Tesla Key Drop Attack

Note: This is related to Project TEMPA. Please follow this link for an overview!

The Tesla Key Drop attack works by impersonating a vehicle with a tool like temparary. Once the app on the owner’s phone starts communicating to the emulated BLE interface of the impersonated car, the temparary tool will request an authorization from the phone. After receiving a VCSEC AuthorizationResponse from the smartphone, the temparary tool will claim, that the key that was used to sign the AutorizationResponse was unknown to the vehicle. After an attempt by the app to verify this strange situation, the vehicle key in the smartphone app will be deactivated and the smartphone disconnects from the vehicle.

Since the key in the smartphone will not be deleted by this attack and the key is still valid for the real vehicle, the next time the owner wants to use the vehicle a key recovery process is started. This process requires a KeyCard tap that also works on the NFC sensors in the B-Pillar and in the middle console. The key recovery process differs a little bit from the key whitelisting process that would have been required if the key in the app was not already known by the vehicle.

Status: Open
  • This attack was successfully tested on App Version 4.11.0 (on July 15th 2022)

People Involved


Project TEMPA Slide Deck from Troopers22 (PDF)
Slides presented at Troopers22 on June 29th 2022 in Heidelberg.
Created: Jun 29, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://www.troopers.de/

Project TEMPA background Image (JPG)
This image was recorded by light stacking multiple long exposure images of a Tesla Model 3 with light traces of laser sword toys.
Created: May 18, 2021
License: CC-BY
Author: Martin Herfurt

Sharing is caring!