Tesla’s 2021 update that made its vehicles easier to start once unlocked using their NFC key cards can be exploited to steal cars. This was recently demonstrated by a researcher who studied the said vulnerability.

Initially, drivers who used their Tesla NFC key card to unlock their cars need to place the card on the centre console to start driving. After the update last August, drivers could start their cars immediately after unlocking them with the card. 

Martin Herfurt, an Austrian security researcher, found out that not only did it automatically start the car within 130 seconds of being unlocked with the NFC card, but it also made it possible for the car to accept new keys—with no authentication required nor any indication provided by the in-car display.

“The authorization given in the 130-second interval is too general… [it’s] not only for drive. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key,” Herfurt said in an online interview.

The official Tesla phone app does not allow keys to be enrolled unless connected to the owner’s account. Nevertheless, Herfurt discovered that the car is able to exchange messages with any nearby Bluetooth Low Energy, or BLE device. Hence, Herfurt built his own app and called it Teslakee. The app is able to speak VCSec, the actual language that the Tesla app uses to communicate with Tesla cars.

Herfurt designed a malicious version of his app to show how easy it is for thieves to enter their own key during the 130-second interval. 

The only requirement is to be within range of the car during the 130-second window of it being unlocked with an NFC card. With the phone app being the most common method to unlock Tesla cars, a hacker can use a signal jammer to successfully block the BLE frequency used by Tesla’s phone-as-a-key app.

As the driver enters the car after it has been unlocked with the NFC card, the thief starts exchanging messages between the malicious Teslakee app and the car. Before the car is able to drive off, the messages input the thief’s key of choice with the car. After this, the thief may already use the key to unlock, start, and turn off the car. No indication appears from the in-car display or the legitimate Tesla app that something is going wrong.

As a countermeasure, Tesla car owners are urged to set up Pin2Drive to prevent thieves from starting a car through this method. However, this will not be able to stop the thief from entering a locked Tesla car. 

Owners are also advised to regularly monitor the keys authorized to unlock and start the car via what Tesla calls “whitelisting.” Tesla owners may do this check after giving an NFC card to a mechanic or a valet parking attendant.