
Voltage glitching unlocks Tesla features


【Summary】German PhD students from Technische Universität Berlin demonstrated at Black Hat how they were able to bypass the purchase requirement to activate heated rear seats in a Tesla Model 3. By manipulating the voltage in the vehicle's computer, they were able to unlock the features and gain root access to the device. They were also able to exfiltrate information about the car and user data stored in the Tesla computer. Tesla has not yet responded to the researchers' findings.

FutureCar Staff    Aug 17, 2023 10:20 AM PT

A group of German PhD students from Technische Universität Berlin recently demonstrated a method to unlock paywalled features in a Tesla Model 3. Instead of attempting to control or break into the vehicle from an external perspective, the researchers approached the problem as individuals with physical access to the car. Their goal was to make modifications to the computer system and bypass the $300 purchase requirement for activating heated rear seats.

The initial attempt involved trying to modify the firmware in the Tesla's computer, but they encountered difficulties due to the secure boot process, which was a new development in Tesla's computers. Previous versions of Tesla computers had vulnerabilities that were patched through firmware updates. However, the researchers discovered that the latest Tesla computers had a boot chain of trust, firmware and OS signing, and a root of trust in their AMD SoCs, making it challenging for them to gain access.

The researchers drew inspiration from a previous study that demonstrated a voltage glitching attack against AMD's Secure Encrypted Virtualization. Since Tesla vehicles use AMD processors, the team soldered wires to the infotainment and connectivity ECU, which contained the gateway chip storing software-locked settings. By manipulating the voltage at the right moment, they tricked the system into thinking it was booting securely. This allowed them to gain root access to the device and unlock the heated seats. Additionally, they were able to extract information such as location history, Wi-Fi passwords, and session cookies from the Tesla computer.

When the researchers informed Tesla about the exploit, the company's first concern was whether it was persistent. Since it was not, Tesla did not respond further. Achieving persistence would require soldering a mod chip to the board, which could void the warranty. While the team has not tested the method on an actual Tesla vehicle, independent security researcher Oleg Drokin, who collaborated with them, has successfully done so. The researchers have not attempted to reproduce the attack in other vehicles with software-locked features, but they suspect that other manufacturers may not have the same level of protection as Tesla.

Although Tesla has invested in defending against software attacks by attracting hackers, the use of voltage glitches as a bypass method raises concerns about supply chain security. The team behind the 2021 AMD voltage glitching paper suggested modifying software to detect voltage modulation and prevent insecure boots. It remains to be seen if Tesla will release a patch to address this vulnerability.

Unfortunately, Tesla has not responded to inquiries regarding these issues.
