Recently, a researcher showed how a simple key card feature introduced by Tesla last year could be abused to add an unauthorized key that allows an attacker to open and start a vehicle. The research was conducted by an Austria-based member of the Trifinite research group, which focuses on Bluetooth security: https://trifinite.org
The Trifinite Group, founded in August 2004, is a loosely coupled group of computer experts that researches wireless communications and related technology. The analysis targeted a change Tesla made to key card access in August 2021, which removed the requirement for users to place the key card on the central console after using it to open the vehicle.
The researcher found that when a Tesla is unlocked using the key card via NFC, there is a 130-second window during which an attacker within Bluetooth range of the targeted vehicle can add their own key, which they can later use to unlock and drive the car.
The attack abuses Tesla’s VCSEC protocol, which handles communications between the car, the phone app and the key fob. During such an attack, the infotainment system does not notify the victim in any way that a new key has been added. See Project TEMPA: https://trifinite.org/stuff/project_tempa/
The researcher reported that he tested the attack against the Tesla Model 3 and Model Y, but he believes it should also work against the newer Model S and Model X. An exploit targeting Tesla’s infotainment system earned researchers $75,000 at the recent Pwn2Own 2022 hacking competition. The Trifinite researcher also wanted to demonstrate his attack at Pwn2Own, but relay attacks were not accepted. In fact, he discovered the authorization timer attack vector in September 2021 but was saving it for Pwn2Own before finding out it was not in scope.
The researcher did not tell Tesla about his latest research before disclosing it because he believes the carmaker had to know about the issue. Later Tesla said they knew about the vulnerability from others who reported a very similar issue to the company months ago.
According to the researcher, Tesla recommends the use of the PIN2Drive feature, which requires users to enter a PIN before they can drive off, but last week he published a video showing that an attacker can bypass PIN2Drive. Tesla has not responded to a request for comment.
The Trifinite Group is developing TeslaKee, an upcoming mobile application that can allegedly protect Tesla vehicles against these types of relay attacks.
In May 2022, the group showed another method that could be used to steal a Tesla. The technique involved a Bluetooth relay attack where the attacker used two Raspberry Pi devices to relay the radio signal between the Phone Key and a car over a long distance. The attack relies on two individuals: one standing next to the targeted car, and one standing next to the victim while they are at a distance from their vehicle. Each attacker has a Raspberry Pi and the two devices are connected to each other, creating a channel that enables the victim’s Phone Key to communicate with the car over a long distance.
A very similar Bluetooth-based attack against Tesla cars, one that uses specialized hardware instead of Raspberry Pi computers, was presented recently by the NCC Group. The cybersecurity firm noted that the relay attack tool it developed can be used against any device communicating over BLE.[1]
With all this current and future technology, there are always cyber vulnerabilities that bad actors can and will exploit to conduct criminal activity.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.securityweek.com/researcher-shows-how-tesla-key-card-feature-can-be-abused-steal-cars