A group of German PhD students from Technische Universität Berlin showcased a method to unlock paywalled features in cars at the Black Hat conference. In their presentation, the researchers demonstrated how they bypassed the $300 purchase requirement for activating heated rear seats in a Tesla Model 3 by modifying the vehicle's computer.
Unlike previous Tesla hackers, who tried to take control of vehicles from the outside, the researchers approached the problem as if they already had physical access to the car and were making their own modifications. They first tried to modify the firmware in the Tesla’s computer, but a secure boot process blocked them. This secure boot process was a relatively new development in Tesla’s computers and added an extra layer of protection.
The researchers noted that previous versions of Tesla computers had vulnerabilities, such as off-chip boot loader buffer overflows, which were fixed through firmware updates. They also acknowledged that earlier versions of Tesla computers had open X servers, hard-coded passwords, and unsigned code. Today, however, Tesla computers implement a boot chain of trust, firmware and OS signing, and a root of trust in their AMD System-on-Chips (SoCs). These security measures posed a challenge for the researchers, as they were unable to gain access to the computer system.
To overcome these obstacles, the researchers soldered a couple of wires to the infotainment and connectivity electronic control unit (ECU) in the Tesla. This ECU contains the gateway chip that stores settings for software-locked features. By manipulating the voltage at the right time, the researchers were able to trick the system into thinking it was being securely booted while gaining root access to the device. This allowed them to unlock the heated seats. In addition, they used their access to exfiltrate information stored in the Tesla computer, including location history, Wi-Fi passwords, and session cookies for services like Spotify and Gmail.
The researchers contacted Tesla to share their exploit, and the automaker’s first concern was whether the exploit was persistent. The researchers confirmed that it was not: the exploit does not survive a restart of the vehicle. Tesla has not responded to the researchers since their disclosure. Achieving persistence would require soldering a mod chip to the board itself, which may not be a desirable option for Tesla owners due to warranty concerns.
While the researchers have not tested their technique on an actual Tesla vehicle, independent security researcher Oleg Drokin has reportedly tried it and found success. The researchers have not yet attempted to duplicate the exploit on other vehicles with software-locked features, such as BMWs, as they have not been able to obtain a computer from those vehicles. However, the lead researcher, Christian Werling, expressed doubt that other manufacturers have the same level of protection as Tesla.
Werling noted that Tesla has been proactive in defending against software attacks by actively seeking to attract hackers and investing in security measures. This approach may explain why Tesla’s computers have advanced security features compared to other automakers. However, the researchers found it concerning that Tesla did not anticipate a voltage glitch as a potential vulnerability, especially since Tesla vehicles use AMD processors that a separate research paper had previously shown to be vulnerable to voltage manipulation.
The researchers suggested that Tesla could release a patch to address this issue, either through hardware redesigns or software modifications to detect voltage manipulation. However, Tesla has not responded to inquiries regarding this matter. As of now, it remains unclear if Tesla will take any action to protect against this exploit, but the demonstration serves as a reminder of the importance of robust supply chain security and ongoing efforts to stay ahead of potential vulnerabilities.

