1. Attachments are working again! Check out this thread for more details and to report any other bugs.

Featured Tesla cellular App creates a "man in the middle" security flaw.

Discussion in 'Prius, Hybrid, EV and Alt-Fuel News' started by dbstoo, Mar 15, 2023.

  1. dbstoo

    dbstoo Senior Member

    Joined:
    Oct 7, 2012
    1,213
    648
    0
    Location:
    Near Silicon Valley
    Vehicle:
    2024 Prius Prime
    Model:
    XLE
    There's been almost no news coverage of a major security flaw discovered last week, approximately 6 days ago. Anyone with a Tesla can use their cell phone to unlock and then drive your car.

    The flaw was introduced when Tesla updated their cell phone app and the car firmware to allow the car to treat the cell phone like a real key. It effect, it gives an authenticated cell phone the same privileges as a physical key in their wireless smart keyless entry system. That sounds cool, and it is if it's done correctly.

    The problem appears to be that the Tesla programmers made a classic rookie mistake when coding the authentication, key exchange and authorization routines. The end result is that when you unlock your own Tesla, any other tesla within range of the blue tooth signal will accept your phone as authorized to provide entry. Oh, and it also thinks that your phone is authorized to allow you to start and drive the car.

    In effect, Tesla created a built in "man in the middle" exploit, and then there was virtually nothing mentioned about it for days. It just occurred to me that Twitter could be suppressing any tweet that mentions that flaw. I wonder how we would even know?

    One of the few early reports : https://www.autoblog.com/2023/03/13/tesla-model-3-unlocked-driven-by-wrong-owner

    It was mentioned on Reddit last week that you might want to remove all valuables from your car until an official recall is executed or until you hear from an official Telsa channel that it's been fixed.

    I find it incredible that this made it through the Tesla testing without anyone ever checking to see that it does not have an interaction with the wrong car.

    P.S. Tesla supporters will say that this is no different than the legacy car locks that have as few as 40 unique "jiggler" keys to open the driver's door. That is true, but it's not the same. If you use an "almost right key" to open the door to your Prius you will find that it does not start the car. There is a separate technology that is used inside the car ( the immobilizer ) that must be satisfied that you are authorized to use the car.
     
  2. PriusCamper

    PriusCamper Senior Member

    Joined:
    Mar 3, 2012
    10,775
    4,372
    0
    Location:
    Pacific Northwest, USA
    Vehicle:
    2007 Prius
    Model:
    Two
    On the bright side the least likely person to want to steal a Tesla is someone who already owns a Tesla... Of course accidentally driving someone else's Tesla away could quickly go from bad to worst. Seems like an easy thing to patch and will be done quickly?
     
  3. dbstoo

    dbstoo Senior Member

    Joined:
    Oct 7, 2012
    1,213
    648
    0
    Location:
    Near Silicon Valley
    Vehicle:
    2024 Prius Prime
    Model:
    XLE
    I don't think that there have been any studies that show that tesla owners are more ethical or scrupulous than the average person.

    There have been reports that crooks have used a certain type of range extender as a "man in the middle" in order to break into or steal cars with poorly implemented wireless security. The range extender enables the crook to trigger the app on the owner's phone to unlock and turn on the car from hundreds of feet away. In essence, they don't need to own a tesla in order to take yours and your neighbor's too.

    Will it be easy to patch? I should hope not. Someone in the Dev roll blew it when they wrote the code . They also chose the wrong technique to authenticate the car and the Mobile app. Someone in the QA role blew it in the design stages. Someone in the QC role blew it in the testing stages. Someone in the marketing role has done a great job of proselytizing the owners so that they come to the company's defense. The faulty work needs to be recreated by fresh engineers who understand why the cars that might have been attacked that way may be compromised. If they don't have a way to test for a root kit, the common remediation includes wiping the disk(s) and any device that might have a virus on it. That includes firmware. Of course, those machines are typically turned off and isolated until the system is rebuilt from a known good source.

    No, it should not be easy to fix the flaw and not quick to test it either. It should not be easy to push out the fix as an OTA patch. I hope someone in Tesla is taking this seriously.
     
  4. ChapmanF

    ChapmanF Senior Member

    Joined:
    Mar 30, 2008
    23,073
    14,982
    0
    Location:
    Indiana, USA
    Vehicle:
    2010 Prius
    Model:
    IV
    Is it reported that the MITM attack allows anything to be rooted, or just to allow the car to be unlocked and driven?
     
  5. dbstoo

    dbstoo Senior Member

    Joined:
    Oct 7, 2012
    1,213
    648
    0
    Location:
    Near Silicon Valley
    Vehicle:
    2024 Prius Prime
    Model:
    XLE
    There are surprisingly few reports. Normally you'd see disclaimers from Musk, but not that I've seen so far.

