Note: This is related to Project TEMPA. Please follow this link for an overview!
The Tesla Key Drop attack works by impersonating a vehicle with a tool like temparary. Once the app on the owner's phone starts communicating with the emulated BLE interface of the impersonated car, the temparary tool requests an authorization from the phone. After receiving a VCSEC AuthorizationResponse from the smartphone, the temparary tool claims that the key used to sign the AuthorizationResponse is unknown to the vehicle. After the app attempts to verify this unexpected situation, the vehicle key in the smartphone app is deactivated and the smartphone disconnects from the vehicle.
Since the key in the smartphone is not deleted by this attack and is still valid for the real vehicle, a key recovery process is started the next time the owner wants to use the vehicle. This process requires a KeyCard tap, which also works on the NFC sensors in the B-pillar and in the center console. The key recovery process differs slightly from the key whitelisting process that would have been required if the key in the app had not already been known to the vehicle.
Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues.
Project TEMPA Slide Deck from Troopers22 (PDF)
Slides presented at Troopers22 on June 29th 2022 in Heidelberg.
Created: Jun 29, 2022
Author: Martin Herfurt