Security experts at British information assurance firm NCC Group demonstrated to Bloomberg how easy it is to unlock a Tesla and drive away with it: in less than ten seconds, both a Model 3 and a Model Y had been unlocked.
The experts exploited a vulnerability in the Bluetooth communication between the cell phone and the car, more specifically in the Bluetooth Low Energy (BLE) protocol, to break in within seconds. The company says it does not currently know whether the method has been used in actual car thefts.
As a Tesla owner, you become accustomed to the car responding as soon as you approach with the key or mobile phone. The vulnerability lies in this Bluetooth communication: hackers from NCC Group managed to redirect the signal so that the car thought the owner’s mobile phone was nearby. The doors then unlocked and the car was ready to go.
According to Sultan Qasim Khan, a security consultant at NCC Group, the physical system that unlocks the car must be replaced to protect it against such an attack.
The attack method is very similar to one that was previously a problem for Tesla models with a physical car key (key fob). That method is called a Signal Amplification Relay Attack (SARA): thieves use a device that captures and amplifies the signal from the electronic car key. Such an amplifier works so well that it can pick up the key signal from inside a house and fool the car into thinking the key is nearby. Alternatively, the signal can be relayed to an accomplice standing right next to the car.
This method has already been used by thieves around the world. At the time, Tesla advised owners to activate the “PIN to Drive” feature, which makes the car prompt for a PIN code before it can be driven off.