Tesla Jailbreak Unlocks Theft of In-Car Paid Features

Published: 23/11/2024   Category: security

Want heated seats for free? Self-driving in Europe despite a regulatory ban? Researchers have discovered the road to free car-modding on the popular Tesla EVs.



Tesla cars are susceptible to a nearly irreversible jailbreak of their onboard infotainment systems that would allow owners to unlock a bevy of paid in-car features for free. The stolen perks can run the gamut from better bandwidth to faster acceleration and heated seats, according to a team of academic researchers.
The researchers also found that it is possible to escape the infotainment system and pivot to the internal Tesla network used for authenticating cars, which opens a wide-open highway to more advanced modding, including breaking geolocation restrictions on navigation and self-driving, and the ability to migrate the Tesla's user profile to another vehicle.
Teslas have long been at the forefront of enabling smart functionalities, including, famously, autonomous driving. True to form, all recent Tesla models sport an AMD-based infotainment system known as MCU-Z, which enables an innovative in-car purchase scheme for advanced features that, once purchased, are enabled on the car over-the-air (OTA).
This was the target for a group of doctoral students from the graduate program at Technical University Berlin and independent researcher Oleg Drokin. Team members will present the research for the first time at Black Hat USA next week in a session entitled "Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater."
The researchers discovered that someone with physical access to the car's Infotainment and Connectivity ECU (ICE) board can use a known voltage glitching attack to subvert the MCU-Z's AMD Secure Processor (ASP), which serves as the root of trust for the system.
"Currently, our attack can be applied by people with some electronic engineering background, a soldering iron, and the ability to purchase additional hardware for about $100," Ph.D. student Christian Werling says. "We recommend using a Teensy 4.0 Development board for the voltage glitching that is readily usable with our open-sourced attack firmware. An SPI flash programmer is required, and a logic analyzer can greatly help to debug the overall attack."
Voltage glitching, also known as fault injection, not only makes it possible to gain root access and run arbitrary software on the MCU-Z to unlock some paid features, but the access gained is nearly irrevocable, he says.
"While [voltage glitching] is arguably fiddlier to mount than a software-only attack, the underlying AMD CPU's vulnerability cannot be mitigated without upgrading the CPUs," Werling explains. "Our gained root permissions enable arbitrary changes to Linux that survive reboots and updates."
After successfully executing the glitching attack to subvert the ASP, the team was able to reverse-engineer the boot flow to ultimately extract a vehicle-unique, hardware-bound RSA key used to authenticate and authorize a car to Tesla's internal service network.
"There is an even higher privilege level on the system used to store the car's keys to the Tesla network," Werling explains. "Using the same attack and some sophisticated reverse engineering of the firmware-based Trusted Platform Module, we were able to extract these keys, which are usually protected even from root users on the device."
The keys could open up a range of additional possibilities for owners, the researchers found, including getting around geofencing for advanced features.
"Tesla locks some capabilities [in certain regions], the most common being maps," explains Drokin, the independent researcher on the team. "There are only a handful of regions that support maps, and if the car happens to be outside of them, users don't get navigation support at all."
He also notes that cars inside North America have access to full self-driving beta features, while Teslas in Europe don't, and the attack could help to free a car from these restrictions, although that would require more reverse engineering.
Additionally, with access to the key Tesla uses to authenticate the car, it's possible to migrate a car's identity to another car computer. Drokin notes that this can come in handy in the case of flooded or damaged processors.
"A Model 3 car computer costs $200 to $400 on eBay, and Tesla sells it for $1,700 to $2,700 (depending on variant)," he explains. "Just reusing the ICE without provisioning the keys in would mean you lose all Tesla services in the car, including app access, software and map updates, and so on."
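The two preceding passages describe the per-vehicle key as the car's identity toward Tesla's service network, and identity migration as copying that key to another computer. The following toy model, added here and not code from the article or the researchers, shows why a backend that only holds public keys cannot tell an original unit from a second unit carrying an extracted copy of the same private key, while a unit without the key fails and a replayed old signature fails. The `Vehicle` and `Backend` classes, the `VIN-ORIGINAL` identifier and the small primes are all constructed for illustration; it is textbook RSA with no padding and stands in for the protocol shape only, not for Tesla's actual scheme.

```python
"""Added illustration (not from the article or the researchers): a toy
challenge/response model of device-identity authentication with a
per-vehicle RSA key. Textbook RSA over small constructed primes, no padding."""
import hashlib
import secrets


def make_key(p, q, e=65537):
    """Build a toy RSA key pair from two constructed primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return {"n": n, "e": e, "d": d}


def digest_mod_n(data, n):
    """Hash the message and reduce it into the RSA modulus (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Vehicle:
    """A car computer holding a vehicle id and the private key it presents."""

    def __init__(self, vehicle_id, key):
        self.vehicle_id = vehicle_id
        self.key = key

    def sign_challenge(self, nonce):
        msg = self.vehicle_id.encode() + nonce
        h = digest_mod_n(msg, self.key["n"])
        return pow(h, self.key["d"], self.key["n"])


class Backend:
    """The service side: it knows only each enrolled vehicle's public key."""

    def __init__(self):
        self.registry = {}  # vehicle_id -> (n, e)

    def enroll(self, vehicle_id, key):
        self.registry[vehicle_id] = (key["n"], key["e"])

    def new_challenge(self):
        return secrets.token_bytes(16)

    def verify(self, vehicle_id, nonce, signature):
        if vehicle_id not in self.registry:
            return False
        n, e = self.registry[vehicle_id]
        expected = digest_mod_n(vehicle_id.encode() + nonce, n)
        return pow(signature, e, n) == expected


def authenticate(backend, unit):
    """One challenge/response round; True if the backend accepts the unit."""
    nonce = backend.new_challenge()
    return backend.verify(unit.vehicle_id, nonce, unit.sign_challenge(nonce))


# Constructed primes just above 10**6 (hypothetical; real keys are 2048+ bits).
ORIGINAL_KEY = make_key(1000003, 1000033)
OTHER_KEY = make_key(1000037, 1000039)


def demo():
    backend = Backend()
    backend.enroll("VIN-ORIGINAL", ORIGINAL_KEY)
    original = Vehicle("VIN-ORIGINAL", ORIGINAL_KEY)
    # Hypothetical scenario: the same private key copied onto a second unit.
    clone = Vehicle("VIN-ORIGINAL", ORIGINAL_KEY)
    # A unit that claims the id but holds a different key.
    impostor = Vehicle("VIN-ORIGINAL", OTHER_KEY)
    # A captured signature over an old nonce presented against a new one.
    stale_sig = original.sign_challenge(b"old-nonce")
    return {
        "original": authenticate(backend, original),
        "clone_with_extracted_key": authenticate(backend, clone),
        "impostor_without_key": authenticate(backend, impostor),
        "replayed_old_signature": backend.verify("VIN-ORIGINAL", b"new-nonce", stale_sig),
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is in the `clone` result: the signature is all the backend ever sees, so the key's confinement to hardware (the role the firmware TPM plays in the article) is the entire difference between "this car" and "whoever holds this key".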
Of course, the research also potentially paves the road for malicious use of the attack, "though given the threat model of having prolonged physical access to the victim's car, this might be a less critical threat," Werling points out.
Nonetheless, given enough time alone with a target, a cyberattacker could decrypt the car's on-board storage and access private user data such as the phonebook and calendar entries, and potentially the owner's personal information as well, the team found.
And, Werling says, the identity migration could enable an attacker to impersonate another Tesla customer, at least temporarily, allowing someone else to hijack that person's profile (and features).
He also notes the possibility of streamlining the attack into a product akin to a mod chip, for plug-and-play jailbreaking; he is careful to note that this is "not something we are planning to do" and would pose "a legally and economically questionable business model."
While the Tesla findings are the latest in a long tradition of car-hacking at Black Hat, Werling says that the research did reveal that the carmaker has better security than most of its automotive peers.
"Where Tesla differs from pretty much all other vendors is the physical security of their car systems approaching the level you see on well-secured cellphones of established vendors," he notes, "which is very uncommon in the car world."