    The following quote from "https://www.thedrive.com/news/tesla-app-unlocks-someone-elses-car-lets-them-drive-away-in-it" speaks to the difficulty in determining how many people have tried to report the flaw.

     
  6. Trollbait

    Trollbait It's a D&D thing

    Joined:
    Feb 7, 2006
    21,597
    11,224
    0
    Location:
    eastern Pennsylvania
    Vehicle:
    Other Non-Hybrid
    Was there just the one incident?

    Ain't going to defend Tesla's poor customer support nor lack of a PR department.
     
  7. mountaineer

    mountaineer Active Member

    Joined:
    May 7, 2019
    125
    105
    0
    Location:
    Ontario
    Vehicle:
    2019 Prius Prime
    Model:
    Premium
    Here's one media report of the problem, when a Vancouver Tesla owner accidentally drove off in someone else's car:

     
  8. Trollbait

    Trollbait It's a D&D thing

    Joined:
    Feb 7, 2006
    21,597
    11,224
    0
    Location:
    eastern Pennsylvania
    Vehicle:
    Other Non-Hybrid
    It's the same event. All the reports are just about what happened with this one guy.
     
  9. hill

    hill High Fiber Member

    Joined:
    Jun 23, 2005
    19,606
    8,036
    54
    Location:
    Montana & Nashville, TN
    Vehicle:
    2004 Prius
    Model:
    IV
    Gee, I wonder why.
    Could this be the reason?
    CPU's gona get what CPU's get - all too often.

    Screenshot_2023-03-17-18-45-49-22_40deb401b9ffe8e1df2f1cc5ba480b12.jpg
    This is like the electric car haters that try to get hysterical about battery fires even though the ratio of gas fires to electric car fires per million miles is pretty insignificant - comparatively speaking. But don't let that stop haters from running Hysteria up the flag
    .
     
    3PriusMike likes this.
  10. Trollbait

    Trollbait It's a D&D thing

    Joined:
    Feb 7, 2006
    21,597
    11,224
    0
    Location:
    eastern Pennsylvania
    Vehicle:
    Other Non-Hybrid
    Has there been a rash Tesla thefts because of this yet?
     
  11. hill

    hill High Fiber Member

    Joined:
    Jun 23, 2005
    19,606
    8,036
    54
    Location:
    Montana & Nashville, TN
    Vehicle:
    2004 Prius
    Model:
    IV

    Screenshot 2023-03-27 145041.png
     
    3PriusMike likes this.
  12. austingreen

    austingreen Senior Member

    Joined:
    Nov 3, 2009
    13,527
    4,057
    0
    Location:
    Austin, TX, USA
    Vehicle:
    2018 Tesla Model 3
    Model:
    N/A
    Tesla's are among the least stolen cars. There are strong theft deterrents since the cars can record the thief and track the cars. This is not to say they can not be stolen, but what thief or chop shop really wants its location known to the police and possible recording of them covering the cameras?

    I did try to open a different tesla that was parked near mine after asking the owner. It didn't work. Not sure what went on in the Canadian incident and whether it really was the app. I would think if this was happening a lot we would hear more than one incident and I am curious to what happened.
     
  13. dbstoo

    dbstoo Senior Member

    Joined:
    Oct 7, 2012
    1,213
    648
    0
    Location:
    Near Silicon Valley
    Vehicle:
    2024 Prius Prime
    Model:
    XLE
    Yesterday I saw an interesting event. There was a man next to a Tesla with his cellphone, and he was walking around the car waving the phone around between poking at the phone screen. He stopped at the passenger door just as I started to pull into that empty stall. He was blocking my path, so I waited for him to finish whatever he was doing. He started to act nervous, facing away from me when he realized that I was watching his activity. I didn't know what he was trying to do or how long it would take, so I backed up and drove to the next lane where a car had just pulled out.

    He was finally successful. His door was open by the time that I finished parking my car. I watched as he did something inside the passenger side of the car, and then he went to the driver side and drove away.
     
    mountaineer likes this.
  14. DavidA

    DavidA Prius owner since July 2009

    Joined:
    Jul 14, 2009
    2,325
    1,811
    18
    Location:
    Chicago western burbs
    Vehicle:
    2017 Prius Prime
    Model:
    Prime Advanced
    Or, he could have been the owner. Not only does Bluetooth need to be activated, but the Tesla App also needs to be running. I won't tell you how many times I've only turned the Bluetooth on and forgot to launch the Tesla App. I've acted nervous while wondering why my car hasn't let me in.

