
Tesla hackers exploit voltage glitching for feature unlocking

【Summary】German PhD students from Technische Universität Berlin demonstrated at the Black Hat conference how they were able to bypass the $300 purchase requirement to activate heated rear seats in a Tesla Model 3. By soldering wires to the infotainment and connectivity ECU, they were able to manipulate the voltage and gain root access to the device, unlocking the features. The researchers also exfiltrated information about the car and user data stored in the Tesla computer.

FutureCar Staff    Aug 18, 2023 8:19 AM PT

A group of German PhD students from Technische Universität Berlin recently demonstrated a method to unlock paywalled features in a Tesla Model 3. Instead of attempting to gain control of the vehicle from the outside, the researchers approached the problem as if they already had physical access to the car. They wanted to make their own modifications to features that were already installed but locked.

The researchers initially tried to modify the firmware in the Tesla's computer, but they were unsuccessful due to the secure boot process. Previous versions of Tesla computers had vulnerabilities that were fixed through firmware updates. However, the current Tesla computers have improved security measures, including a boot chain of trust, firmware and OS signing, and a root of trust in their AMD SoCs. This made it difficult for the researchers to gain access.

The researchers drew inspiration from a previous study that used voltage glitching to subvert AMD's Secure Encrypted Virtualization. They realized that Tesla vehicles also use AMD processors. By soldering wires to the infotainment and connectivity ECU, which contains the gateway chip storing software-locked settings, the team was able to manipulate the voltage and trick the system into thinking it was being booted securely. This allowed them to gain root access and unlock features like heated seats.

In addition to unlocking features, the researchers were able to exfiltrate information from the Tesla computer, such as location history, Wi-Fi passwords, and session cookies for services like Spotify and Gmail. When the researchers contacted Tesla to share their findings, Tesla's primary concern was whether the exploit was persistent. Since it wasn't, Tesla did not respond further.

To achieve persistence, the researchers would need to solder a mod chip to the board itself, which would void the warranty. They have not yet tried the exploit on an actual Tesla, but an independent security researcher who worked with them has tested it successfully. The team has not attempted the exploit on other vehicles with software-locked features yet.

The researchers believe that other automakers may not have the same level of protection as Tesla, as Tesla has invested in attracting hackers and improving its software security. However, the researchers note that Tesla's reliance on voltage-vulnerable AMD chips raises concerns about supply chain security. They suggest that software modifications could be made to detect voltage modulation and prevent insecure boots.

Despite these findings, Tesla has not responded to inquiries or released any patches addressing the vulnerabilities.
