An Austrian security researcher demonstrates how the Model 3 and Y can be stolen without much effort.
The Austrian security researcher Martin Herfurt has discovered a vulnerability in Tesla vehicles. It allows an additional digital key to be stored in the electric car, which can later be used to unlock the car and drive away with it.
Smartphone as a key, key fob and NFC card
There are 3 ways to unlock Tesla electric cars. The most convenient is the smartphone: the car recognizes the nearby smartphone via Bluetooth and unlocks the doors. Tesla also sells an optional key fob that is used like a radio key. The third method is an NFC card; 2 of them come with every Tesla. The card is also needed to set up the smartphone as a key for the first time using the Tesla app.
After the owner uses the NFC card to unlock a Tesla, the car accepts Bluetooth LE connections for 130 seconds. During this time, the official Tesla app can communicate with the vehicle to turn the smartphone into a car key. The Tesla app does perform an online check to authenticate the owner, but that check is not part of the connection between phone and car.
Custom app creates keys for the Tesla
According to Herfurt, any key can be sent to the Tesla within these 130 seconds, as long as it is done using Tesla's own VCSEC protocol. He built an "evil" version of his own app, "TeslaKee".
Once the NFC card has been used to unlock or lock the Tesla, an attacker only has to be within Bluetooth range of the electric car with a smartphone. The app then gives the Tesla the attacker's own key. None of this is noticeable inside the Tesla: there is no on-screen notification, nor is there a security check to establish a secure connection.
Once the Tesla is parked and the driver has left, the attacker can simply use the TeslaKee app to unlock the car, get in and drive off. According to Herfurt, the owner can be induced to use the NFC card, for example with a Bluetooth jammer: because the car then does not react to unlocking via smartphone, the owner takes out the NFC card. Incidentally, Tesla recommends always carrying the NFC card, even if you use the phone as a key, in case the phone's battery is empty or the phone has been stolen.
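The enrolment window described in this section can be modelled in a few lines. This is an added example, not Tesla's code or Herfurt's app: only the 130-second figure comes from the article, while the class, the key names and the `confirm_required` hardening switch are hypothetical and the timeline is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

WINDOW_SECONDS = 130  # enrolment window after an NFC tap, as stated in the article


@dataclass
class Vehicle:
    """Toy model, not Tesla code. `confirm_required` is a hypothetical hardening."""
    confirm_required: bool = False
    last_tap: float | None = None
    whitelist: set[str] = field(default_factory=set)
    pending: set[str] = field(default_factory=set)
    screen: list[str] = field(default_factory=list)  # what the owner gets to see

    def nfc_tap(self, now: float) -> None:
        self.last_tap = now

    def enrol_request(self, key_id: str, now: float) -> str:
        if self.last_tap is None or not 0 <= now - self.last_tap <= WINDOW_SECONDS:
            return "rejected"            # no recent card tap: window closed
        if not self.confirm_required:
            self.whitelist.add(key_id)   # behaviour described above: silent, any sender
            return "enrolled"
        self.pending.add(key_id)         # hardened: park the key and tell the owner
        self.screen.append(f"New key '{key_id}' requests access - confirm?")
        return "pending"

    def owner_confirms(self, key_id: str) -> None:
        if key_id in self.pending:
            self.pending.remove(key_id)
            self.whitelist.add(key_id)


def scenario(confirm_required: bool):
    """Constructed timeline: one NFC tap, then three enrolment requests over BLE."""
    car = Vehicle(confirm_required=confirm_required)
    car.nfc_tap(now=0)
    results = [
        car.enrol_request("owner-phone", now=20),
        car.enrol_request("bystander-phone", now=45),   # second device in BLE range
        car.enrol_request("late-phone", now=131),       # window has closed
    ]
    car.owner_confirms("owner-phone")                   # owner approves only their own
    return results, sorted(car.whitelist), len(car.screen)


if __name__ == "__main__":
    print("as described:", scenario(False), "hardened:", scenario(True))
```

In the model of the described behaviour both phones end up on the whitelist and nothing reaches the screen; with the hypothetical confirmation step only the key the owner approved is stored, and both requests were shown to the owner.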
Danger at the workshop and with valet parking
Another scenario for this attack is when the NFC card is handed over to someone else for a short time. This could be the case, for example, when you take the car to the workshop or drop it off at a hotel or with valet parking. An attacker could smuggle their own key into the Tesla with such an app and steal the car days or weeks later when a good opportunity arises.
According to Heise, Herfurt tested the vulnerability with a Model 3 and a Model Y because they support the smartphone key function. He suspects that newer versions of the Model S and X are also susceptible because they also support the smartphone as a key, but he has not been able to test this yet. According to him, he has reported the problem to Tesla but has not yet received a response.