The Hacker Mind Podcast: Hacking Teslas
With digital convenience there’s often a price. And if that means a bad actor can create a wireless key for your new Tesla, that price is pretty steep.
At CanSecWest 2022, researcher Martin Herfurt announced a new tool, TeslaKee.com, which he hopes prevents wireless key attacks from happening. Martin joins The Hacker Mind to discuss this and his earlier Bluetooth vulnerability research, including the Car Whisperer and the Tesla Radar.
Vamosi: I once wrote about a petty car thief in Prague, Czech Republic who started the usual way, by using scissors to cut the wires and hotwire the engine to drive away. But in the early 2000s, that was starting to give way to key fobs. These initial sets of key fobs were convenient; you could unlock your car from a few feet away. And at the time, while you couldn't necessarily start the car, you still needed the fob to be present when you hit the start button so the car would start. As with most advances in automotive, this technology started at the higher end models. So for a young, streetwise petty thief who wanted to make a big score, he needed to up his game. In the early days, there were not too many of these key fobs. So entropy, randomization: it wasn't very robust. It was a mere 40 bit key length. And in fact, you could map out all the possible combinations of this 40 bit key length on a typical laptop computer. Even so, the car manufacturers carved out large groups of codes. So if you wanted a Mercedes you only needed to generate the keys in a particular range. So what this petty thief did: he walked around Prague looking for a new Mercedes, and then he used his laptop and an RFID antenna to generate all the possible combinations for a Mercedes key code until one hit. And he did it again. And he did it again. The downside for him was that when he was finally arrested, his laptop had all the key codes still on there, and they further linked him to some 150 other car thefts in the area. Needless to say, he did some serious things. Since then, car manufacturers have improved on this. Certainly no one uses 40 bit encryption anymore. So you would think that when a revolutionary car company like Tesla comes along, maybe they figured out this whole key thing. As Kevin Mahaffey of Lookout said, Tesla is just a big network server on wheels. Well, in a moment, you'll hear from someone who figured out something much simpler.
Bluetooth, yeah, Bluetooth might just be the key to getting inside any Tesla
Welcome to The Hacker Mind, an original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi. And in this episode, I'm talking about hacking Teslas, or rather a new product called TeslaKee that prevents somebody from hacking into cars. Well, you'll get the idea.
Vamosi: I've always wanted to go to CanSecWest. It's in Vancouver, and it's the home of Pwn2Own, which is the contest where basically if you hack into something you own it, it's yours. You can take it away, and lately the prizes have been Teslas. Pretty, pretty cool. Anyway, I've always been wanting to go and finally I got to go this year, and unfortunately COVID is still raging around the world. So attendance was light, to say the least. However, the quality of the speakers was still very high.
Herfurt: My name is Martin Herfurt and I'm a security researcher.
Vamosi: Twenty years ago, Martin participated in the early stages of the Bluetooth Special Interest Group, or Bluetooth SIG, the standards body that oversees the development of Bluetooth standards and licensing. And ironically, the Bluetooth SIG met in the same hotel where CanSecWest is being held today.
Herfurt: So we were cooperating with the Bluetooth SIG back in the days when we were discovering Bluetooth security loopholes, and they were approaching us asking us if we could assist them during these UnPlugFests, they call them. These were events where they would ensure that all the Bluetooth manufacturers and all the devices they make would be able to talk to each other, because after all, Bluetooth is a device or manufacturer independent standard.
Vamosi: So what exactly is Bluetooth? I mean, how exactly is it different from Wi Fi or NFC?
Herfurt: Of course, it's a range thing and it's a bandwidth thing. And of course it's a frequency thing.
Vamosi: I first became aware of Martin's work back in 2010 when I was writing When Gadgets Betray Us. Martin had observed that certain manufacturers were using fixed PINs such as 000 to make it easier for customers to pair their mobile devices with their cars, so they could make calls, listen to music. It was also much easier for Martin to pair his device and in doing so listen in on conversations in nearby cars. Think about it. The consequences of this could be that a police officer could be listening into a car ahead of them on the road even if that person wasn't even currently making a call.
