Note: This is related to Project TEMPA. Please follow this link for an overview!
The Tesla Authorization Replay attack uses a tool like temparary to extract VCSEC AuthorizationResponses from a whitelisted smartphone app. For AuthorizationRequests, which are mainly used for passive entry functions, the vehicle communicates a challenge token that the smartphone app has to answer with an AuthorizationResponse. That response is embedded in a VCSEC SignedMessage object whose SignatureType is SIGNATURE_TYPE_AES_GCM_TOKEN.
The attacker has to retrieve the current session token value in order to gather valid AuthorizationResponses. This information can easily be collected by an unauthenticated call to the vehicle’s VCSEC interface with a tool like tempara. This is possible because the session token that is used as the challenge for the VCSEC AuthorizationResponse does not change very often. In tests, the token did not change over the course of several days!
Once the attacker has gathered a sufficient number of valid AuthorizationResponses from the smartphone app, these can be replayed at a later time when the vehicle requests authorization. This also can be done with a tool like tempara, which is capable of acting as a VCSEC client for the vehicle’s BLE GATT service.
AuthorizationResponses can be used to open the car and to drive the car. PIN2Drive DOES offer protection against this attack!
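The weakness described above is a general property of challenge/response schemes: if the challenge stays constant, a valid response stays valid and can be reused. The following toy model is an added example, not Tesla's VCSEC protocol and not code from Project TEMPA. It assumes a vehicle that publishes a session token as its challenge, a paired phone that answers with a keyed tag over that token (HMAC-SHA256 stands in for the AES-GCM token signature named in the post), and a hypothetical `rotate_token` switch on the verifier. With the switch off, a captured response is accepted again later; with the switch on, the verifier issues a fresh token after each accepted response and the replay fails. The post itself names only PIN2Drive as protection; the rotating challenge here illustrates the textbook countermeasure rather than anything the vehicle is known to do.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed toy model of a challenge/response authorization flow (added
# example, not Tesla's VCSEC protocol and not code from Project TEMPA).
# HMAC-SHA256 stands in for the AES-GCM token signature the post names.
PAIRED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


@dataclass(frozen=True)
class AuthorizationResponse:
    token: bytes  # the challenge this response answers
    tag: bytes    # MAC over the token under the paired key


def compute_tag(key: bytes, token: bytes) -> bytes:
    return hmac.new(key, token, hashlib.sha256).digest()


def phone_respond(key: bytes, token: bytes) -> AuthorizationResponse:
    """Responder side: what the whitelisted app sends back for a challenge."""
    return AuthorizationResponse(token, compute_tag(key, token))


class Vehicle:
    """Verifier side.

    rotate_token=False reproduces the weakness the post describes: the
    session token used as the challenge stays the same, so any response
    captured while it is valid stays valid.  rotate_token=True (hypothetical
    hardening) issues a fresh token after every accepted response, so a
    captured response no longer matches the challenge when presented again.
    """

    def __init__(self, key: bytes, rotate_token: bool):
        self.key = key
        self.rotate_token = rotate_token
        self.token = secrets.token_bytes(16)

    def current_token(self) -> bytes:
        # Per the post, the challenge token is readable without authentication.
        return self.token

    def verify(self, resp: AuthorizationResponse) -> bool:
        # Constant-time checks: the response must answer *this* challenge
        # and carry a tag computed under the paired key.
        expected = compute_tag(self.key, self.token)
        ok = (hmac.compare_digest(resp.token, self.token)
              and hmac.compare_digest(resp.tag, expected))
        if ok and self.rotate_token:
            self.token = secrets.token_bytes(16)
        return ok


def replay_accepted(rotate_token: bool) -> bool:
    """Capture one legitimate response, then present the same bytes again."""
    vehicle = Vehicle(PAIRED_KEY, rotate_token)
    captured = phone_respond(PAIRED_KEY, vehicle.current_token())
    if not vehicle.verify(captured):
        raise RuntimeError("legitimate response should be accepted")
    return vehicle.verify(captured)


def forged_accepted(rotate_token: bool) -> bool:
    """A response built without the paired key must fail in both designs."""
    vehicle = Vehicle(PAIRED_KEY, rotate_token)
    wrong_key = bytes(16)  # constructed: not the paired key
    return vehicle.verify(phone_respond(wrong_key, vehicle.current_token()))


if __name__ == "__main__":
    print("static token, replay accepted:  ", replay_accepted(False))  # True
    print("rotating token, replay accepted:", replay_accepted(True))   # False
    print("forged response accepted:       ", forged_accepted(False))  # False
```

The model also shows why the static token matters more than the signature algorithm: the tag is a correct MAC in both variants, and a forgery without the paired key fails either way. What the rotating verifier changes is that a response is bound to a challenge that is consumed on use, so the same bytes cannot authorise twice.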
Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.
Project TEMPA Slide Deck from MCH2022 (PDF)
Slides presented at MCH2022 on July 25th 2022 in Zeewolde.
Created: Jul 25, 2022
Author: Martin Herfurt