Tesla hackers exploit voltage glitching for feature unlocking

【Summary】German PhD students from Technische Universität Berlin demonstrated at the Black Hat conference how they were able to bypass the purchase requirement to activate heated rear seats in a Tesla Model 3. They used voltage glitching to fool the system into thinking it was being booted securely, gaining root access to the device and unlocking the seats. The researchers were also able to exfiltrate car information and user data.

FutureCar Staff    Aug 16, 2023 10:26 AM PT

A group of German PhD students from Technische Universität Berlin demonstrated at Black Hat how they were able to bypass the purchase requirement to activate heated rear seats in a Tesla Model 3. They approached the problem by trying to modify the computer from a Tesla Model 3 themselves, rather than by gaining control of the vehicle or breaking into it as an outsider.

Initially, the researchers attempted to modify the firmware in the Tesla's computer but were unsuccessful due to the secure boot process. Previous versions of Tesla computers had vulnerabilities that were fixed through firmware updates. However, the researchers faced a challenge with the newer Tesla computers that had a boot chain of trust, firmware and OS signing, and a root of trust in their AMD SoCs, making it difficult for them to gain access.

By soldering wires to the infotainment and connectivity ECU, which contained the gateway chip storing settings for software-locked features, the team managed to manipulate the voltage at the right time to trick the system into thinking it was being booted securely. This allowed them to gain root access to the device and unlock the heated seats. Additionally, they were able to extract information about the car and user data stored in the Tesla computer.

When the researchers shared the exploit with Tesla, the automaker's primary concern was whether the exploit was persistent. Since it was not, Tesla did not respond further. Achieving persistence would require soldering a mod chip to the board itself, which could void the warranty. While the team hasn't tested the exploit in an actual Tesla yet, independent security researcher Oleg Drokin has reportedly tried it successfully.

As for other vehicles with software-locked features, the team has not attempted to duplicate the problem in BMWs or other manufacturers' vehicles. They believe that other automakers may not have the same level of protection as Tesla, as Tesla has invested in defending against software attacks by attracting hackers. However, the use of voltage glitching as a bypass raises questions about supply chain security, considering that voltage-vulnerable AMD chips are used in Tesla computers.

The team that discovered the AMD voltage glitch suggested modifying software to detect voltage modulation as a preventive measure. It remains to be seen if Tesla will release a patch to address this vulnerability.

Tesla has not responded to inquiries regarding these findings.
