
Voltage glitching unlocks Tesla features


【Summary】German PhD students from Technische Universität Berlin demonstrated at Black Hat how they were able to bypass the $300 purchase requirement to activate heated rear seats in a Tesla Model 3. By soldering wires to the infotainment and connectivity ECU, they were able to manipulate the voltage and gain root access to the device, unlocking the heated seats. They were also able to access and exfiltrate user data stored in the Tesla computer.

FutureCar Staff    Aug 16, 2023 7:30 AM PT

A group of German PhD students from Technische Universität Berlin recently demonstrated a way to bypass paywalled features in a Tesla Model 3. Instead of trying to gain control of the vehicle from the outside, the researchers approached the problem as if they already had physical access to the car. Their goal was to make modifications to the computer system and unlock optional features that were already installed but locked behind a purchase requirement.

In their first attempt, the researchers tried to modify the firmware in the Tesla's computer. However, they were unable to bypass the secure boot process, which was a relatively new development in Tesla's computers. Previous versions of Tesla computers had vulnerabilities that were fixed through firmware updates, but the current models have a boot chain of trust, firmware and OS signing, and a root of trust in their AMD SoCs, making it difficult for the researchers to gain access.

By soldering wires to the infotainment and connectivity ECU, which houses the gateway chip storing software-locked settings, the team managed to manipulate the voltage and trick the system into thinking it was being booted securely. This allowed them to gain root access to the device and unlock the heated seats. They also discovered that they could exfiltrate information about the car and user data stored in the Tesla computer, such as location history, Wi-Fi passwords, and session cookies for services like Spotify and Gmail.

When the researchers contacted Tesla to share their exploit, the automaker's main concern was whether the exploit was persistent. Since it wasn't, Tesla has not responded to the researchers. Achieving persistence would require soldering a mod chip to the board, which would void the warranty. The team has not yet tried the exploit in an actual Tesla, but an independent security researcher who worked on the project with them has reportedly tested it successfully.

While the researchers have not attempted the exploit on other vehicles with software-locked features, they believe that other manufacturers may not have the same level of protection as Tesla. Tesla has invested in attracting hackers and improving its software security, but it remains unclear if other automakers have taken similar measures. The researchers also noted that Tesla's reliance on voltage-vulnerable AMD chips raises concerns about supply chain security.

It is possible that software modifications could be made to detect voltage modulation and prevent insecure boots, but it is unknown if Tesla will release a patch for this vulnerability. As of now, the automaker has not responded to inquiries regarding this issue.