Herfurt: I think it was first presented at What The Hack in the Netherlands; that was a camp organized by the Nanded or the Dutch computer organization. And the Car Whisperer was an attempt to show manufacturers of hands free sets that a pre-programmed PIN that cannot be changed by the user would not be the ideal way to handle security in this respect. So the thing was that one major German car manufacturer had the standard PIN of 1234. And on the other hand, that Bluetooth radio was connectable the whole time. That means, like, when the car was started and drove away, anyone knowing that very well known passkey was able to connect to this Bluetooth hands free set in the car and would have been able to listen into conversations within the car or inject audio. And that's what we were going for, just for a fun project, and in order to show that this is an issue with the technology.
Vamosi: So the Car Whisperer had a video, a movie poster, a campaign. But that’s not how it came about.
Herfurt: What The Hack was in parallel with DEF CON and Black Hat, and I think Adam and Marcel, the two other members, more active members at the time, were leaving What The Hack to me. The organizer of What The Hack, Rop Gonggrijp, asked me: Well, Martin, your talk is nice. We already know everything you're going to talk about. So come up with something new, please. It's almost always like that with conferences, and I totally get it, right? They want to have that unique selling point for their paying audience. And so I thought about the thing that I thought would be fun. It's not been like that terrible, terrible security stuff that you would, like, own anything, but I think it's very relatable because everybody knows it. So I do have a car and it's really handy to speak without having to attach a cable and everything. So people knew that this was something they used. And suddenly they became aware that there might be some potential for abuse.
Vamosi: Next to buying a house, a car is probably the most expensive purchase you'll ever make. So how do you protect that car? Traditionally, you've had a physical key that you insert into a lock that turns the tumblers and releases that lock. And also that key is used in the ignition. Lately though, this has turned into an RFID tag, which is a fob that you carry in your pocket, and the fob reaches out to the car and it will unlock the car or lock the car. And when you're in the car, it will identify you to the car so that when you press the start button you can drive. Lately, this has moved even further, to your phone. You can now have an app which does all of that correspondence back and forth with the car. And this is what Tesla has adopted. In fact, if you want to get a physical key or a key fob you have to pay extra on top of what you paid for the Tesla. So they're really pushing this technology. Martin wanted to look into it, wanted to see what was going on there. And at CanSecWest he reported on a flaw that might affect not only Tesla, but other cars thinking about doing this in the future as well.
Herfurt: So in theory, I'd say whenever car manufacturers pick up similar ideas, it might be possible to have a similar attack there as well. So what I was talking about at CanSecWest was very specific to the Tesla way of doing that. And to my knowledge, I can very well imagine that a lot of car manufacturers are going to copy the way that Tesla is doing that, because I believe Tesla's very innovative in that way. And I'm pretty sure there will be copycats, because they cannot protect this kind of procedure, right? Once it's known, people will copy. But so that was very specific to Tesla. So I couldn't just take that and go to another car manufacturer's product and say it works well. Very unlikely.
Vamosi: In 2010 researcher Don Bailey said at BlackHat that year that it took him about two hours to figure out how to intercept wireless SMS messages sent between a car and the network and then recreate them on his laptop computer. That isn't quite what we're doing here.
Herfurt: You know, back in the days, I was not really paying attention to a lot of the other things going on. So for example, SMS to the car, not so much an issue, at least not in my world, because SMS enabled cars or connected cars with a SIM card in it were not so much a thing to me at least. So maybe some upper level cars had it, but not the average car, to my knowledge. But of course, whenever there's a surface to attack, people will most likely try to attack. There have been car hacking attempts. For example, a few years back there was Samy Kamkar, which is, like, one of the attacks I was looking into in order to maybe find some inspiration for the TeslaKee.
