Voltage glitching unlocks Tesla features
【Summary】German PhD students from Technische Universität Berlin demonstrated at Black Hat how they were able to bypass the purchase requirement to activate heated rear seats in a Tesla Model 3 by using voltage glitching. By soldering wires to the infotainment and connectivity ECU, they were able to drop the voltage at the right time to trick the system into thinking it was being booted securely, gaining root access and unlocking the seats.
A group of German PhD students from Technische Universität Berlin showcased their ability to unlock paywalled features in a Tesla Model 3 at the Black Hat conference. Instead of approaching the problem from an outsider's perspective, the researchers focused on making modifications as someone with physical access to the vehicle. Their first attempt to modify the firmware was unsuccessful due to Tesla's secure boot process, which is a relatively new development in their computers.
Previous versions of Tesla computers had vulnerabilities that were fixed through firmware updates. However, the researchers encountered a roadblock with the current Tesla computers, which have a boot chain of trust, firmware and OS signing, and a root of trust in their AMD SoCs. With these protections in place, the researchers could not gain access to the computer by modifying the firmware.
The researchers found inspiration from a previous study on AMD's Secure Encrypted Virtualization, which involved causing a voltage glitch. They soldered wires to the infotainment and connectivity ECU in the Tesla, causing a voltage drop at the right moment to trick the system into thinking it was being booted securely. This allowed them to gain root access and unlock the heated seats. They also managed to extract information stored in the Tesla computer, such as location history, Wi-Fi passwords, and session cookies.
When the researchers contacted Tesla to share their exploit, Tesla's main concern was whether it was persistent. Since the exploit was not persistent, Tesla did not respond to the researchers. To achieve persistence, the researchers would need to solder a mod chip to the board, which would void the warranty.
The team has not yet tested the exploit in an actual Tesla, but independent security researcher Oleg Drokin, who worked on the project, has tried it successfully. They have not attempted the exploit on other vehicles with software-locked features, but the researchers suspect that other manufacturers may not have the same level of protection as Tesla.
Tesla's reliance on voltage-vulnerable AMD chips raises questions about its supply chain security. The researchers suggest that software modifications could be made to detect voltage modulation and prevent insecure boots. However, Tesla has not responded to inquiries about this matter.