Tesla Authorization Timer Attack

Note: This is related to Project TEMPA. Please follow this link for an overview!

After unlocking the vehicle via NFC, Tesla allows potential attackers to store a key on the vehicle for a period of approx. 130s. No warning or similar will be displayed on the vehicle screen during this process.

This convenience feature was introduced in August 2021. Read more about this on driveteslacanada.ca_

Of course, Tesla’s own app ensures that only the owners can store a key for a vehicle. However, this process does not prevent an attacker who can track down the car via Bluetooth from not also being able to deposit a key.

To deposit a key, the attacker needs a VCSEC client or an app that can handle the key protocol. As part of this research, a fully working VCSEC client has been implemented. A de-weaponized version of this app that also helps preventing Relay Attacks will be available via TeslaKee.com

The YouTube Video “Gone in under 130 Seconds” showcases the Authorization Timer Attack (turn on subtitles for commentary).

Further information about this attack can be found in the slide set from REcon22 and later conferences in the Downloads Section

Status: Open
  • This attack was successfully tested on Software 2022.12.3.2 (on May 31st 2022)
    Please watch the video for details: Gone in under 130 Seconds
  • This attack was successfully tested on Software 2022.16.1.1 (on June 16th 2022)
    It seems that the 130s timer does not to work to whitelist keys anymore. An attacker with the right software is still able to enroll a key in the moment, where the owner locks and unlocks the vehicle via NFC-KeyCard by tapping the B-pillar NFC endpoint of the vehicle. In this scenario, the KeyCard tap is authorizing multiple things: (Un-)locking the vehicle and whitelisting a new key. Also, there is still no display notification about a newly enrolled key that is shown to the user.

People Involved

Downloads


Project TEMPA Slide Deck from REcon22 (PDF)
Slides presented at REcon22 on June 4th 2022 in Montréal.
Created: Jun 04, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://www.recon.cx/


Gone in under 130 Seconds Image (JPG)
This image is used as a YouTube thumbnail image for thie Video “Gone in under 130 Seconds”
Created: May 31, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://youtu.be/yfG4JS71eUY


Project TEMPA background Image (JPG)
This image was recorded by light stacking multiple long exposure images of a Tesla Model 3 with light traces of laser sword toys.
Created: May 18, 2021
License: CC-BY
Author: Martin Herfurt

Sharing is caring!