Vamosi: In 2015 Samy Kamkar debuted at DEF CON an attack he called RollJam. The idea is that when you push the unlock button on a key fob, it sends out a modulated radio signal that gets picked up by a receiver in the car. If the modulated code matches the car's, then the door will unlock. Here's the RollJam part: a hacker places a wallet sized device somewhere on the targeted car. And then when the owner tries to unlock the vehicle by pressing the unlock button on the remote, the device jams that signal so that the vehicle doesn't hear it, and at the same time intercepts that same code. When the owner of the car then tries to use the key remote a second time to unlock the vehicle, the device jams the signal and steals the second code, but at the same time sends that very first code to the car, allowing the door to open. Now the hacker has a unique code in his back pocket that can be used at a later time, because the car never really heard that second signal.
Herfurt: The catch was that he was blocking the frequency and was like collecting rolling key attempts like authorization responses in a way and he could later on use in order to unlock the car when the owner was not around. So I thought about that. I really liked the idea but overall the way that Tesla is using the technology would make it really hard or it's not even the same scheme so could not be easily replicated that way. But of course, recording authorization responses from the car was something that I included in the talk it's a little more complicated because there's more advanced cryptography at work. But yeah, maybe it's along the same lines.
Vamosi: So there's the replay attack. And then there's the relay attack. In one you're simply capturing it, as with Samy Kamkar's device, and replaying it at a later time and date. In the other you're actively being a man in the middle and you're relaying the data from one person to another.
Herfurt: So the video that we published shows the relay attack. So we just pass on the messages that we receive from the phone key and just feed that into the Tesla, and the Tesla doesn't care so much and talks back to that feeding device, which then transfers all the messages back to the phone. So that's a relay attack. The replay attack means that a pre-recorded message is just sent at a different time to the vehicle and would work in ways of unlocking it and so on. So I haven't tried that actively, but that was one of the observations I had during the talk, because when I was programming or, like, developing the TeslaKee app, I had a lot of messages going back and forth, and that was just one observation: this token which is used for authentication requests. So once you approach your car and you tap the door handle, this is a signal to the car that somebody wants to enter the car. And it would then ask for authorization and would find out, well, is there a phone key in the area? Usually when the phone key sees the car, it's connecting and says, here, I'm the key with that, that and that ID, just for you to know, to the car, and the car then knows, right? So this is the right key material that this phone has to use in order to get authorized. But the key by itself is not enough. There's also a challenge. It's called an ID token in that context, and this token changes over time and is sent together with that authorization request to the phone key. The phone key then understands that message and encrypts it back to the sender, to the vehicle, with that secret key the car and the phone have, that challenge token, and only then the car would unlock. So the challenge token, or the token that Tesla uses for that, should change per request, I'd say. So it doesn't, even better or even worse.
It doesn't change on a daily basis so much so I know I did that temporary tool and what that does is enumerates all the keys that are whitelisted in a car so you could ask the car so how many keys are in use in your database? The car would answer and would tell the other device that is questioning all the details about the crypto counter the session token. And that's done because it could be that the phone key gets out of sync for some reason and needs a way to resync and that by itself is not a not a threat. But I saw that crypto counter with that that was not the issue but the token used for the challenges did not change. And even after using that token a few times for authentication responses so like positive, at least at that point, the car should go ahead and say alright, I do and I make a new token so that the next time the phone key has to respond differently. So and in theory are very practical theory. This token, if it's not changing, enables attackers to record these responses of a phone key to authorization requests. I do not know how long this time frame is. But from observation. It's a few hours maybe.
Vamosi: So again, let's take a step back a moment. I have a key fob that lets me in and out of my car. But it's not a Tesla. If I had a Tesla, I would have an app instead of a key fob. And it's that app that we're talking about that allows you to open the doors and start your engine.
Herfurt: Right. So the app is replacing the key fob. And that's a very convenient thing, because after all, it's one piece less to carry around. So sort of synergy, convergence, however you want to call it. I like it. And it's an application on the phone that is making use of the Bluetooth Low Energy stack in order to send encrypted and not encrypted messages to the car interface, based on that protocol, which is called VCSEC.
