With a hack, doctoral students from TU Berlin and a security researcher were able to use all the premium functions of a Tesla that buyers normally have to unlock first: the full entertainment package, heated rear seats and more. The weak point appears to be the new AMD-based infotainment system.
The pre-announcement for Black Hat USA 2023 promises a lot: in a 40-minute briefing, three doctoral students from TU Berlin and security researcher Oleg Drokin want to show how to break into a Tesla's infotainment system (MCU-Z) and then unlock its premium features. Buyers normally have to pay for heated rear seats or faster acceleration, in some cases by subscription. After the hack, the on-board computer believes that the subscription is valid and that all functions have been paid for.
Tesla hack unlocks subscription services
Tesla is known for its advanced and well-integrated car computers, covering everything from everyday entertainment to fully autonomous driving functions. More recently, Tesla has started using this established platform for in-car purchases, not just of additional connectivity features but even of analog features such as faster acceleration or heated rear seats. By hacking the onboard car computer, users could therefore unlock these features without paying for them.
In the talk, the researchers present an attack on the newer AMD-based infotainment systems (MCU-Z) used in all current models. It has two distinct outcomes. First, it enables the first unpatchable AMD-based "Tesla jailbreak", which allows arbitrary software to run on the infotainment unit. Second, it makes it possible to extract an otherwise vehicle-specific, hardware-bound RSA key that is used to authenticate and authorize a car on Tesla's internal service network.
RSA key can be extracted
To do this, the researchers use a known voltage fault injection attack against the AMD Secure Processor (ASP), which serves as the root of trust for the system. In the briefing, they show how they used inexpensive, home-built hardware to mount the glitching attack and subvert the ASP's early boot code. They then show how they reworked the boot flow to obtain a root shell on the recovery and production Linux distributions.
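The glitching step described above relies on a general property of fault injection: a brief voltage drop at the right instant makes the processor skip or mis-evaluate a single instruction, so a secure-boot check that rests on one comparison can be made to accept an unsigned image. The C program below is an added example, not code from the talk, Tesla or AMD, that simulates this fault model in software: every security-relevant comparison goes through a hypothetical `sec_memeq()`, a global selects which comparison the "glitch" forces to succeed, and a toy FNV-1a digest stands in for the real RSA signature check (the image, the digest and the glitch model are all constructed here). It contrasts a naive single-check boot ROM with a redundant, complementary check that a single fault cannot bypass.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Distinct sentinels so a single bit flip cannot turn FAIL into OK. */
#define BOOT_OK   0xA5A5A5A5u
#define BOOT_FAIL 0x5A5A5A5Au

struct image {
    uint32_t digest;    /* stand-in for the signature the boot ROM checks */
    uint8_t  body[16];  /* stand-in for the bootloader image (constructed) */
};

/* Glitch model (assumption): the fault_at-th security comparison returns
 * "equal" whatever the data says, like a skipped branch or corrupted flag.
 * fault_at == 0 means no fault is injected. */
static int g_cmp_count;
static int g_fault_at;

static int sec_memeq(const void *a, const void *b, size_t n)
{
    g_cmp_count++;
    if (g_cmp_count == g_fault_at)
        return 1;
    return memcmp(a, b, n) == 0;
}

/* FNV-1a: a toy stand-in for the real RSA signature verification. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Build a correctly "signed" image; if tamper != 0, patch one body byte
 * after signing, as an attacker replacing the bootloader would. */
static struct image make_image(int tamper)
{
    struct image img;
    for (size_t i = 0; i < sizeof img.body; i++)
        img.body[i] = (uint8_t)(0x10 + i);
    img.digest = fnv1a(img.body, sizeof img.body);
    if (tamper)
        img.body[3] ^= 0xff;
    return img;
}

/* Naive boot ROM: one comparison decides whether the image runs. */
static uint32_t naive_verify(const struct image *img, int fault_at)
{
    g_cmp_count = 0;
    g_fault_at = fault_at;
    uint32_t h = fnv1a(img->body, sizeof img->body);
    if (sec_memeq(&h, &img->digest, sizeof h))
        return BOOT_OK;
    return BOOT_FAIL;
}

/* Hardened: recompute and recompare, keep both results in sentinel form,
 * and require both to agree. Forcing one comparison no longer suffices. */
static uint32_t hardened_verify(const struct image *img, int fault_at)
{
    g_cmp_count = 0;
    g_fault_at = fault_at;
    uint32_t h1 = fnv1a(img->body, sizeof img->body);
    uint32_t r1 = sec_memeq(&h1, &img->digest, sizeof h1) ? BOOT_OK : BOOT_FAIL;
    uint32_t h2 = fnv1a(img->body, sizeof img->body);
    uint32_t r2 = sec_memeq(&h2, &img->digest, sizeof h2) ? BOOT_OK : BOOT_FAIL;
    if (r1 == BOOT_OK && r2 == BOOT_OK && r1 == r2)
        return BOOT_OK;
    return BOOT_FAIL;
}

/* Convenience wrappers: build an image and run one verifier on it. */
static uint32_t run_naive(int tamper, int fault_at)
{
    struct image img = make_image(tamper);
    return naive_verify(&img, fault_at);
}

static uint32_t run_hardened(int tamper, int fault_at)
{
    struct image img = make_image(tamper);
    return hardened_verify(&img, fault_at);
}

int main(void)
{
    for (int f = 0; f <= 2; f++)
        printf("tampered image, glitch on comparison #%d: naive=%s hardened=%s\n", f,
               run_naive(1, f) == BOOT_OK ? "BOOTS" : "rejected",
               run_hardened(1, f) == BOOT_OK ? "BOOTS" : "rejected");
    return 0;
}
```

Running it shows the tampered image booting on the naive path as soon as comparison #1 is glitched, while the hardened path rejects it whichever single comparison is forced. The final `if` in `hardened_verify()` is of course itself a glitch target, which is why this software pattern is only a complement to hardware countermeasures such as brownout detectors and randomized timing in the root of trust; the talk's premise is that the ASP's early boot code can be subverted with a cheap glitcher despite its role as the system's root of trust.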
The root privileges obtained this way permit arbitrary changes to the Linux system that survive reboots and updates. They let an attacker decrypt the encrypted NVMe storage and access private user data such as the phone book, calendar entries and so on. On the other hand, they can also benefit owners who use their vehicle in unsupported regions. In addition, the ASP attack opens up the possibility of extracting a TPM-protected attestation key that Tesla uses to authenticate the car. That allows a car's identity to be migrated to another car computer without any help from Tesla, which makes certain repairs easier.
More at BlackHat.com