Security researchers unveiled another potential flaw in the technology used by auto manufacturer Tesla to unlock its cars that makes them vulnerable to theft. White hat hackers seem to love publicizing how thieves could get ahold of a Tesla, whether because of Tesla's cutting-edge reputation or because techies like driving electric vehicles. The latest example is from internet of things security company IOActive, which describes an attack involving two people, a customized RFID emulator and a 'mark,' who carries a Tesla near-field communication key card for a Model Y sedan.
IOActive says a modified Proxmark RDV4.0 device could be used to prod a Model Y into believing that the security testing device is a legitimate Tesla key card. The trick afterward is to answer the cryptographic challenge Tesla cars issue before unlocking themselves, which requires relaying the challenge through a second device, such as a smartphone, placed in close physical proximity to the key card. The smartphone can maintain a connection with the Proxmark via Bluetooth or Wi-Fi while it establishes contact with the key card via the NFC protocol to pass on the cryptographic challenge and receive the answer. Although most Tesla owners use their smartphones to unlock their cars, the manufacturer advises owners to carry key cards with them at all times in case of a stolen device or a dead battery.
In a video demonstrating the attack, one hacker armed with a Proxmark device stands next to the Tesla while a second attacker with a smartphone gets close to the victim. The second attacker must get very close: less than 2 inches away from the legitimate key card. The addition of a "specialized, high-power device" might widen the distance to slightly less than 2 feet. According to IOActive, the attack succeeds because Tesla is permissive about the time limit for receiving a response to the cryptographic challenge. The company could tighten the time limit, although that runs the risk of the car rejecting legitimate unlocking requests from a slow-moving phone. Car owners could defeat the attack by enabling a feature requiring them to enter a PIN before the vehicle can be driven.
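The trade-off between a tighter time limit and rejected legitimate requests, as an added example that is not code from IOActive or Tesla: a vehicle-side check that accepts a response only if it is cryptographically valid and arrives before a deadline. HMAC-SHA256, the function names and the round-trip times are assumptions made for illustration; the article does not describe the real scheme or its timings.

```python
import hashlib
import hmac
import os

# Constructed round-trip times in milliseconds (illustrative, not measured).
SAMPLES_MS = {
    "key card at the door": 30,
    "slow legitimate phone": 250,
    "relayed key card": 200,
}

def card_response(key: bytes, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the real challenge-response scheme.
    return hmac.new(key, challenge, hashlib.sha256).digest()

def vehicle_accepts(key: bytes, challenge: bytes, response: bytes,
                    elapsed_ms: int, limit_ms: int) -> bool:
    # A relayed answer is produced by the genuine card, so the cryptographic
    # check passes; only the deadline can distinguish it from a direct answer.
    valid = hmac.compare_digest(card_response(key, challenge), response)
    return valid and elapsed_ms <= limit_ms

def outcomes(limit_ms: int) -> dict:
    # Evaluate every constructed sample against one time limit.
    key, challenge = os.urandom(32), os.urandom(16)
    response = card_response(key, challenge)  # identical bytes, relayed or not
    return {who: vehicle_accepts(key, challenge, response, ms, limit_ms)
            for who, ms in SAMPLES_MS.items()}

def can_drive(unlocked: bool, pin_required: bool, pin_entered: bool) -> bool:
    # PIN-to-drive adds a factor the relay cannot supply: unlocking is not enough.
    return unlocked and (pin_entered or not pin_required)

if __name__ == "__main__":
    for limit in (1000, 220, 100):
        print(f"limit {limit:>4} ms -> {outcomes(limit)}")
    print("relay unlocks, PIN enabled, no PIN entered ->",
          can_drive(unlocked=True, pin_required=True, pin_entered=False))
```

With these constructed timings, tightening the limit locks out the slow legitimate phone before it stops the relay, which is why the PIN requirement is the more dependable control.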
Tesla did not respond to an Information Security Media Group request for information about the research. IOActive says Tesla has also been unresponsive to the company.
It's hard to know whether actual car thieves will use these attacks. The nonprofit Highway Loss Data Institute says that Tesla is among the least stolen car brands. (But that might be because Teslas "are usually parked in garages or close to a house to be near a power supply," the institute says.) Even if they are stolen, Teslas tend to be recovered. This is likely because of the GPS tracking embedded into them.