- A basic piece of hardware allows third-party jailbreaking of a Tesla vehicle.
- The findings came from a security researcher and 3 academic researchers.
- Tesla’s AMD Secure Processor was bypassed with a voltage-glitching flaw.
- The findings will be unveiled at Black Hat USA on Wednesday, August 9.
Security vulnerabilities in Tesla cars are nothing new; they are a well-established fact, and an inherent possibility whenever sophisticated smart technology is integrated into a vehicle.
Tesla offers in-car purchases to enhance its EVs' connectivity, and researchers have already found a method to jailbreak Tesla vehicles and activate crucial features such as FSD Beta or heated seats.
Tesla EVs' In-Car Paid Features Are Hackable!
Academic researchers from Technical University Berlin and independent researcher Oleg Drokin have found a way to unlock in-car purchasable features of Tesla EVs. Researchers have found that gaining complete control of a Tesla EV was possible by exploiting a flaw in its Bluetooth system.
According to the researchers, they managed to gain root access to the Tesla EV's MCU-Z (AMD-based) infotainment system, used in almost all new EV models, which gave them complete control over the vehicle's operating system and let them use any feature, such as activating and deactivating its systems.
How Does the Attack Work?
The researchers exploited a voltage-glitching (aka fault injection) vulnerability on the ICE (infotainment ECU) board of the EV to bypass Tesla's AMD Secure Processor, a Trusted Platform Module. This let them gain root access to the OS, run arbitrary code on the MCU-Z, and enable paid features like Acceleration Boost, FSD Beta, and heated seats.
Beyond that, they could break the geolocation restrictions on FSD Beta and navigation, which may be detrimental for Tesla users because it makes enabling FSD Beta possible in any region or country where it is unavailable.
Tesla Jailbreak Details
Interestingly, jailbreaking the Tesla turned out to be easier than expected, and advanced tools weren't required. The researchers successfully exploited the MCU-Z with a voltage fault injection attack against the ASP, using low-cost hardware to mount the glitching attack and disrupt the ASP's early boot code.
They then reverse-engineered the boot flow to gain a root shell. With root permissions, they could make arbitrary changes to Linux and decrypt the encrypted NVMe storage to access private user data such as calendar entries or the phonebook.
The ASP attack also allows extracting a TPM-protected attestation key that authenticates a Tesla EV, and migrating the vehicle's identity to another car computer without Tesla's consent.
According to co-researcher Christian Werling, this attack can be pulled off with basic electronic engineering skills, hardware worth up to $100, and a soldering iron. Moreover, the AMD CPU's vulnerability cannot be mitigated without a CPU upgrade, and gaining root permissions allows arbitrary changes to Linux that survive updates and reboots, meaning the access might be irrevocable.
Werling noted that a Teensy 4.0 development board is better suited to voltage glitching, as it works better with the team's open-source attack firmware. In addition, an SPI flash programmer and a logic analyzer can help debug the attack.
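The attack described above works by disrupting the ASP's early boot code at the moment it decides whether to trust what it is about to run. The C program below is an added illustration, not code from Tesla, AMD or the researchers, of the general design principle behind that kind of weakness: a boot check that reduces to a single boolean can be defeated by one corrupted comparison, while redundant comparisons with a wide verdict encoding fail closed under the same single-fault model. The digests, the verdict constants and the software fault model are all constructed for the example; real countermeasures also need hardware-level protections such as voltage monitoring, which, as noted above, cannot be retrofitted to the affected CPU without an upgrade.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not Tesla, AMD or the researchers' code.
 * Fault model: the attacker can corrupt the outcome of at most ONE
 * comparison per boot (a rough software stand-in for one skipped or
 * mis-executed instruction under a voltage glitch). */

#define DIGEST_LEN 32
#define VERDICT_OK   0x5A5A3C3Cu   /* wide, non-trivial "accept" pattern  */
#define VERDICT_FAIL 0xA5A5C3C3u   /* its bitwise complement for "reject" */

typedef struct {
    int fault_at;  /* index of the comparison to corrupt; -1 = no glitch */
    int counter;   /* comparisons executed so far during this boot       */
} fault_model;

/* Digest comparison whose result the fault model may flip once. */
static int faulty_equal(fault_model *fm, const uint8_t *a, const uint8_t *b) {
    int equal = memcmp(a, b, DIGEST_LEN) == 0;
    if (fm->counter++ == fm->fault_at)
        equal = !equal;            /* the single injected fault */
    return equal;
}

/* Naive check: one boolean decides, so one flipped compare boots anything. */
static int naive_verify(fault_model *fm, const uint8_t *digest, const uint8_t *expected) {
    return faulty_equal(fm, digest, expected);
}

/* Hardened check: redundant compares in both operand orders, a wide verdict
 * encoding instead of 0/1, and fail-closed on any disagreement. */
static uint32_t hardened_verify(fault_model *fm, const uint8_t *digest, const uint8_t *expected) {
    volatile uint32_t verdict = VERDICT_FAIL;             /* default: reject */
    int first  = faulty_equal(fm, digest, expected);
    int second = faulty_equal(fm, expected, digest);
    if (first && second)
        verdict = VERDICT_OK;
    if (first != second)                                  /* compares disagree: tampering or glitch */
        verdict = VERDICT_FAIL;
    if (verdict != VERDICT_OK && verdict != VERDICT_FAIL) /* verdict word itself corrupted */
        verdict = VERDICT_FAIL;
    return verdict;
}

/* Constructed digests: a reference value and an image differing in one bit. */
static void make_digests(uint8_t *expected, uint8_t *tampered) {
    memset(expected, 0x11, DIGEST_LEN);
    memcpy(tampered, expected, DIGEST_LEN);
    tampered[7] ^= 0x80;
}

/* 1 if the naive check would boot the tampered image under the given fault. */
int naive_boots_tampered(int fault_at) {
    uint8_t expected[DIGEST_LEN], tampered[DIGEST_LEN];
    make_digests(expected, tampered);
    fault_model fm = { fault_at, 0 };
    return naive_verify(&fm, tampered, expected);
}

/* 1 if the hardened check would boot the tampered image under the given fault. */
int hardened_boots_tampered(int fault_at) {
    uint8_t expected[DIGEST_LEN], tampered[DIGEST_LEN];
    make_digests(expected, tampered);
    fault_model fm = { fault_at, 0 };
    return hardened_verify(&fm, tampered, expected) == VERDICT_OK;
}

/* 1 if the hardened check boots a GENUINE image; a glitch here fails closed. */
int hardened_boots_genuine(int fault_at) {
    uint8_t expected[DIGEST_LEN], tampered[DIGEST_LEN];
    make_digests(expected, tampered);
    fault_model fm = { fault_at, 0 };
    return hardened_verify(&fm, expected, expected) == VERDICT_OK;
}

int main(void) {
    printf("tampered image, no glitch:  naive=%d hardened=%d\n",
           naive_boots_tampered(-1), hardened_boots_tampered(-1));
    printf("tampered image, glitch #0:  naive=%d hardened=%d\n",
           naive_boots_tampered(0), hardened_boots_tampered(0));
    printf("tampered image, glitch #1:  naive=%d hardened=%d\n",
           naive_boots_tampered(1), hardened_boots_tampered(1));
    printf("genuine image,  glitch #0:  hardened=%d (fails closed)\n",
           hardened_boots_genuine(0));
    return 0;
}
```

The trade-off the last line shows is deliberate: a glitch against the hardened check on a genuine image produces a refused boot rather than a bypass, which is the outcome a secure-boot root of trust should prefer. Redundancy of this kind narrows the single-fault window but does not remove it, which is why the researchers' finding that the affected ASP cannot be fixed without a CPU change matters for the long-lived fleet.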
It is unclear whether the researchers have informed Tesla about this vulnerability. Despite the successful jailbreak, the researchers lauded Tesla's security mechanisms, claiming they are way ahead of most automakers'.
The findings will be revealed at the Black Hat USA on Wednesday, August 9, 2023.