    Always have the Tesla card on your person in case the phone key doesn't work.
     
  15. dbstoo

    dbstoo Senior Member

    Joined:
    Oct 7, 2012
    1,213
    648
    0
    Location:
    Near Silicon Valley
    Vehicle:
    2024 Prius Prime
    Model:
    XLE
    The flaw is triggered when there are two cars that are close together and the driver is granted access to one of them (via a time stamped token) and refused access by the other (possibly by no response). If the timing is right BOTH cars will accept the token as being valid.

    A close analogy is when someone gains entry to a gated apartment house by following a resident through the remotely controlled gate. The resident has already asked for entry, so all the intruder needs to do is to press the call button a second time before the resident reaches the apartment. Someone in some apartment will often open the gate without seeing or even talking to the intruder.
     
    #15 dbstoo, Mar 29, 2023
    Last edited: Mar 29, 2023
  16. austingreen

    austingreen Senior Member

    Joined:
    Nov 3, 2009
    13,527
    4,057
    0
    Location:
    Austin, TX, USA
    Vehicle:
    2018 Tesla Model 3
    Model:
    N/A
    My unscientific test - 2020 tesla model 3 parked next to my 2018 tesla model 3. The owner of the other car did not leave her phone in the car. The Bluetooth nfc would not open her door but did mine. I tried to unlocking my phone, still nothing. My card key similarly did not work on her car. The other way the app can open the car is through internet. The cellular wifi from my phone to the cellular wifi in the cars opened my car, but not hers. I walked back to leave my phone after locking my doors with it. The cellular wifi with her phone in the app opened her car and not mine. Perhaps there is an error in keys in the one case in canada, but I doubt this is a general problem. THere have been no other reports. GM did have incidents where the same key opened more than one car, maybe this was a fluke, or a security bug. No one else seems to have been able to repllicate and I am not the only one.

    That would be the other owner opening the door and remotely starting. I'm sure that can happen, and owners have left phones in teslas which leaves them unlocked and able to start. Alternatively the cars may have been put in service mode which would allow it to be started.

    I've done that too. The first time I almost called my gf to bring me my key card. Now I check to see if bluetooth is on. Once it didn't work anyway and I used the app to unlock the door, and then drove.
     
    #16 austingreen, Mar 29, 2023
    Last edited: Mar 29, 2023
  17. Trollbait

    Trollbait It's a D&D thing

    Joined:
    Feb 7, 2006
    21,597
    11,224
    0
    Location:
    eastern Pennsylvania
    Vehicle:
    Other Non-Hybrid
    It is sounding like we have one owner that forgot to turn their car off, and an oblivious one that didn't realize they got into the wrong car. The latter didn't turn off the car, or had the former restart it through the app, after getting their kids.
     
  18. 3PriusMike

    3PriusMike Prius owner since 2000, Tesla M3 2018

    Joined:
    Jun 21, 2009
    2,934
    2,287
    0
    Location:
    Silicon Valley
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    Except that there is no action needed to turn "off" a Tesla. You drive around, stop your car, put it into park, open the door, get out, close the door and walk away (with your phone) and it locks. If you forget to put it into park, this happens automatically when you open the door (with a beep and warning message on the screen). If you forget to take your phone the car does not lock. If you don't fully close the door and you walk away you get a notification message on your phone a few minutes later.

    If you are using the key card to drive with it is mostly the same except when you get out of the car you have to tap the card on the driver's B pillar to lock the car.

    Mike
     
    Trollbait and austingreen like this.
  19. Trollbait

    Trollbait It's a D&D thing

    Joined:
    Feb 7, 2006
    21,597
    11,224
    0
    Location:
    eastern Pennsylvania
    Vehicle:
    Other Non-Hybrid
    Phone in car, anybody drive off with it? How obvious is it that the car didn't lock when walking away? Can any alerts for that be turned off?

    What is the range between the phone and car? Could Mr. Oblivious have gotten to the wrong car while the owner was still close enough?

    Doesn't the car and phone need to be paired up before they even would exchange key codes? I know it's possible to access a phone through BT without permission, but wouldn't that be a separate glitch to the one letting the Tesla app on the wrong phone access the car? If a Tesla sniffs every phone that walks by, couldn't anyone down load the app to access a car?
     
  20. hill

    hill High Fiber Member

    Joined:
    Jun 23, 2005
    19,606
    8,036
    54
    Location:
    Montana & Nashville, TN
    Vehicle:
    2004 Prius
    Model:
    IV
    In our 2018 MX that we sold, you could step out - not even close the door, & it closes / locks / shuts down by itself. Height of superfluous car tech
    LOL
    ;)
    .