Tesla Authorization Timer Attack

Note: This is related to Project TEMPA. Please follow this link for an overview!

After the vehicle has been unlocked with the NFC key card, it accepts the enrollment of a new key for a period of approximately 130 seconds without asking for any further authorization. During this window, no warning or notification of any kind is shown on the vehicle screen.

This convenience feature was introduced in August 2021. Read more about this on driveteslacanada.ca.

Tesla's own app, of course, only lets the owner enroll a key for a vehicle. The vehicle itself does not enforce this, however: an attacker who can locate the car via Bluetooth and speaks the key protocol is able to enroll a key during this window just as well.

To enroll a key, the attacker needs a VCSEC client or an app that can handle the key protocol. As part of this research, a fully working VCSEC client has been implemented. A de-weaponized version of this app, which also helps to prevent relay attacks, will be available via TeslaKee.com.

The YouTube Video “Gone in under 130 Seconds” showcases the Authorization Timer Attack (turn on subtitles for commentary).

Further information about this attack can be found in the slide set from REcon22 and later conferences in the Downloads section.

Important

Once an attacker has a valid key enrolled in the car, the attacker can bypass the PIN2Drive authorization dialogue by sending the VCSEC command “REMOTE_DRIVE”. See this video for a staged presentation: NOT a Numbers Game

PIN2Drive offers NO protection against this attack!

Status: Mitigated
  • This attack was successfully tested on Software 2022.12.3.2 (on May 31st 2022).
    Please watch the video for details: Gone in under 130 Seconds
  • This attack was successfully tested on Software 2022.16.1.1 (on June 16th 2022).
    The 130s timer no longer seems to whitelist keys. An attacker with the right software is still able to enroll a key at the moment the owner locks or unlocks the vehicle by tapping the NFC key card against the B-pillar NFC endpoint of the vehicle. In this scenario, a single key card tap authorizes multiple things: (un)locking the vehicle and whitelisting a new key. There is still no display notification that would inform the user about a newly enrolled key.
  • The original “Authorization Timer Attack” stopped working on Software 2022.20.5 (tested on July 16th 2022). Whitelisting/enrolling keys via a B-pillar tap is no longer possible. This mitigates the attack, but still leaves the possibility of enrolling keys when the NFC endpoint in the center console is tapped with the key card.
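The following Python model, added here as an illustration and not part of Project TEMPA's VCSEC client or of any Tesla firmware, captures the three enrollment policies observed above (a 130s timer after an NFC unlock, enrollment bound to the moment of a key card tap, and enrollment only via the center-console endpoint) and runs the attacker timings from the page against each. Policy names, the exact 130s value, the endpoint identifiers and the event timings are assumptions made for the example; the point it shows is that an authorization decision tied to a time window or to a tap that also authorizes unlocking is ambient authority that any nearby BLE client can ride on.

```python
"""Constructed model of the NFC-gated key-enrollment policies described above.

This is an illustration, not Tesla firmware or the TEMPA VCSEC client.
Policy names, the 130 s window, endpoint identifiers and timings are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

AUTH_WINDOW_S = 130.0  # approximate window reported on the page (assumed exact here)

# NFC endpoints of the vehicle (assumed identifiers)
B_PILLAR = "b_pillar"
CENTER_CONSOLE = "center_console"

# One policy per firmware behaviour reported on the page
POLICY_TIMER = "timer"          # 2022.12: NFC unlock opens a 130 s enrollment window
POLICY_TAP_BOUND = "tap_bound"  # 2022.16: enrollment only while a card tap is processed
POLICY_CONSOLE_ONLY = "console" # 2022.20: only a center-console tap authorizes enrollment


@dataclass
class Vehicle:
    policy: str
    whitelist: set = field(default_factory=lambda: {"owner-phone"})
    unlocked: bool = False
    auth_until: float = -1.0                 # end of timer window (POLICY_TIMER)
    tap_in_progress: Optional[str] = None    # endpoint of the tap being processed

    def tap(self, now: float, endpoint: str, ble_requests=()):
        """Owner taps the key card. BLE requests arriving while the tap is
        processed are handled in the same moment (the race the page describes).
        Returns the key ids that got enrolled during this tap."""
        self.tap_in_progress = endpoint
        self.unlocked = not self.unlocked
        if self.policy == POLICY_TIMER:
            self.auth_until = now + AUTH_WINDOW_S
        enrolled = [k for k in ble_requests if self.enroll(now, k)]
        self.tap_in_progress = None
        return enrolled

    def enroll(self, now: float, key_id: str) -> bool:
        """Whitelist request from an arbitrary BLE client; True if accepted."""
        if self.policy == POLICY_TIMER:
            ok = now <= self.auth_until
        elif self.policy == POLICY_TAP_BOUND:
            ok = self.tap_in_progress is not None
        elif self.policy == POLICY_CONSOLE_ONLY:
            ok = self.tap_in_progress == CENTER_CONSOLE
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if ok:
            self.whitelist.add(key_id)
        return ok

    def remote_drive(self, key_id: str) -> bool:
        """As reported on the page, REMOTE_DRIVE needs only a whitelisted key,
        so PIN2Drive does not stand in the way of an enrolled attacker key."""
        return key_id in self.whitelist


def attacker_scenarios(policy: str) -> dict:
    """Run the page's attacker timings against one policy."""
    v = Vehicle(policy)
    v.tap(0.0, B_PILLAR)                                  # owner unlocks at t=0
    result = {
        # attacker sends an enrollment 60 s after the owner's unlock
        "in_window": v.enroll(60.0, "attacker-1"),
        # attacker sends an enrollment after the timer would have expired
        "after_window": v.enroll(200.0, "attacker-2"),
        # attacker times the request to the owner's next B-pillar tap
        "during_b_pillar_tap": bool(v.tap(300.0, B_PILLAR, ["attacker-3"])),
        # attacker times the request to a center-console tap
        "during_console_tap": bool(v.tap(400.0, CENTER_CONSOLE, ["attacker-4"])),
    }
    result["pin2drive_bypassed"] = any(
        v.remote_drive(k) for k in ("attacker-1", "attacker-2", "attacker-3", "attacker-4")
    )
    return result


if __name__ == "__main__":
    for p in (POLICY_TIMER, POLICY_TAP_BOUND, POLICY_CONSOLE_ONLY):
        print(p, attacker_scenarios(p))
```

Running it shows the progression documented in the status list: under the timer policy any request inside the window succeeds, under the tap-bound policy only a request raced against the owner's tap succeeds, and under the console-only policy a B-pillar tap no longer helps the attacker while a center-console tap still does. In every case an enrolled attacker key passes the REMOTE_DRIVE check.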

People Involved

Downloads


Project TEMPA Slide Deck from REcon22 (PDF)
Slides presented at REcon22 on June 4th 2022 in Montréal.
Created: Jun 04, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://www.recon.cx/


Gone in under 130 Seconds Image (JPG)
This image is used as the YouTube thumbnail for the video “Gone in under 130 Seconds”.
Created: May 31, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://youtu.be/yfG4JS71eUY


Project TEMPA background Image (JPG)
This image was recorded by light stacking multiple long exposure images of a Tesla Model 3 with light traces of laser sword toys.
Created: May 18, 2021
License: CC-BY
Author: Martin Herfurt
