In a recent blog post, researchers from the NCC Group have demonstrated how the electronic keys of the Tesla Model 3 and Y could be hacked remotely. This flaw could allow hackers to unlock your vehicle.
NCC Group researchers have developed software capable of unlocking a Tesla
According to cybersecurity researchers, the vulnerability lies in Bluetooth Low Energy (BLE), the technology used by Tesla’s electronic unlocking system. This allows owners unlock their vehicle using Bluetooth. These devices are normally designed to protect against a range of attacks. However, researchers from the NCC Group, whose offices are based in the United Kingdom, claim to have developed a tool to carry out a new type of attack, which bypasses existing protection measures.
Apple must pay PanOptis $300 million for patent infringement
One of the researchers, Sultan Qasim Khan, senior security consultant at NCC Group, said he tested this system against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent but older version of the Tesla app. The Iphone was placed 25 meters from the vehicle. The experiment was also successful on a 2021 Tesla Model Y, which also uses the technology “phone-as-a-key”. Tesla’s example is far from isolated. All vehicles using this technology are affected.
Many products that use Bluetooth are vulnerable
The researchers explain that they can “convince a Bluetooth receiver that we are close to it, even hundreds of kilometers away. All this takes only 10 seconds and these feats can be repeated endlessly”. They specify that many products are actually vulnerable such as vehicles with electronic unlocking, laptops with Bluetooth unlocking, smartphones, smart locks, building access control systems, or even medical patient monitoring…
In an attempt to minimize the risks, they provide some interesting leads. It is particularly useful to disable passive unlock feature and Bluetooth on mobile devices. Manufacturers also have a role to play: they can reduce the risk by disabling the proximity key functionality when the smartphone has been standing still for a certain period of time. Researchers are also encouraging Tesla owners to use function “PIN-to-Drive”which requires entering a four-digit code before the vehicle can be started.