Tesla Authorization Extraction/Replay Attack

Note: This is related to Project TEMPA. Please follow this link for an overview!

The Tesla Authorization Replay attack is using a tool like temparary in order to extract VCSEC AuthorizationResponses from a whitelisted smartphone app. For AuthorizationRequests - that are mainly used for passive entry functions - the vehicle communicates a challenge token, that the smartphone app has to answer with an AuthorizationResponse which is embedded in a VCSEC SignedMessage object that has a SIGNATURE_TYPE_AES_GCM_TOKEN SignatureType.

The attacker has to retrieve the session current token value in order to gather valid AutorizationResponses. This information can be easily collected by an unauthenticated call to the vehicle’s VCSEC interface with a tool like tempara. This is possible, because the Session token that is used as a challenge for the VCSEC AuthorizationResponse does not change very often. In tests, the token did not change over the course of several days!

Once the attacker gathered a sufficient amount of valid AuthorizationRequests from the smartphone app, these codes can be dispensed at a later time when the vehicle requests Autorization. This also can be done with a tool like tempara, which is capable of acting as a VCSEC client for the vehicle’s BLE GATT service.

AuthorizationResponses can be used to open the car and drive the car. PIN2Drive DOES offer protection against this attack!

People Involved