Vamosi: Aha. So VCSEC, that sounds very promising, particularly if you're a researcher trying to figure all this out. So what is VCSEC?
Herfurt: Yeah. I was wrong in the first assumption that this is vehicle control secure or security or something related to security. VCSEC, I found out later, is vehicle control secondary. And yeah, makes a lot of sense, right? Because, of course it has to do with security in a way, but it's not its main purpose.
Vamosi: So what is the purpose of this vehicle control secondary in Teslas?
Herfurt: I started looking into that when I was finding out about that message format. So I was able to be in the middle when the car talks to the phone and vice versa. So I was receiving these messages, which at first sight I was not really able to make sense of. I figured quickly that the first two bytes were length related, so it would just tell the recipient of the message how many bytes are going to follow. And the rest was like a miracle to me at first, but then I found a tool. It's called pbtk, and I found out about protobuf, which is a binary version of JSON. JSON is a textual, human readable format for data. And protobuf has initially been developed by Google and is shrinking that down by making a binary format from it. So text elements get replaced by numbers. Really small, small, small, really good fit for the Bluetooth Low Energy technology, because it's more limited bandwidth there. And I found out that it's really easy to extract the VCSEC .proto file, which is exactly that vocabulary for that protobuf implementation. And having that and having the protoc tool enabled me to translate or to deserialize all these messages I was receiving back to text format, which was really handy, right? Because then it made a lot of sense what's going on there, right? And with app version four, they switched it, and the pbtk tool stopped working for me. So the pbtk tool is, like, on GitHub, and I was also asking, maybe they could extend that to Square Wire. So it's another implementation for the same kind of thing. So it's compatible with each other, but different manufacturers use different notations in the class files. That means I had to hack a script which is not as good as the pbtk tool. I just grabbed all the class files for certain annotations and scribbled them out, and out comes a .proto file which is more or less the original. Not the same, though, but works for me.
And it's also in a repository now for people to play with. And that's the first step you need to do if you're talking VCSEC or you want to understand VCSEC: you have to have that vocabulary. Having that, you can decode or deserialize the messages, and then a little bit of guesswork has to be used as well, or guesswork that is backed on the obfuscated code you have, right? So for example, it took me a while to figure out, when there are authorization requests, how would you answer that? There is something which is encrypted, which is like the black box of the message. You would see its crypto counter such and such, signature such and such and, you know, an array that has to do with that encryption. That I know how it works, but still, what's inside that encrypted bit? That's hard to find out, and you could look into the code and it's really hard to trace back where the information comes from that is going into that crypto text. But finally, also with guessing, there's been this VCSEC message type. It's called authorization response, like, in retrospect, easy, right? But also there, there's fields that I had to guess, because I never saw an original message, because an original message would only be available from the phone, right? And the phone, I did not succeed extracting the keys from the phone, because I'm not good at that. I think it's very doable. And I had a discussion yesterday as well. So I think dynamic instrumentation with Frida, for the people who know about that, could work there. And that's also what I tried already, but I did not find the right places to set a hook. The hook means that whenever a certain function is called, you are able by dynamic instrumentation to tell what this function is going to return, or you can see what it's gonna return. And once there is a function like get secret, or something along these lines, you would hook that and get the secret key which is somewhere buried in the device.
So it's not just lying there. It's using device encryption and it's pretty well protected. So one of the ways you can unlock your Tesla is through an NFC card that owners receive upon purchase. This is less convenient than the phone as a key option, which works on any Bluetooth enabled device as soon as the car driver approaches, but the NFC card is supposed to clearly identify the owner and thus allows additional functions that the attacker might be able to use in order to steal. For example, there can be multiple owners of the card, and in particular, what Martin found was that after an NFC card swipe, it is possible to store a brand new key for that car in the first 130 seconds after it's swiped.
Vamosi: So what's interesting is a few months ago, Tesla had an app outage, a few users were unable to open their cars or use their cars in general, because the app could not access the server. This only lasted for a few hours, but it does show some of the vulnerabilities that could happen if you're not connected.
