As the driver enters the car after unlocking it with an NFC card, the thief begins exchanging messages between the weaponized Teslakee and the car. Before the driver has even driven away, the messages enroll a key of the thief’s choice with the car. From then on, the thief can use the key to unlock, start, and turn off the car. There is no indication from the in-car display or the legitimate Tesla app that anything is amiss.
Herfurt has successfully used the attack on Tesla Models 3 and Y. He hasn’t tested the method on new 2021+ facelift models of the S and X, but he presumes they are also vulnerable because they use the same native support for phone-as-a-key with BLE.
Tesla didn’t respond to an email seeking comment for this post.
Parlez-Vous VCSec?
The vulnerability is the result of the dual roles played by the NFC card. It not only opens a locked car and starts it; it’s also used to…