If you own a Tesla Model Y, we may have some unsettling news for you. In a recent white paper titled “NFC Relay Attack On Tesla Model Y,” researchers discovered a new attack that allows a thief (or thieves, we’ll get to that later) to unlock and steal a Model Y electric car.
This latest flaw comes after a software update removed the requirement for Tesla owners to place their NFC key card in the console between the front seats in order to shift into D and drive away. The update allows owners to drive the car within two minutes of unlocking it by pressing the brake pedal. However, the update contained a flaw: the car could accept new keys two minutes after unlocking, and the new keys could unlock and start the vehicle without further authentication, according to Ars Technica.
It takes two to tango
The most recent Tesla relay attack was carried out by two people. To unlock and start a Tesla, you can use the key fob, your smartphone, or the standard NFC key card. Owners using the key card must place or tap it near the NFC reader embedded in the driver’s side B-pillar. Tesla recommends always carrying the key card as a backup in case your smartphone gets lost, stolen, or runs out of juice. With this in mind, IOActive and Rodriguez reverse-engineered Tesla’s NFC protocol in order to identify a potential security flaw in the Model Y.
The hack involves two people: one near the car and an accomplice near the owner’s NFC card or Tesla key-enabled smartphone. The hacker near your Model Y holds a Proxmark RDV4.0 RFID tool close to the NFC reader in the side pillar. The Proxmark tool then sends the car’s challenge via Bluetooth or Wi-Fi to a smartphone or tablet held by the second hacker, who may be lurking near your table at a restaurant or close by while you jog in the park.
The plan is for the accomplice’s smartphone to intercept the keycard response and send it back to the Proxmark tool, and voilà! The thief could get into the car and drive away.
Never too far away
The hack does need a Bluetooth or Wi-Fi link between the two thieves, which severely limits the distance between them. However, Rodriguez adds that the attack is still possible when the two thieves are linked over Wi-Fi through a Raspberry Pi or similar device. Furthermore, according to IOActive, the hack is also possible via the internet, which means the second thief could be in Dallas with the owner while the first thief waits in a Houston parking lot.
However, it is not all peaches and cream for the thieves. After stealing the car and turning off the engine, they will be unable to restart it using the original NFC key card (per The Verge). With a second relay attack, however, the thieves can add a new NFC card as a key and continue using the vehicle, or they can “chop” and disassemble the car and sell it for parts.
Prevention is the best cure
Fortunately, there is a silver lining in this cloud of NFC relay attacks. According to The Verge, Rodriguez contacted Tesla to inform them of the new vulnerability, but the American EV manufacturer stated that their PIN-to-Drive feature would prevent such an attack. Before driving, Tesla’s PIN-to-Drive system requires the driver to enter a four-digit verification code on the touchscreen. Many Tesla Model Y owners are unaware of this feature, but it’s past time to enable it to protect against potential NFC-related attacks.
PIN-to-Drive can be enabled in your Tesla by going to Controls, Safety & Security, and then PIN to Drive. The system will prompt you to generate a four-digit verification code, which you must manually enter after unlocking the vehicle. This feature may help prevent future theft, but keep in mind that thieves can still unlock and open your Tesla’s doors to steal valuables inside.
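The following Python model is an added illustration, not code from the white paper or from Tesla: it shows why a relayed challenge-response still unlocks the car and why PIN to Drive stops the drive-away. HMAC-SHA256, the class names and the PIN value are assumptions made for the example; the page does not describe Tesla's actual NFC protocol.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 over a random challenge stands in for the key
# card's real cryptography, which the article does not describe.

class KeyCard:
    """Owner's NFC card: answers whatever challenge it is handed."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Relay:
    """The two-device link: forwards bytes unchanged and knows no secret."""
    def __init__(self, card: KeyCard):
        self._card = card

    def respond(self, challenge: bytes) -> bytes:
        return self._card.respond(challenge)

class Vehicle:
    def __init__(self, secret: bytes, pin_to_drive=None):
        self._secret = secret
        self._pin = pin_to_drive  # None means PIN to Drive is disabled
        self.unlocked = False

    def tap(self, token) -> bool:
        """B-pillar reader: fresh random challenge, constant-time check."""
        challenge = secrets.token_bytes(16)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        self.unlocked = hmac.compare_digest(expected, token.respond(challenge))
        return self.unlocked

    def can_drive(self, entered_pin=None) -> bool:
        pin_ok = self._pin is None or entered_pin == self._pin
        return self.unlocked and pin_ok

def demo() -> dict:
    """Per setting: (relayed unlock, drive without PIN, drive with PIN)."""
    secret, results = secrets.token_bytes(32), {}
    for label, pin in (("pin_off", None), ("pin_on", "4821")):  # constructed PIN
        car = Vehicle(secret, pin_to_drive=pin)
        unlocked = car.tap(Relay(KeyCard(secret)))
        results[label] = (unlocked, car.can_drive(), car.can_drive(pin))
    return results

if __name__ == "__main__": print(demo())
```

The fresh challenge defeats replay of an old response, but it proves only that the card answered, not that the card is next to the car; the PIN is entered on the touchscreen and never crosses the relayed link.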
Rodriguez concludes that Tesla is not the only manufacturer vulnerable to this latest NFC relay attack. Vehicles equipped with digital car keys, whether new or used, are at risk. And, until automakers include a PIN-to-Drive feature in their latest models, a keyfob relay attack is a real possibility.