Josep Pi Rodriguez, a principal security consultant at IOActive, discovered the vulnerability. The technique is an NFC relay attack, and it requires two attackers working in tandem: one near the car, the other near the owner, who carries either an NFC keycard or a mobile phone with a virtual key.
Tesla has long taken pride in its cybersecurity, and its vehicle access system resists the usual methods of attacking lock systems. Rodriguez's relay attack, however, lets a thief unlock a Tesla Model Y and drive it away within a few seconds.
Tesla owners can unlock their cars by simply tapping the NFC keycard against the NFC reader embedded on the driver's side of the vehicle. Alternatively, they can use a virtual key on their mobile phone. The manual advises owners to carry the NFC keycard as a backup in case the phone's battery runs out or the phone is lost.
Rodriguez states that if the attackers can get within two inches of the keycard or of the phone holding the virtual key, they can steal a Model Y. The thief at the car holds a Proxmark RDV4.0 device to the NFC reader on the driver's side, and the car responds as it would to the owner's keycard.
During the attack, the Proxmark forwards the car's signal over WiFi or Bluetooth to the accomplice's phone, which is held near the owner's keycard. The keycard's response travels back the same way to the Proxmark and into the car, which then unlocks for the thief.
WiFi and Bluetooth limit how far apart the two thieves can be, but Rodriguez states that the Bluetooth range can be extended by relaying the signal through a Raspberry Pi. He also says the relay can be carried over the internet, allowing a great distance between the two attackers.
If the second accomplice needs time to get into range, the car keeps sending challenges until it receives a response, and the Proxmark can also tell the vehicle that it needs more time. Until last year, drivers who unlocked with an NFC card also had to place the card on the console between the seats before they could shift into gear and drive, but a software update has removed this step. For two minutes after the car is unlocked, the driver can operate it simply by stepping on the brake pedal.
The attack Rodriguez describes can be thwarted by the PIN to Drive feature, which requires the driver to enter a PIN before the car will move, but many owners do not enable it because they are unaware it exists. And even with the PIN enabled, thieves can still unlock the car and rob it of valuables.
Once the thieves switch the car off, they cannot restart it without the original NFC card, but if they enroll a new NFC card they can operate the car as they wish. That requires a second relay: with the first accomplice inside the car, the second must again get near the owner's keycard, which lets the attacker in the car authenticate and add a new card.
If the thieves do not want to drive the car away, they can strip it for parts, as has already happened in Europe. Rodriguez states that the problem he has identified is not easy for Tesla to eliminate.
He says, “To fix this issue is hard without changing the hardware of the car — in this case, the NFC reader and software in the vehicle.” He states that the company could nonetheless reduce the risk, for example by shortening the time within which the car's NFC reader accepts the card's response.
He added, “The communication between the first attacker and the second attacker takes only two seconds [right now], but that’s a lot of time.”
“If you have only half a second or less to do this, it would be hard.”
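To make the timing mitigation in the quotes above concrete, here is an added Python model (not Tesla's protocol and not Rodriguez's code) of a challenge-response reader that rejects any answer arriving after a round-trip bound. The shared key, the 10 ms direct-tap delay and all names are constructed; the two-second relay figure is the one quoted in the article.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable

# Constructed toy model of a car-side NFC reader talking to a keycard. The
# shared key, delays and names are hypothetical; this is not Tesla's protocol.
KEY = b"hypothetical-shared-key"

def card_respond(key: bytes, challenge: bytes) -> bytes:
    """Keycard side: prove key possession with an HMAC over the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

@dataclass
class Reader:
    """Car side. max_rtt is the longest challenge-to-response delay accepted."""
    key: bytes
    max_rtt: float

    def authenticate(self, responder: Callable[[bytes], bytes], channel_delay: float) -> bool:
        # Simulated clock in seconds so the run is deterministic; a real reader
        # would read a hardware timer before sending and after receiving.
        challenge = os.urandom(16)
        sent_at = 0.0
        response = responder(challenge)        # answer arrives over the channel
        received_at = sent_at + channel_delay
        if received_at - sent_at > self.max_rtt:
            return False                       # correct or not, it came too late
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

# Channel delays: a card held to the reader answers in milliseconds; an answer
# forwarded between two phones over a network takes far longer. The 10 ms
# figure is constructed; the two-second figure is the one quoted in the article.
DIRECT_TAP_DELAY = 0.010
RELAYED_DELAY = 2.0

def scenario(max_rtt: float) -> dict:
    """Which answers a reader with the given round-trip bound accepts."""
    reader = Reader(KEY, max_rtt)

    def genuine(challenge: bytes) -> bytes:
        return card_respond(KEY, challenge)

    def wrong_key(challenge: bytes) -> bytes:
        return card_respond(b"some-other-key", challenge)

    return {
        "direct_tap": reader.authenticate(genuine, DIRECT_TAP_DELAY),
        "relayed": reader.authenticate(genuine, RELAYED_DELAY),
        "wrong_key": reader.authenticate(wrong_key, DIRECT_TAP_DELAY),
    }

if __name__ == "__main__":
    print("loose bound (5 s)  :", scenario(max_rtt=5.0))
    print("tight bound (0.5 s):", scenario(max_rtt=0.5))
```

With a loose bound the relayed answer is cryptographically valid and is accepted; with a half-second bound the same valid answer is rejected purely because it arrived too late, which is the effect Rodriguez describes.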
Tesla did not take him seriously when he reported the issue. PIN to Drive requires a four-digit PIN to be entered on the car's touchscreen; the manual does not indicate whether the driver is locked out after repeated failed attempts. Tesla has not yet responded.
Researchers have previously found ways to unlock and steal Teslas. One attempted to unlock the car with an unauthorized virtual key, which required the attacker to be nearby while the owner opened the vehicle. Another used a key fob relay attack that intercepts and replays the communication between the key fob and the vehicle.
Rodriguez states, “Tesla takes security seriously, but because their cars are much more technological than other manufacturers, this makes their attack surface bigger and opens windows for attackers to find vulnerabilities.”
“That being said, Tesla vehicles have a good security level compared to other manufacturers that are even less technological.” He states that NFC attacks are possible against other vehicles, too, but those do not have the PIN to Drive mitigation.