Jun 2022
Note: This is related to Project TEMPA. Please follow this link for an overview!
After the vehicle has been unlocked via NFC, there is a window of approx. 130s during which Tesla allows a key to be stored on the vehicle, and a potential attacker can use this window as well. No warning or similar notification is displayed on the vehicle screen during this process.
This convenience feature was introduced in August 2021. Read more about this on driveteslacanada.ca.
Of course, Tesla’s own app ensures that only the owners can store a key for a vehicle. However, this process does not prevent an attacker who can track down the car via Bluetooth from depositing a key as well.
To deposit a key, the attacker needs a VCSEC client or an app that can handle the key protocol. As part of this research, a fully working VCSEC client has been implemented. A de-weaponized version of this app that also helps prevent Relay Attacks will be available via TeslaKee.com.
The YouTube Video “Gone in under 130 Seconds” showcases the Authorization Timer Attack (turn on subtitles for commentary).
Further information about this attack can be found in the slide set from REcon22 and later conferences in the Downloads Section.
Once an attacker has a valid key enrolled in the car, the attacker can bypass the PIN2Drive authorization dialogue by sending the VCSEC command “REMOTE_DRIVE”. See this video for a staged presentation: NOT a Numbers Game
PIN2Drive offers NO protection against this attack!
Project TEMPA Slide Deck from REcon22 (PDF): Slides presented at REcon22 on June 4th 2022 in Montréal. Created: Jun 04, 2022. License: CC-BY. Author: Martin Herfurt. Link: https://www.recon.cx/
Gone in under 130 Seconds Image (JPG): This image is used as the YouTube thumbnail image for the video “Gone in under 130 Seconds”. Created: May 31, 2022. License: CC-BY. Author: Martin Herfurt. Link: https://youtu.be/yfG4JS71eUY