Tesla Hack: Full access to all functions


With a hack, doctoral students from the TU Berlin and a security researcher were able to use all the premium functions of a Tesla that buyers normally have to unlock first: full entertainment, heated rear seats and more. The weak point is probably the new AMD-based infotainment system.

The pre-announcement for BlackHat USA 2023 has it all: in a 40-minute talk, three doctoral students from the TU Berlin and the security researcher Oleg Drokin want to show how to hack into a Tesla's infotainment system (MCU-Z) and then unlock the premium features. Buyers usually have to pay a subscription to use heated rear seats or faster acceleration. After the hack, the on-board computer is sure that the subscription is valid and that all functions have been paid for.

Tesla hack unlocks subscription services

Tesla is known for its advanced and well-integrated car computers, which serve everything from everyday entertainment to fully autonomous driving functions. More recently, Tesla has started using this established platform to enable in-car purchases, not just for additional connectivity features, but even for analog features like faster acceleration or heated rear seats. By hacking the onboard car computer, users could therefore unlock these features without paying for them.

In this talk, the researchers present an attack on the newer AMD-based infotainment systems (MCU-Z), which are used in all newer models. The attack provides two distinct capabilities: First, it enables the first non-patchable AMD-based "Tesla Jailbreak", which allows arbitrary software to run on the infotainment system. Second, it makes it possible to extract an otherwise vehicle-specific, hardware-bound RSA key used to authenticate and authorize a car on Tesla's internal service network.

RSA key can be extracted

To do this, the researchers used a known voltage fault injection attack against the AMD Secure Processor (ASP), which serves as the root of trust for the system. In the briefing, the researchers show how they used inexpensive, homegrown hardware to launch the glitching attack and subvert the ASP's early boot code. They then show how they redesigned the boot flow to obtain a root shell on the recovery and production Linux distributions.

The root privileges obtained in this way allow arbitrary changes to the Linux system, and those changes survive restarts and updates. They allow an attacker to decrypt the encrypted NVMe storage and access private user data such as the phone book and calendar entries. On the other hand, they can also benefit vehicle use in unsupported regions. In addition, the ASP attack opens up the possibility of extracting a TPM-protected attestation key that Tesla uses to authenticate the car. This allows a car's identity to be migrated to another car computer without any help from Tesla, making certain repair jobs easier.

More at BlackHat.com

