Search Icon
Submissions

Access Your Tesla without Your Awareness: Compromising Keyless Entry System of Model 3

Xinyi Xie (Shanghai Fudan Microelectronics Group Co., Ltd.), Kun Jiang (Shanghai Fudan Microelectronics Group Co., Ltd.), Rui Dai (Shanghai Fudan Microelectronics Group Co., Ltd.), Jun Lu (Shanghai Fudan Microelectronics Group Co., Ltd.), Lihui Wang (Shanghai Fudan Microelectronics Group Co., Ltd.), Qing Li (State Key Laboratory of ASIC & System, Fudan University), Jun Yu (State Key Laboratory of ASIC & System, Fudan University)

Tesla Model 3 has equipped with Phone Keys and Key Cards in addition to traditional key fobs for better driving experiences. These new features allow a driver to enter and start the vehicle without using a mechanical key through a wireless authentication process between the vehicle and the key. Unlike the requirements of swiping against the car for Key Cards, the Tesla mobile app’s Phone Key feature can unlock a Model 3 while your smartphone is still in a pocket or bag.

In this paper, we performed a detailed security analysis aiming at Tesla keys, especially for Key Cards and Phone Keys. Starting with reverse engineering the mobile application and sniffing the communication data, we reestablished pairing and authentication protocols and analyzed their potential issues. Missing the certificate verification allows an unofficial Key Card to work as an official one. Using these third-party products may lead to serious security problems. Also, the weaknesses of the current protocol lead to a man-in-the-middle (MitM) attack through a Bluetooth channel. The MitM attack is an improved relay attack breaking the security of the authentication procedures for Phone Keys. We also developed an App named TESmLA installed on customized Android devices to complete the proof-of-concept. The attackers can break into Tesla Model 3 and drive it away without the awareness of the car owner. Our results bring into question the security of Passive Keyless Entry and Start (PKES) and Bluetooth implementations in security-critical applications. To mitigate the security problems, we discussed the corresponding countermeasures and feasible secure scheme in the future.

Paper
Slides
Video

View More Papers

QPEP in the Real World: A Testbed for Secure...

Julian Huwyler (ETH Zurich), James Pavur (University of Oxford), Giorgio Tresoldi and Martin Strohmeier (Cyber-Defence Campus) Presenter: Martin Strohmeier

Read More

VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests

Scott Jordan (University of California, Irvine), Yoshimichi Nakatsuka (University of California, Irvine), Ercan Ozturk (University of California, Irvine), Andrew Paverd (Microsoft Research), Gene Tsudik (University of California, Irvine)

Read More

Formally Verified Software Update Management System in Automotive

Jaewan Seo, Jiwon Kwak, Seungjoo Kim (Korea University)

Read More

Attacks as Defenses: Designing Robust Audio CAPTCHAs Using Attacks...

Hadi Abdullah (Visa Research), Aditya Karlekar (University of Florida), Saurabh Prasad (University of Florida), Muhammad Sajidur Rahman (University of Florida), Logan Blue (University of Florida), Luke A. Bauer (University of Florida), Vincent Bindschaedler (University of Florida), Patrick Traynor (University of Florida)

Read More