Herfurt: So I became aware of that. It was a very small outage, but it's not related to the Bluetooth back end. Actually. The good thing about the Bluetooth phone key is that it works offline. It's good and bad in a way but I think it was specially designed to work under circumstances where there is no network coverage and so on like let's say you're in the underground garage and you want to use your car that should work without inconveniences. So I think Tesla did a very good job and made sure the technology works because people using that should have trust in it and not bother so much and I think they did a pretty good job with that. Of course on the other side of convenience and assurance, ensuring things there might be the security factor which is not as important at this stage of the product design. Maybe, you know, it's always hard to estimate or to assume how processes work in big companies like that. So I said the engineering looks very good and I think there's really good people working on the product. But my assumption is also that there's a high fluctuation in people that get to Tesla to really have high potential energy and then maybe they leave the company for whatever reason and a very good idea is not being finished.
Vamosi: So when you see a talk like this at CanSecWest, or any other conference, you're probably thinking oh wow, they probably just pulled that out of their back pocket and presented it No. In this case. It took several years for Martin to get to this point where he could report on this type of research.
Herfurt: So the research at all began earlier. I said it was June of 2019. That's when I started doing that Tesla Radar app, which does not really have to do with the research I was presenting at CanSecWest. So the research for CanSecWest started in June again, or July, of 2021. And you know, the first impression was, well, there's this tool. Let's give it a try. I gave it a try. And I was disappointed, and on the other hand, I was really proud that this worked just out of the box. So I had two Raspberry Pis. I did that kind of relay that's also visible in that YouTube video we did. And I was proud it worked, or was happy it worked, right out of the box. But then I was, like, leaving my key in the office with the one Raspberry Pi, and I took the other one and also took my NFC card with me, of course, for fallback and stuff. And I was hopping in the car and driving around, right, like quite a distance from the key. So at that point, I didn't know that they wouldn't even check the GPS location of the key versus the GPS location of the car, which was one of the ideas that I had later on for that TeslaKee product.
Vamosi: So before he looked at the mobile keys the phone as a key option in Tesla's Martin created something he called the Tesla radar. It takes advantage of another issue, the fact that much of the car's data is broadcast out to the larger world. That is if you know how to listen.
Herfurt: The issue was in 2019. That's when I got my car in Europe. Mine was one of the first ones, to actually have that Model 3. I pre-ordered it and I wanted to have it. I was blinded by that low price tag. They were, like, in the media, you know, they said it's gonna be 35,000. Well, I said, I pre-ordered, well, and I ended up paying almost twice for that, you know, but that's how it goes. It was possible at the time and I'm not regretting it, so it's a nice car. But I found out that this Bluetooth signal is following me all the time, right? So it's like the car is visible. It's blurting out his/her name, and everybody who wanted to could see that, right? So just imagine, I'm self employed, but if you had an employer, you know, he or she wouldn't even have to have time tracking for you. Right? Knows exactly when you're in the office or not. Your neighbor would know whether you're home or not. Burglars would know whether you're home or not. Things could get complicated, and there are different technologies, like I mentioned in the OTech yesterday as well. So the AirTag had that stalking problem, like in February this year, a big outcry. Why? Because people were giving or, like, putting these really small AirTags into purses and pockets of people they wanted to stalk, which is not okay. And Apple reacted immediately and everything was more or less fine. It's not really fine, so it's still trackable. You can avoid this non tracking option. But there has been a big outcry. So what I do not get: Apple did really a good job in obfuscating their address. So if you find an AirTag, you could not say it's the same AirTag that you saw earlier or not, because only Apple is able to do that. And this is not true for Tesla. Everybody who has a Bluetooth phone, or a Bluetooth device, can see this car and could recognize it the next day without even knowing some of the secrets. For the case of Apple you would have to know that; for the case of Tesla, you don't.
