
Voltage glitching unlocks Tesla features


【Summary】German PhD students from Technische Universität Berlin demonstrated at Black Hat how they were able to bypass the purchase requirement to activate heated rear seats in a Tesla Model 3 by using voltage glitching. By soldering wires to the infotainment and connectivity ECU, they were able to fool the system into thinking it was being booted securely, gaining root access to the device and unlocking the heated seats.

FutureCar Staff    Aug 20, 2023 7:16 AM PT

A group of German PhD students recently demonstrated at the Black Hat conference that there is a way to unlock paywalled features in cars. However, this discovery is unlikely to cause major concerns for automakers. The researchers from Technische Universität Berlin focused on bypassing the $300 purchase requirement to activate heated rear seats in a Tesla Model 3. Their approach was different from previous Tesla hackers who tried to gain control of vehicles from the outside. Instead, they approached the problem as someone who already had physical access to the vehicle and wanted to make modifications to installed features.

The researchers' initial attempt was to modify the firmware in the Tesla's computer. However, they were unable to bypass the secure boot process, which is a relatively new development in Tesla's computers. Previous versions of Tesla computers had vulnerabilities that were fixed through firmware updates. Despite these improvements, the researchers faced challenges in accessing the system due to the boot chain of trust, firmware and OS signing, and root of trust in the AMD SoCs used in Tesla computers.

By soldering wires to the infotainment and connectivity ECU, which contains the gateway chip storing software-locked feature settings, the researchers were able to manipulate the voltage to trick the system into thinking it was being booted securely. This allowed them to gain root access to the device and unlock the heated seats. Additionally, they could extract information from the Tesla computer, such as location history, Wi-Fi passwords, and session cookies for services like Spotify and Gmail.

When the researchers contacted Tesla to share their exploit, Tesla's main concern was whether the exploit was persistent. Since it was not, Tesla did not respond further. To achieve persistence, the researchers would need to solder a mod chip to the board itself, which could void the warranty. Although they haven't tested it on an actual Tesla yet, an independent security researcher who worked with the team has reportedly tried it successfully.

The team has not yet attempted to duplicate the exploit in other vehicles with software-locked features, such as BMWs, due to the lack of available computers for testing. However, the lead researcher believes that other manufacturers may not have the same level of protection as Tesla. Tesla has invested in defending its software against attacks and has actively engaged with hackers in the past, which may not be the case for other automakers.

This discovery highlights a potential failure in supply chain security, as Tesla uses voltage-vulnerable AMD chips in its computers. The researchers who previously discovered the AMD voltage glitching vulnerability suggested that software modifications could help detect voltage modulation and prevent insecure boots. It remains to be seen if Tesla will release a patch to address this issue.

Despite attempts to reach out to Tesla for further information, the automaker has not responded to inquiries at this time.
