In the years since that fateful day in 2015, many researchers have made their names with vehicle hacks. The impact ranges from the mundane to the critical: disabling the A/C is a very different matter from interfering with the engine or the braking system.
Any vehicle system has vulnerabilities; the researcher just has to find them. One manufacturer repeatedly targeted over roughly the last three years has been Tesla. Some of the vulnerabilities found have required physical access and others have not. In this instance the finder was not a cybersecurity researcher, as is usually the case, but a Canadian software developer from Quebec, Shankar Gomare. While working on his “Voice for Tesla” iOS app in early 2021, he noticed a significant weakness in Tesla’s Bluetooth phone key. The app works much like Amazon’s Alexa, providing reminders by voice; the difference is that it does not require a specific wake word or phrase, as Alexa does.
While developing the application, he noted that the vehicle uses two different forms of Bluetooth. Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) is generally used for streaming music. Bluetooth Low Energy (BLE) is what the phone key uses: it is a convenience feature that lets the keyholder unlock the vehicle simply by approaching it with the paired mobile device (e.g., phone).
As you might expect, the exploit involves Bluetooth. Before executing the unlock, the vehicle selects the strongest Bluetooth signal among the devices within its range; normally that is the owner’s mobile device. Here is the issue: the researcher noted that the BLE connection to the vehicle did not require authentication. An attacker could therefore connect to the vehicle in place of the phone key and, by pulling on the door handle, force the vehicle to request the key from the owner’s actual mobile device, which unlocks the car. In this way any Tesla could be unlocked by acting as the phone key.
For this to work, the owner’s actual mobile device would still need to be within BLE range, 200m-400m. That makes the attack risky if the owner is walking to the vehicle at the end of the day and can see the attacker; it works much better against a Tesla parked in the driveway in the evening, with the owner’s phone still in range indoors. Yes, this was patched with an over-the-air (OTA) update.
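As an added illustration, not code from the original post or from Tesla, the following Python model contrasts the unlock flow as described above (strongest-signal link, no authentication of the connection, handle pull triggering a key request that any paired phone in range can satisfy) with a version that binds the unlock to an authenticated session on the connection that triggered it. It also reproduces the range caveat: with the owner’s phone out of range the attack fails. The device names, RSSI values, shared secret and HMAC challenge-response are constructed assumptions of this model, not details of the real protocol.

```python
"""Toy model of the phone-key unlock flow described in the post.

Constructed for illustration; not Tesla's code or protocol. It contrasts an
unlock triggered over an unauthenticated BLE link (and satisfied by any paired
phone that happens to be in radio range) with one bound to an authenticated
session on the link that triggered it.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def tag(secret: bytes, challenge: bytes) -> bytes:
    """Challenge-response tag; HMAC-SHA256 is an assumption of this model."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


@dataclass
class Device:
    """A BLE device in the car's radio range (hypothetical fields)."""
    name: str
    rssi: int                        # dBm, higher means a stronger signal
    key_id: Optional[str] = None     # set only for a paired phone key
    secret: Optional[bytes] = None   # shared secret established at pairing

    def respond(self, challenge: bytes) -> Optional[bytes]:
        """A paired phone answers a key challenge; any other device cannot."""
        if self.secret is None:
            return None
        return tag(self.secret, challenge)


class Vehicle:
    def __init__(self, paired: Dict[str, bytes]):
        self.paired = paired           # key_id -> shared secret
        self.log: List[str] = []

    def select_strongest(self, nearby: List[Device]) -> Device:
        """The car takes the strongest signal in range as its phone-key link."""
        return max(nearby, key=lambda d: d.rssi)

    def valid(self, key_id: Optional[str], challenge: bytes,
              response: Optional[bytes]) -> bool:
        secret = self.paired.get(key_id) if key_id else None
        if secret is None or response is None:
            return False
        return hmac.compare_digest(tag(secret, challenge), response)

    def unlock_vulnerable(self, nearby: List[Device], handle_pulled: bool) -> bool:
        # Flaw 1: the link goes to the strongest device without authenticating
        # it, so an attacker at the door becomes "the phone key".
        link = self.select_strongest(nearby)
        self.log.append(f"link: {link.name} (unauthenticated)")
        if not handle_pulled:
            return False
        # Flaw 2: pulling the handle makes the car request the key from any
        # paired phone in range, not from the device that opened the link.
        challenge = secrets.token_bytes(16)
        for dev in nearby:
            if self.valid(dev.key_id, challenge, dev.respond(challenge)):
                self.log.append(f"unlocked: key from {dev.name}, trigger from {link.name}")
                return True
        return False

    def unlock_hardened(self, nearby: List[Device], handle_pulled: bool) -> bool:
        link = self.select_strongest(nearby)
        # Fix: authenticate the link itself before honouring any command, and
        # accept the key only from the device on that link.
        challenge = secrets.token_bytes(16)
        if not self.valid(link.key_id, challenge, link.respond(challenge)):
            self.log.append(f"rejected: {link.name} could not authenticate")
            return False
        if not handle_pulled:
            return False
        self.log.append(f"unlocked: authenticated session with {link.name}")
        return True


# Constructed scenario: the car sits in the driveway, the owner's phone is
# indoors within BLE range but weaker than the attacker's device at the door.
OWNER_SECRET = bytes.fromhex("6f776e65722d73656372657400000000")


def scenario(hardened: bool, owner_in_range: bool = True) -> bool:
    car = Vehicle({"owner-phone": OWNER_SECRET})
    nearby = [Device("attacker at door handle", rssi=-40)]
    if owner_in_range:
        nearby.append(Device("owner phone indoors", rssi=-85,
                             key_id="owner-phone", secret=OWNER_SECRET))
    unlock = car.unlock_hardened if hardened else car.unlock_vulnerable
    return unlock(nearby, handle_pulled=True)


def owner_alone(hardened: bool) -> bool:
    """The legitimate case: only the owner's phone is near the car."""
    car = Vehicle({"owner-phone": OWNER_SECRET})
    owner = Device("owner phone at door", rssi=-45,
                   key_id="owner-phone", secret=OWNER_SECRET)
    unlock = car.unlock_hardened if hardened else car.unlock_vulnerable
    return unlock([owner], handle_pulled=True)


if __name__ == "__main__":
    print("vulnerable, owner in range:", scenario(False))       # True
    print("vulnerable, owner away:", scenario(False, False))   # False
    print("hardened, owner in range:", scenario(True))         # False
    print("hardened, owner alone:", owner_alone(True))         # True
```

The point of the hardened variant is not the HMAC itself but where it is applied: the car proves it is talking to a paired phone on the very connection that will carry the unlock, rather than trusting whichever device has the strongest signal and then looking for a valid key anywhere in radio range.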
This is another example of why legitimate cybersecurity researchers should be allowed to do their work. The researcher conducted himself appropriately and worked with Tesla on a responsible disclosure. Consider what could have happened had a bad actor found this method first and gone another route.