Tesla BLE Relay Attack

Note: This is related to Project TEMPA. Please follow this link for an overview!

Besides relaying the 2.4 GHz radio signal between the PhoneKey and the Tesla vehicle, it is also possible to relay information at the protocol level using standard software such as gattacker.

The advantage of the protocol-based relay attack is that the distance between victim and vehicle is not limited by the physical constraints introduced by radio timeouts. It also allows the injection of crafted messages and the analysis of communicated messages.

The YouTube Video “The Tesla Parking Lot Job” showcases the Bluetooth Relay Attack (turn on subtitles for commentary).

Further information about this attack can be found in the slide set in the Downloads section.
An upcoming mitigation approach is the TeslaKee app, which will be available via TeslaKee.com.

Status: Open

  • This attack was successfully tested on Software 2022.12.3.2 (on May 31st 2022)
  • This attack was successfully tested on Software 2022.16.1.1 (on June 15th 2022)

People Involved

Downloads


Project TEMPA Slide Deck from CanSecWest22 (PDF)
Slides presented at CanSecWest22 on May 18th 2022 in Vancouver.
Created: May 18, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://www.secwest.net/


The Tesla Parking Lot Job Image (JPG)
This image is used as the YouTube thumbnail image for the video “The Tesla Parking Lot Job”.
Created: Mar 12, 2022
License: CC-BY
Author: Martin Herfurt
Link: https://youtu.be/eDbSzVTYqBY


Project TEMPA background Image (JPG)
This image was recorded by light stacking multiple long exposure images of a Tesla Model 3 with light traces of laser sword toys.
Created: May 18, 2021
License: CC-BY
Author: Martin Herfurt
