Last year Tesla shipped a software update with a convenience feature that makes it easier to start the vehicle after the owner unlocks it with an NFC key card. A researcher has now found that this update can be abused to steal the vehicle. The NFC key card is one of three methods to unlock and operate Tesla vehicles, and it is exploitable.
The bug in the software update allows hackers to unlock the Tesla and even drive it away. Not long ago, we covered the Bluetooth proximity (BLE) hack technique that would let hackers unlock a Tesla. Researchers found a bug then, and now the same thing is happening again. Tesla disappoints yet again with its exploitable EV security system.
How Do Hackers Hack the Tesla NFC Card Key?
Think of a routine trip to the convenience store: you unlock your car, parked in your driveway, with an NFC card key and get in, with no idea that a hacker is nearby. The hacker or thief can access the card key using a malicious app within an authorization window of 130 seconds from the time the owner unlocks the car. So, basically, you would only be getting comfortable or ready to start your car while a hacker lists another card key on your Tesla's system.
The YouTube channel trifinite shows the whole process: a hacker authorizes a new NFC card key by exchanging security messages between a 2019 Tesla Model 3 and an app. The hacker's key ends up on the car's list of authorized keys and can then be used to unlock or steal the car. The vulnerability lets the hacker reach Tesla's security system just by being within connectivity range. The hack is possible both when the car is being locked and when it is being unlocked with the NFC key card.
The YouTuber demonstrates this with an app called Teslakee while a Tesla owner unlocks and gets into her car. The moment she unlocks the car, the hacker adds his own card key credentials to the system using the Teslakee app, within seconds of her getting in. The video shows that there is no authorization prompt for the new key and no notification pop-up on the in-car display. Later that day, the hacker uses the new key to get into the parked car and drives it away. The video is titled “Gone in under 130 Seconds”, and it shows just that in its 135-second duration.
Another YouTuber, Jeff Welder, posted a video showing how the remote key exploit works. The hacker can get into the Tesla using the same technique of authorizing a new key, and can bypass the PIN to put the car into drive mode.
How Can an Attacker Bypass the PIN?
Security researcher Martin Herfurt found the bug after noticing that the NFC card key behaved oddly when he unlocked the car with it. The bug allowed a Tesla not only to be unlocked but also to be started within 130 seconds of opening. The vulnerability does not end there: the hacker can also create new keys, and the system gives no indication or notification.
After the hack, Tesla vehicles accept entirely new NFC card keys, and the system does not ask for any authentication on the main console or in-car display. Herfurt saw that the Tesla would readily exchange security codes and messages over BLE with a device that is nearby or accessible.
How To Avoid Getting Your Tesla Hacked?
Tesla would definitely be aware of the possible vulnerability with the NFC key card exploit for its cars. Developers must be working on the bug, and there should be an OTA update to get rid of the problem soon. Until then, there are a few things you can do to keep your car safe. The following tips help protect your car from getting hacked:
- Always use your phone as your primary key to unlock the car until Tesla comes out with an OTA update to fix the problem.
- Use the PIN2Drive feature on Tesla cars as this would require you to enter your unique PIN to drive.
- Keep tabs on the whitelisted keys in the system so that you stay aware of which keys can access the car.
- Use the Tesla app or a web request through your Tesla account to unlock your car in case of lock-out.
- Try not to leave any valuables inside your Tesla for now.
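The enrollment behaviour described above and the whitelist check from the tips, as an added Python sketch (not code from Tesla, the researcher or this article). The class, method and key names are hypothetical and the timeline is constructed; `require_owner_confirmation=False` models the reported behaviour and `True` a hardened rule.

```python
# Simplified, hypothetical model of key enrollment; not Tesla firmware.
from dataclasses import dataclass, field
from typing import Optional

AUTH_WINDOW_S = 130  # window the article says opens after an NFC unlock


@dataclass
class KeyWhitelist:
    require_owner_confirmation: bool  # False models the reported behaviour
    keys: set = field(default_factory=lambda: {"owner-card"})
    window_opened_at: Optional[float] = None
    audit_log: list = field(default_factory=list)

    def nfc_unlock(self, key_id: str, now: float) -> bool:
        if key_id not in self.keys:
            return False
        self.window_opened_at = now  # a valid unlock starts the 130 s window
        return True

    def window_open(self, now: float) -> bool:
        return (self.window_opened_at is not None
                and 0 <= now - self.window_opened_at <= AUTH_WINDOW_S)

    def enroll_key(self, new_key: str, now: float,
                   owner_confirmed: bool = False) -> bool:
        """Handle a request to add a key to the whitelist."""
        allowed = self.window_open(now)
        if self.require_owner_confirmation:
            # Hardened rule: the window alone is never enough; the owner
            # must approve the new key (e.g. on the in-car display).
            allowed = allowed and owner_confirmed
        self.audit_log.append((now, new_key, "accepted" if allowed else "rejected"))
        if allowed:
            self.keys.add(new_key)
        return allowed


def unexpected_keys(whitelist: KeyWhitelist, baseline: set) -> set:
    """Owner-side check: keys on the car that the owner never added."""
    return whitelist.keys - baseline


def run_scenario(require_confirmation: bool) -> set:
    """Constructed timeline: owner unlocks at t=0, unknown key requested at t=45."""
    car = KeyWhitelist(require_owner_confirmation=require_confirmation)
    car.nfc_unlock("owner-card", now=0.0)
    car.enroll_key("unknown-key", now=45.0)  # no owner confirmation given
    return unexpected_keys(car, baseline={"owner-card"})
```

Comparing the whitelist against a baseline the owner recorded is what catches the silent enrollment in the first scenario; with confirmation required, the same request is rejected and logged.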
What To Expect In the Future?
Earlier, no other carmaker came close to Tesla's performance and tech in the EV sector. However, the scenario has changed considerably, as many big automakers with existing expertise in the automobile industry are coming out with their own EV models. To beat the competitors, Tesla needs to roll up its sleeves and step up its quality and features across its models. These software vulnerabilities keep popping up, which shows how difficult it is to maintain a safe environment, even for a company like Tesla.
No matter what explanation or excuses Tesla comes up with for this one, there is much that is still unexplained: how there are so many hacks available that actually work, and why Tesla is not the first to squash the claims. It will be interesting to see how fast Tesla comes up with a response for this one. Not to forget, the recent mass firing and the Twitter issue are already eating up much of Elon Musk’s time at Tesla. Be it a relay attack or the NFC key card one, there should be an OTA update coming soon!