So I thought that's a privacy issue. I'm not a lawyer. And that's actually a sentence you hear quite often in that IT security scene, but I'm not a lawyer as well. And I do not know how this is a GDPR breach, if this would even be a thing. I thought then, so maybe, I tested the Radar program, and the guy who's collecting that data now maybe has a GDPR issue, because I collected that data, so I concentrated on it, so maybe that's an issue now. But as long as nobody approaches me, I think it's fine. But showcasing that anyone or any organization with the means of having, like, several of these sensors that would sense Tesla cars coming by would be able to track one specific vehicle over an area, and that could lead to a problem, because usually the driver of a vehicle is almost always the same or belongs to a very small group. So it makes it personal, personable, or personally identifiable. Yeah, I think in Berlin there was one of the things: they had these Audi cars back then, and actually in the government, right, so every politician who was entitled could have that service to be driven from one government building to another one, or, like, to appointments and stuff. And Audi, as I said, has been this company that did that, cause or unable to cause, for I think they had the connection. They said, okay, if it's this Bluetooth address I'm spotting, it's Mrs. Merkel in the car, right? And so this became a problem. So this could become a problem again, in a different context. I'm pretty sure the German politicians would not drive a Tesla, because it's not a German make, right? They're pretty nationalistic there. But if you think about that, if the incentive is high enough, so I could roll out one of these networks easily and not tell people. And it's, you know, the difference with Tesla Radar.
It's known to people who are interested. I'm not trying to hide it, but I could, like everybody could, hide that kind of a system and could then spy out a certain group of people that own Teslas, just in very general terms.
Vamosi: Martin also found that there's something to do with proximity. In other words, he had a unit in the wrong place in the car and it didn't open the car. The Raspberry Pi was not in the right place. However, if it was logically near a door if it was near where a passenger might actually be getting into the car. It did work.
Herfurt: Yeah, I think Tesla upped their game when it comes to device detection and especially where the device is located, and I think it has to do also with developments going on for the Roadster, because the Roadster doesn't have door handles. So on the one hand, it's really cool, because it's really flat doors and people are puzzled by that. On the other hand, yeah, door handle, I like it. But that's just me. But the thing is, you approach your car with your phone in the pocket, and the car knows which door to open, right? And that's why they have to have this kind of high resolution location, whatever you want to call it. And I know that Tesla has also introduced ultra-wideband in their patents, and also, like, Dr. Avize, I think they are experimenting with ultra-wideband, which is also used for AirTags, by the way, because the location resolution would be higher. So I think in order to exactly tell where the device is, that would help. But the thing you are referring to is that when I was doing my experiments, my Raspberry Pi had a really strong Bluetooth dongle on it, and it was located in the trunk of my car, because there was a battery with that, and a GSM device, and I was able to talk to it. But the thing was, from one firmware version to the next one, they introduced this kind of signal checking. And of course I was falling out of the clouds, because my talk was accepted. So this would not have been a game stopper, right? So I would still have been able to talk about that topic, but of course, like, the video, and once you have that video and you show it and people like it, you would have to say, yeah, but it's not working anymore. That would have been not so nice.
So I was really happy to find out about that signal read out alert that they have so they would send a message to the phone which in a way is not really making sense a lot because the phone is there to unlock the car, but gets an alert now Hey, the signal readout is wrong to your phone. I do not unlock kind of doesn't make sense because usually it's a malicious device trying to do that and why should that get that information. So changing the dongle on my Raspberry Pi which was located in the trunk changed that because the signal read out was more normal again. So it's just that you can compare that to an ultra high intense light. And you would be blinded. Like all the sensors that present their signal readouts are blinded by that light right now I'm using a small LED instead. And the readout is making more sense and the car is now able to detect what door I would be at. Right so that was the moment where I was really scared that the talk wouldn't be happening as I was planning it.
Vamosi: Just before CanSecWest, a British security group, NCC, announced a Bluetooth BLE vulnerability that was very similar to what Martin was going to talk about. NCC warned that the Tesla Model 3 and Model Y employ Bluetooth Low Energy based passive entry key systems, and this could allow a link layer relay attack that conclusively defeats existing applications of proximity authentication, according to NCC, by forwarding the data from the baseband to the link layer. The hack gets past known relay attack protections, including encrypted BLE communications, because it circumvents the upper layers of the Bluetooth stack and the need to decrypt that. This is very similar to what Martin was going to present.
