetooth.
The Proxmark, held against the door, starts the exchange by presenting itself to the reader as a Key Card; the NFC-enabled smartphone at the victim’s end collects whatever the reader needs from the real card and passes it back over the link.
The attacker at the targeted vehicle simply holds the Proxmark against the car’s reader, which unlocks the door and allows the thief to drive away
The reader answers with a challenge that only the genuine Key Card can approve. The Proxmark forwards that challenge over Bluetooth to the accomplice’s smartphone, which presents it to the victim’s card.
The card’s response travels back the same way, and the Proxmark replays it to the reader, which accepts it, unlocks the door and lets the thief drive off.
The team notes in the paper that this is only possible if the attacker can get within roughly four centimeters of the victim’s Key Card, which the paper says is feasible “when the victim is distracted, such as a busy nightclub/disco.”
The document also highlights ways Tesla could fix the problem in software.
“If the system can be more accurate with its timing while waiting for a crypto response, it would be much harder to exploit these issues over Bluetooth/Wi-Fi,” it reads.
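The following is an added illustration, not code from the IOActive paper and not Tesla’s protocol. It models the relay exchange described above (reader challenge, forwarded over a slow link to the real card, response replayed to the reader) and the timing mitigation the paper suggests: the genuine card answers in a couple of milliseconds, the relayed answer arrives tens of milliseconds later because each hop crosses Bluetooth/Wi-Fi, and a reader that enforces a tight round-trip bound rejects it. The challenge-response is a stand-in HMAC scheme, the latency figures are constructed, and the clock is simulated so the result does not depend on the machine it runs on.

```python
"""Toy model of an NFC challenge-response relay and a round-trip-time check.

Added example: hypothetical protocol and constructed timings, not IOActive's
tooling and not the real Tesla Key Card exchange.
"""
import hashlib
import hmac
import os


class SimClock:
    """Deterministic clock in milliseconds, so timing is reproducible."""

    def __init__(self):
        self.ms = 0.0

    def now(self):
        return self.ms

    def advance(self, ms):
        self.ms += ms


class KeyCard:
    """Passive NFC card: answers a challenge with a keyed MAC over it."""

    PROCESSING_MS = 2.0  # constructed: time the card needs to compute a reply

    def __init__(self, key, clock):
        self.key = key
        self.clock = clock

    def respond(self, challenge):
        self.clock.advance(self.PROCESSING_MS)
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Relay:
    """Proxmark at the door plus a phone at the victim's card, joined by a
    Bluetooth/Wi-Fi link. Every crossing of that link costs link_ms."""

    def __init__(self, victim_card, clock, link_ms):
        self.victim_card = victim_card
        self.clock = clock
        self.link_ms = link_ms

    def respond(self, challenge):
        self.clock.advance(self.link_ms)            # challenge: Proxmark -> phone
        reply = self.victim_card.respond(challenge) # phone presents it to the real card
        self.clock.advance(self.link_ms)            # response: phone -> Proxmark
        return reply                                # Proxmark replays it to the reader


class DoorReader:
    """Reader on the door. With max_rtt_ms=None it only checks the MAC;
    with a bound it also rejects replies that took too long to arrive."""

    def __init__(self, key, clock, max_rtt_ms=None):
        self.key = key
        self.clock = clock
        self.max_rtt_ms = max_rtt_ms

    def authenticate(self, presented):
        challenge = os.urandom(16)
        started = self.clock.now()
        response = presented.respond(challenge)
        rtt_ms = self.clock.now() - started
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False, rtt_ms                    # wrong card or tampered reply
        if self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms:
            return False, rtt_ms                    # right answer, but too late
        return True, rtt_ms


def run_scenarios(link_ms=35.0, max_rtt_ms=10.0):
    """Run genuine and relayed presentations against a lenient and a strict reader.
    Returns {(reader, presenter): (accepted, round_trip_ms)}."""
    key = os.urandom(32)  # constructed shared secret between card and vehicle
    results = {}
    for reader_name, bound in (("lenient", None), ("strict", max_rtt_ms)):
        clock = SimClock()
        card = KeyCard(key, clock)
        reader = DoorReader(key, clock, bound)
        results[(reader_name, "genuine")] = reader.authenticate(card)
        results[(reader_name, "relayed")] = reader.authenticate(Relay(card, clock, link_ms))
    return results


if __name__ == "__main__":
    for (reader_name, presenter), (ok, rtt) in run_scenarios().items():
        print(f"{reader_name:8} reader, {presenter:8} card: "
              f"{'ACCEPT' if ok else 'REJECT':6} rtt={rtt:.1f} ms")
```

The strict reader is a timing heuristic, not a full distance-bounding protocol: it only helps if the bound is tighter than the relay’s added latency, which is exactly why the paper frames the fix as the vehicle being “more accurate with its timing while waiting for a crypto response.” A loose bound chosen for user convenience would let a fast relay through unchanged.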
IOActive added that it has contacted Tesla. “Tesla claims that this security issue will be addressed with the ‘PIN to Drive’ feature, which will still allow attackers to access and unlock the car, but not control it. However, this feature is optional and Tesla owners who are not aware of these issues may not use it,” the paper concluded.