Tesla Crypto Counter Confusion Attack

Jul 2022

2 mins read

Bluetooth Low Energy BLE Security Tesla VCSEC PhoneKey TEMPA Automotive PAAK Smartphone Crypto Counter Attack Confudion App

Bluetooth Low Energy BLE security Tesla VCSEC PhoneKey TEMPA automotive PAAK Smartphone Crypto Counter Attack Confudion app

Note: This is related to Project TEMPA. Please follow this link for an overview!

The Tesla Crypto Counter Confusion attack works by impersonating a vehicle with a tool like temparary. Once the app on the owner’s phone starts communicating to the emulated BLE interface of the impersonated car, the temparary tool will request an authorization from the phone. After receiving a VCSEC AuthorizationResponse from the smartphone, the temparary tool will claim, that the crypto counter value that was used for the AutorizationResponse was SMALLER_THAN_EXPECTED. The smartphone app will then ask the vehicle for the actual Session Information, which includes the actual crypto counter value and the challenge token that is going to be sent with future AuthorizationRequests.

This can be used to set a new counter value in the smartphone app, that will be used in the next communication to the real vehicle, which gladly accepts higher values than the current value. Setting this value to the highest possible UINT32 value of 4294967295 (for iOS) / 2147483647 (INT32 for Android) eventually breaks the crypto counter logic.

Since the key in the smartphone will not be deleted by this attack and the key, the key cannot be used for sending VCSEC SignedMessage objects anymore.

Combining this attack with the Tesla Key Drop Attack requires the owner to re-install the official smartphone application and generate a new key that then has to be whitelisted in the vehicle. The whitelisting of a new key from the same smartphone results in two different keys in the vehicle that are named equally. This situation seems to trigger a security mechanism that requires the user to tap the middle console in order to start the car. This condition persists until the second key with the same name has been deleted.

During this time, the constant need for tapping the middle console with the NFC KeyCard re-opens the possibility for attackers to enroll a new key. This way, the Authorization Timer Attack becomes possible again - even though the attack has been mitigated in Software Version 2022.20.5!

Status: Open

This attack was successfully tested on App Version 4.11.0 (on July 15th 2022)

People Involved

Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.

Downloads

Project TEMPA Slide Deck from MCH2022 (PDF)
Slides presented at MCH2022 on July 25th 2022 in Zeewolde.
Created: Jul 25, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://www.mch2022.org/

Download

Project TEMPA background Image (JPG)
This image was recorded by light stacking multiple long exposure images of a Tesla Model 3 with light traces of laser sword toys.
Created: May 18, 2021
License: CC-BY
Author: Martin Herfurt

Download