This Tesla Hack Unlocks A Model Y
We may just have a bit of unsettling news if you happen to own a Tesla Model Y. In a recent white paper by IOActive security consultant Josep Pi Rodriguez titled "NFC Relay Attack On Tesla Model Y," the researchers discovered a new attack that enables a thief (or thieves, we'll get to that later) to unlock and steal a Model Y electric car.
This latest vulnerability comes after a software update eliminates the need for Tesla owners to place their NFC key card in the console between the front seats to shift into D and drive off. The update has enabled owners to drive the car by engaging the brake pedal within two minutes after unlocking the vehicle. But according to a report by Ars Technica, the update came with a flaw: The car could accept new keys within two minutes after unlocking, and the new keys could unlock and start the vehicle without requiring further authentication.
It takes two to tango
The latest Tesla relay attack is a two-person operation. There are three ways to unlock and start a Tesla: Using the key fob, your smartphone, or the standard NFC key card. The latter requires owners to place or tap the NFC card near the embedded NFC reader in the driver's side B-pillar. Tesla recommends always carrying the keycard for backup if your smartphone gets lost, stolen, or runs out of juice. With that in mind, IOActive and Rodriguez reverse-engineered Tesla's NFC protocol to discover a potential weak point in the Model Y's security.
The hack involves a person near the car and an accomplice positioned near the owner's NFC card or Tesla key-enabled smartphone. The hacker near your Model Y uses a Proxmark RDV4.0 RFID tool and places it near the NFC reader in the side pillar. The vehicle responds and transmits a "challenge" that the key card needs to "answer." In this case, the Proxmark tool sends the challenge using Bluetooth or Wi-Fi to a smartphone or tablet held by the second hacker lurking near your table at a restaurant or while jogging in the park.
The idea is for the accomplice's smartphone to pick up the keycard's response and send it back to the Proxmark tool, and voilĂ ! The thief could unlock the car and drive off.
Never too far away
Yes, the hack involves Bluetooth or Wi-Fi communication between the two thieves to succeed, severely limiting the distance between them for the hack to work. Then again, Rodriguez adds that the NFC attack is possible even if the two thieves are far from each other using Wi-Fi and a Raspberry Pi or similar device. Moreover, IOActive believes the hack is also possible using the internet, which means the second thief could be in Dallas with the owner while the first thief waits in a Houston parking lot.
But then again, it's not all peaches and cream for the thieves, either. After stealing the car and shutting off the motor, they won't be able to restart the vehicle using the original NFC key card (per The Verge). However, the thieves can add a new NFC card after a second relay attack to add the new key and continue using the vehicle, or they could "chop" and disassemble the car and sell it for parts.
Prevention is the best cure
Luckily, there's a silver lining amongst these clouds of NFC relay attacks. The Verge adds that Rodriguez contacted Tesla to relay the new vulnerability, but the American EV maker said their PIN-to-Drive feature would prevent such an attack. Tesla's PIN-to-Drive requires the driver to enter a four-digit verification code on the touchscreen before driving the car. Not many Tesla Model Y owners are aware of this feature, but it's high time to activate it to mitigate potential NFC-related attacks.
You can activate PIN-to-Drive in your Tesla by opening Controls, Safety & Security, then PIN to Drive. The system will prompt you to create a four-digit verification code that you need to enter manually after unlocking the vehicle. This feature could prevent future theft, but remember that thieves could still unlock and open the doors to steal valuables inside your Tesla.
Rodriguez concludes that Tesla is not the only manufacturer susceptible to this newest NFC relay attack. New or used vehicles equipped with digital car keys are at risk. And until carmakers implement a PIN-to-Drive feature in their latest offerings, a keyfob relay attack remains a definite possibility.