Thieves can break into Tesla Model Ys in SECONDS using relay attack
A security consulting firm has identified a sophisticated relay attack that lets just two thieves unlock a Tesla Model Y and start the engine in a matter of seconds.

The operation requires one individual to be near the Tesla owner with their smartphone to capture data from the Key Card, while the other waits by the target vehicle with a device designed to pick up data from their accomplice.

This attack, according to the consulting firm IOActive, exploits a flaw introduced by a software update Tesla released in 2021 that eliminates the need for owners to place the Key Card on the center console to change the vehicle’s gears.

After driving off with the stolen Tesla, the thief cannot turn the motor off without losing the ability to restart it, as the original Key Card is no longer nearby, but they could add a new card at some point, The Verge reports.

The victim parks his car, unaware that there are two thieves waiting to steal his vehicle

One of the thieves trails closely behind the Model Y owner to collect data from his Tesla Key Card

Prior to the software update, Tesla owners were required to sit in the driver’s seat and place their Key Card on the center console to start the engine and shift from park into drive.

But now that is not needed and thieves have found a way to exploit the flaw.

Two security consultants from IOActive published a white paper, detailing how the attack is carried out.

Tesla’s Key Card communicates with the vehicle using near-field communication (NFC), a protocol that allows communication between two electronic devices that are in close proximity.

And in the case of the Tesla, the devices are the Key Card and the NFC reader on the Model Y’s door.

‘To successfully carry out the attack, IOActive reverse-engineered the NFC protocol Tesla uses between the NFC card and the vehicle, and we then created custom firmware modifications that allowed a Proxmark RDV4.0 device to relay NFC communications over Bluetooth/Wi-Fi using the Proxmark’s BlueShark module,’ IOActive shared in the white paper.

The data from the Key Card is sent to the other attacker, who has a Proxmark device (pictured) that can pick up the data and emulate the card’s functions

A Proxmark RDV4.0 is a radio-frequency research tool that can read NFC cards; fitted with its BlueShark module, it carries the Key Card information over Bluetooth between the thieves.

It can also use the same radio interface to emulate the original card at the vehicle’s reader.

‘One attacker places the Proxmark device at the vehicle’s NFC reader and the other uses any NFC-capable device (such as a tablet, computer, or for the purposes of this example, a smartphone) close to either the victim’s Tesla NFC card or smartphone with the Tesla virtual key,’ according to the team.

And the Proxmark and the other attacker’s device communicate over Bluetooth.

The NFC-capable device gathers the Key Card information, which it then sends to the Proxmark device that ‘asks’ the NFC reader on the door to open.

The attacker at the targeted vehicle just holds the Proxmark to the car’s reader, which unlocks the door and allows the thief to start the car

The NFC reader sends a command back to the Key Card for approval, which is again intercepted and relayed by the attacker’s smartphone.

The smartphone then sends the Key Card’s response to the Proxmark, which passes it to the NFC reader, satisfying it that it can open the car door and let the individual start the engine.

The team notes in the paper that this is only possible if the attacker can get within four centimeters of the victim’s Key Card, which is possible ‘when the victim is distracted, like a crowded night club/disco,’ according to the paper.

The document also highlights ways Tesla can fix the issue in its software.

‘If the system can be more precise with its timing while waiting for a crypto response, it would make it much harder to exploit these issues over Bluetooth/Wi-Fi,’ it reads.
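To show why the timing fix works against the exchange described above, here is an added toy model (not Tesla’s protocol and not IOActive’s code): a reader issues a random challenge, the card answers with an HMAC, and the reader checks both the answer and how long it took to arrive. The shared secret, HMAC scheme and latency figures are assumptions; a relayed response carries extra wireless hop delay that a tight timing window rejects while a lax one accepts.

```python
import hashlib
import hmac
import os

# Constructed toy model of an NFC challenge-response unlock; the secret, the
# timings and the HMAC scheme are assumptions, not Tesla's real protocol.
SHARED_KEY = b"constructed-card-secret"
CARD_COMPUTE_S = 0.002       # assumed time a genuine card needs to answer
DIRECT_NFC_RTT_S = 0.003     # assumed round trip when the card touches the reader

class KeyCard:
    """Answers a random challenge with an HMAC over the shared secret."""
    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

def direct_channel(card: KeyCard):
    """Card held against the reader: only card compute plus NFC round trip."""
    def respond(challenge: bytes):
        return card.answer(challenge), CARD_COMPUTE_S + DIRECT_NFC_RTT_S
    return respond

def relayed_channel(card: KeyCard, hop_latency_s: float):
    """Same card, but challenge and answer each cross a wireless hop (simulated)."""
    def respond(challenge: bytes):
        return card.answer(challenge), CARD_COMPUTE_S + DIRECT_NFC_RTT_S + 2 * hop_latency_s
    return respond

class VehicleReader:
    """Verifies the crypto response and, crucially, how long it took to arrive."""
    def __init__(self, key: bytes, max_rtt_s: float):
        self.key = key
        self.max_rtt_s = max_rtt_s

    def try_unlock(self, respond) -> str:
        challenge = os.urandom(16)                     # fresh challenge per attempt
        response, rtt_s = respond(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "rejected: bad response"
        if rtt_s > self.max_rtt_s:                     # a relay cannot hide its added delay
            return "rejected: response too slow"
        return "unlocked"
```

With `max_rtt_s=1.0` the relayed answer is accepted; with `max_rtt_s=0.01` only a card physically at the reader passes.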

IOActive also shared that it contacted Tesla, which is ‘well aware of this issue in other Tesla models.’

‘Tesla claims that this security issue is mitigated with the “PIN to Drive” feature, which would still allow attackers to open and access the car, but would not allow them to drive it. However, this feature is optional, and Tesla owners who are not aware of these issues may not be using it,’ the paper concludes.