Tesla Jailbreak Enables Unauthorized Access to In-Car Paid Features

A group of academic researchers has discovered that Tesla cars can be vulnerable to a jailbreak of their onboard infotainment systems, which would allow owners to unlock various paid in-car features for free. This exploit could grant access to perks such as improved bandwidth, faster acceleration, and heated seats. The researchers also found that it is possible to escape the infotainment system and gain access to the internal Tesla network, allowing for more advanced modifications.

Tesla vehicles have always been known for their innovative features, including autonomous driving capabilities. All recent Tesla models are equipped with an AMD-based infotainment system called MCU-Z, which enables an in-car purchase scheme for advanced features. These features can be enabled on the car over-the-air (OTA) once they are purchased. However, this system became the target of a group of doctoral students from Technical University Berlin and independent researcher Oleg Drokin.

The researchers discovered that by gaining physical access to the car’s Infotainment and Connectivity ECU (ICE) board, it is possible to use a voltage glitching attack to subvert the AMD Secure Processor (ASP), which serves as the root of trust for the system. This attack requires some electronic engineering knowledge, a soldering iron, and the ability to purchase additional hardware for approximately $100. The researchers recommend using a Teensy 4.0 Development board for the voltage glitching, along with an SPI flash programmer and a logic analyzer for debugging.

The voltage glitching attack allows the researchers to gain root access and run arbitrary software on the MCU-Z, unlocking paid features. What makes this exploit particularly concerning is that the access gained through this attack is nearly irreversible. The researchers state that the vulnerability in the underlying AMD CPU cannot be mitigated without upgrading the CPUs. Having root permissions enables the attackers to make arbitrary changes to Linux that will survive reboots and updates.

Furthermore, after successfully executing the glitching attack, the researchers were able to reverse-engineer the boot flow and extract a vehicle-unique RSA key used to authenticate and authorize a car to Tesla’s internal service network. This key can potentially open up a range of additional possibilities for owners, such as getting around geofencing for advanced features. It could also enable car owners to bypass regional restrictions, allowing them to access features not available in their geographical area.

Additionally, with access to the authentication key, it is possible to migrate a car’s identity to another car computer. This feature could be beneficial in cases where the car’s processor is damaged or flooded. By reusing the Infotainment and Connectivity ECU without provisioning the keys, owners can avoid losing all Tesla services in the car, including app access, software, and map updates.

While the research raises concerns about potential malicious use of the attack, it is important to note that the threat model assumes prolonged physical access to the victim’s car. However, given enough time alone with a target, a cyberattacker could decrypt the car’s on-board storage and access private user data, including phonebook and calendar entries, and potentially obtain the owner’s personal information.

The researchers also mention the possibility of streamlining the attack into a product similar to a “mod chip,” which would allow for plug-and-play jailbreaking of Tesla cars. However, they clarify that they are not planning to pursue this as a business model, as it could pose legal and economic issues.

Although the Tesla findings add to the long tradition of car hacking at Black Hat, the researchers did note that Tesla has better security measures than other automotive vendors. They found that the physical security of Tesla’s car systems approaches the level seen in well-secured cellphones, which is uncommon in the car industry.

Overall, these findings highlight the importance of continuously improving the security measures in connected vehicles. As cars become increasingly integrated with technology, it is crucial for automakers to prioritize cybersecurity to protect both the vehicles and their owners’ data.
