In 2023, Tesla can be hacked to unlock paid features for free, researchers say
The MCU-Z
According to a group of academic researchers, a nearly irreparable bug in the entertainment system of Tesla’s electric vehicles allows owners to unlock a series of paid features for free, including improved acceleration and heated seats.
The researchers also found that it is possible to jump from the entertainment system to Tesla’s internal network for vehicle authentication, which opens up more possibilities, including breaking through the geographical restrictions of navigation and automatic driving, and migrating Tesla’s “user profile” to another car.
As far as I know, all the latest Tesla vehicles come with an AMD-based entertainment system called MCU-Z, which can be updated via OTA to enable advanced features.
That’s exactly what Oleg Drokin, a group of doctoral students and independent researcher at the Technical University of Berlin, is targeting.
They will present the research for the first time at next week’s Black Hat USA conference, titled “Electric Car Jailbreak or How to Turn On Tesla’s x86-based Heated Seats in 2023.”
Researchers have discovered that a known voltage fault injection attack can be exploited to bypass the MCU-Z’s AMD Security Processor (ASP) simply by having physical access to the car’s entertainment and connectivity electronic control unit (ICE) board.
“Currently, our attack can be performed by professionals with some electrical engineering background, using a soldering iron and additional hardware for about $100.
We recommend using a Teensy 4.0 development board for the voltage Fault injection can be easily done using our open-source attack firmware.
An SPI flash programmer is also required, and a logic analyzer can go a long way in debugging the entire attack.”
Werling explained that voltage fault injection not only makes it possible to gain root access and run arbitrary software on the MCU-Z to unlock some paid features, but that access is almost irreversible.
“While (voltage fault injection) is harder to perform than a software-only attack, the vulnerability cannot be fixed without upgrading the CPU.
The root privileges we obtained allow us to make arbitrary modifications to Linux that persist across reboots and updates to the car .”
After successfully executing a fault injection attack to bypass the ASP, the team was able to reverse engineer the bootstrap process, ultimately extracting the vehicle’s unique, hardware-bound RSA key for authentication and authorization to Tesla’s internal service network.
“There is also a higher privilege level on the system used to store the keys for the vehicle to connect to the Tesla network,” Werling explained.
Using the same attack and sophisticated reverse engineering of the firmware-based Trusted Platform Module (TPM), we were able to Extract these keys.”
The team found that having these keys could open up a host of additional possibilities for car owners, including bypassing geo-fences for advanced features.
Drokin, an independent researcher, said: “Tesla locked down some features, the most common being maps.
Only a few regions support maps, and if the vehicle happens to be outside of these regions, the user has no navigation support at all.”
FSD Beta
He also noted that the FSD Beta feature is available on vehicles in North America, but not on Tesla vehicles in Europe, and that this attack “could help lift those restrictions, although it would require more reverse engineering.”
In addition, with the key that Tesla uses to authenticate the vehicle, the identity of the vehicle can be migrated to another on-board computer.
Drokin noted that this would come in handy in the event of a broken processor.
He explained: “Model 3 on-board computers on eBay cost between $200 and $400, and Tesla sells them for $1700 to $2700 (depending on the model).
If you just reuse the ICE without configuring the key, you will lose All Tesla services for the vehicle, including app access, software and map updates, and more.”
Leave A Comment