Herfurt: Yeah, you know, like, a friend posted that, because before I left, we just met in Salzburg and had a coffee, and I was telling him about that talk I'm going to give at CanSecWest, and he was really into it, and he sent me, one day before I had the talk, that article from BleepingComputer, I believe. And there this NCC crew presented exactly what I was going to tell people at the CanSecWest talk. They even did a video, and the shock moment was there, sure. But then I thought, well, they just went the first step, whereas I just went the whole way already, in a way, right? So I understood the VCSEC protocol, whatever. And they just did the first thing that I was doing last year. So I thought they explained it well. Why not use that or refer to that even, because people should know about that. And I think showing that more than one group at the same time had success shows that there might be a few people not talking about that issue, maybe taking advantage of that already, and for a longer time, maybe. So I think it's a good thing after all, but it still occurs in that situation, but you have your talk. You don't want to hear that.
Vamosi: So Tesla got some of the things right. For example, the encryption is good, the cryptography is good. However, there's probably some more areas where they could have obfuscated the data better.
Herfurt: So talking about obfuscation, you are referring to the code which I was decompiling from the official Tesla app. And talking about obfuscation, it's more or less a standard thing that makes decompiling Java code or Kotlin code, in this respect, hard. That means that variables and function names are reduced to, like, numbers and letters that do not really say anything. So if you read that, it's not, you know, if you think of a function like getCryptoKey, that would be really just descriptive. But now it's called f112, whatever. So it's obfuscated. It's not encrypted or anything, but it's really hard to understand. And of course there are tools that help obfuscate that, but it requires a lot of work, and I think in the work I did for the Tesla app, the code base of the things I was interested in was quite well separated from the rest of the code. And so the code base for doing the deobfuscation was really small, even though it's really getting to your nerves if you want to try that, and you have to note down, "this is the signature of the function they call, these are the imports," and they all have just one letter. It's a .java, because you end up getting Java, Java class files. And it's a lot of work, which I do not like to do a lot. So it's, like, very, what's the word, like? A no TDs
Vamosi: So the vehicle identification number, it's kind of a unique ID to the car, and yet it's not really that unique. There are certain elements, kind of like a MAC address, that are spelled out, and they basically tell you where the car was made and when.
Herfurt: So the VIN is the vehicle identification number, which is very, it is not very, it is unique to the vehicle. And it encodes some information like the build date, the build location, the manufacturer and the model. And the thing is that this VIN is never transmitted via Bluetooth directly. So I thought, you know, whenever you look for devices in your proximity, and you're next to your Tesla, you will see a Bluetooth name that starts out with a capital S and then has some hex encoded data in there, and then it ends with a C A d a PR, where nowadays you only would see the C detail. But these eight bytes in the middle that are hex encoded, like 16 characters, I was always curious about them, what they really do, right? So I did some cryptanalysis very early on, right, and I did not get the point that this was based on the VIN, which totally makes sense in a way if you think about that logically, of why should they have more than one identifier for a car, right? But I didn't quite get it back then. But playing around, you know, I was starting with TeslaKee, and CyberChef is one of the open source programs a lot of programmers use in order to try out stuff, like Base64 encode stuff for a test and maybe do a SHA hash, and I started playing around with the crypto keys and everything, and suddenly I saw a part of that 16-byte signal signature that I was receiving from my car, but it was just a part of that SHA-1 hash. So I figured, all right, they crop that SHA hash and just take the first eight bytes from the original 20, and they would use that as a VIN identifier. Because once I knew it's SHA-1 they use for hash, I was looking in the code base and some of these functions that are external, like the crypto library. You could tell there is a SHA going on, because I think that function is called SHA-1. Or maybe, I don't really remember, or maybe it was in the logging texts.
