A computer security researcher has discovered a worrying flaw in the key card provided by Tesla to unlock the vehicle. Due to an update released by the manufacturer in 2021, this feature can be hijacked to steal a Tesla in just minutes.
As you may know, Tesla offers its users three different types of keys to lock/unlock and start their vehicle. Namely:
- the phone key, which lets you use the Tesla app as a remote key via Bluetooth
- the key card, which communicates with your Tesla via short-range radio-frequency identification (RFID) signals
- the key fob, which is an accessory sold separately
Regarding the key card, it is used to “authenticate” your phone keys, and it also allows you to add or remove other key cards, phone keys and key fobs. Until an update released in 2021, drivers had to place the key card on the center console while pressing the brake pedal to start the vehicle.
A small change to the key card with big consequences
But this is no longer the case. Now users can start driving immediately after unlocking the door of their vehicle with the key card. Computer security researcher Martin Herfurt recently noticed that this small change could have serious consequences.
In fact, once the key card has been held against the door card reader, the user has exactly two minutes to “authenticate” himself by keeping his foot pressed on the brake pedal. The problem: the expert realized that during this window it was possible to make the car accept new keys.
“This timer was introduced by Tesla to make it more convenient to use the NFC card as the main way to operate the car. The car must be able to be started and driven without the user having to use the key card a second time. The problem: in the 130-second period, not only is driving the car allowed, but also registering a new key,” he explains.
A thief can register his own Tesla key
Martin Herfurt noticed that his Model 3 was exchanging messages/signals with any nearby Bluetooth Low Energy (BLE) device. Knowing this, the researcher created a copy of the Tesla application that speaks the same message format, VCSec.
Via this malicious version of the app, Herfurt was able to send VCSec requests to the car to register a new key during the famous two-minute slot. When the victim enters his car after unlocking it with an NFC card, the thief can start exchanging messages between the fake app and the vehicle.
He can then register a key of his choice and then unlock, start or stop the car whenever he wants, without even the infotainment screen or the legitimate Tesla driver’s app indicating that anything is wrong.