Last year, Tesla released an upgrade package that allows users to start the engine without putting the card on the console after using the NFC key card to open the door. A researcher has demonstrated that hackers can use this feature to easily steal a user’s electric car.
Australian security researcher Martin Herfurt was quick to point out the “weirdness” of the feature: not only does it allow the car to be started within 130 seconds of opening the door with an NFC card, but it also puts the car in a state where it will accept a new key, with no authentication of the user’s identity and no prompt on the onboard display.
In an interview, Herfurt said, “The purpose of Tesla’s introduction of this timer is to make it easier for users to control the car through the NFC card, and the user can drive without using the NFC card a second time. The problem is: within these 130 seconds, the user not only gets permission to drive but also gets permission to register a new key.”
The Tesla mobile app doesn’t allow new keys to be registered unless it’s linked to a user account, but Herfurt found that the car would still “happily” exchange information with nearby BLE (Bluetooth Low Energy) devices. Herfurt developed an app called Teslakee that showed hackers could easily register their own keys within those 130 seconds.
The only requirement for hackers to use Teslakee to secretly register their own keys is to be within BLE signal range of the Tesla electric vehicle during the 130 seconds after its door is opened. When the car owner uses the mobile app to open the car door, the hacker can force the car owner to use the NFC card by jamming the signal, and then register his own key.
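The design issue described above, a single timer that grants both the right to drive and the right to register a key, can be seen in a small model. This is an added illustration, not Tesla's or Herfurt's code; the class, its method names, and the hardened rule (the card presented again plus a confirmation on the display) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

WINDOW_S = 130  # window length reported in the article


@dataclass
class Vehicle:
    """Toy model (hypothetical) of the post-unlock window.

    separate_enroll_auth=False reproduces the reported behaviour: the window
    alone authorises key enrollment. True models a least-privilege design in
    which enrollment needs its own proof and is shown to the driver.
    """
    separate_enroll_auth: bool
    keys: set = field(default_factory=lambda: {"owner-nfc-card"})
    unlocked_at: Optional[float] = None
    display_log: list = field(default_factory=list)

    def nfc_unlock(self, card: str, now: float) -> bool:
        if card not in self.keys:
            return False
        self.unlocked_at = now  # starts the 130-second window
        return True

    def _window_open(self, now: float) -> bool:
        return (self.unlocked_at is not None
                and 0 <= now - self.unlocked_at <= WINDOW_S)

    def start_drive(self, now: float) -> bool:
        # Convenience the timer was meant to provide: no second card tap.
        return self._window_open(now)

    def enroll_key(self, new_key: str, now: float,
                   presented_card: Optional[str] = None,
                   confirmed_on_display: bool = False) -> bool:
        if not self._window_open(now):
            return False
        if self.separate_enroll_auth:
            # Enrollment is a separate privilege: require an existing key
            # and an explicit confirmation, and surface refusals.
            if presented_card not in self.keys or not confirmed_on_display:
                self.display_log.append(f"refused enrollment: {new_key}")
                return False
        self.keys.add(new_key)
        if self.separate_enroll_auth:
            self.display_log.append(f"new key enrolled: {new_key}")
        return True
```

In the hardened variant the drive convenience is unchanged; only the enrollment path gains its own check and a visible record.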