You know, and in the logging texts they were talking about that VIN identifier, which of course makes total sense, to have that VIN identifier which is not the VIN, but usually using a SHA-1 hash. This is a one-way crypto function, so it's really hard to reverse that process. But you could, and that's what I did, do a rainbow table. That means every possible VIN, you pre-calculate that hash and crop it the way Tesla does it, and then you have it in the database and then you can look it up, right? And doing this database of all possible VINs is quite a research effort, because you would have to find out, well, Gigafactory X does such and such amount of cars, and Model X and Model S and Model 3, Model Y. You have to break that down and kind of come up with numbers that make sense. Luckily I had a lot of data retrieved from different people participating in Tesla Radar, so I had a lot of these hashes lying around in my database. So I could just give it a try and see whether this would fail or succeed to become a VIN again. And so the hit rate at the moment is pretty high. Of course, that's an effort you would have to keep up in order to get new VIN numbers, and correct assumptions about the serial and the number of cars they produce per year at a certain location. But I think I liked that very much. And it enabled the app to be able to tell whether this is a Model 3 or Model Y, and I also added a Twitter bot. That is, like, whenever a user sees a car for the very first time, it will not tweet about the VIN number itself, but it would say "user XYZ spotted a 2021 Model 3 Dual Motor in whatever area." So that's what Tesla Radar does. And so I think that's like a constant stream of events that hopefully makes people use the app, because it's kind of, you know, I put time in there and I would like people to have fun with that.
Vamosi: So we've identified the flaws. What possible attacks could you possibly see from something like this?
Herfurt: So the attacks that become possible are all related to the fact that somebody with a legitimate key is using the car in front of the attacker. So this is like the premise, or the prerequisite, for the attacks to work. And that's also the reason why Pwn2Own, for example, which we had at CanSecWest, considered these attacks that I was going to show out of scope, which is sad a little bit, because I put so much time in it. So if I summed up all the time, it's been like a lot of evenings, because I use my private time for that. And of course, whenever there was a project for the company, for my company where I do security audits for small and medium sized companies in Salzburg, of course this has priority, right? And then it's like one, two weeks' pause. And then the hard part is to get back to the research and find the way to find the point where you wanted to continue. And that made it a little challenging for kids. It's been a long time, and I thought, well, that would have been really cool if I would have gotten whatever, like 100,000, you know, just to break even.
Vamosi: So Martin was communicating this with Tesla, and Tesla was basically saying, we know this is an issue, but they didn't really do anything about it.
Herfurt: The key thing, yeah, that was disappointing, because they said, yeah, we know about that. It's a known limitation. That's the words they were using of that system. And that kind of, you know, until that point in time I was really, I'd say I'm still, but back then it was more, I was a big fan of Tesla, and said they make things the way I would probably do it if I had the means, you know, like an ideal. They did cool stuff, modern technology, all the things that I like as a technical person, right? And they were combining it into a car, even better, and I needed a car back then because my old car is old enough. And so all these factors made me a Tesla fan, but seeing how they would go along with these kinds of threats, you know, like I paid twice as much money as I wanted to originally, and then thinking that somebody could take advantage of my car and steal it, or just unmount the rearview mirrors, you know, would be really detrimental. But that was a very disappointing moment. And so I thought, well, I will ask Tesla about it, if they know about it, if they are aware, and the answer I got kind of demotivated me and motivated me at the same time, because what Tesla said, all right, we know about that. We think you should use PIN to Drive, and that's what we recommend to all our customers. So we are aware, no bug bounty, whatever. So that means all the time that you put in there as a researcher is devalued in a way, because if you do it for the bug bounty you are really dependent on whatever this guy at Tesla thinks about that. And so my feeling about bug bounties is that a lot of time is kind of wasted by the bug bounty companies. They profit from that. And I'm not really certain that this is the way to go, in general.
Vamosi: Martin's research continues.
Herfurt: Yeah. You know, there's one thing that I'm going to present at REcon in Montreal. I'm not going to talk about that, because I promised it to the organizer. Same thing like back then, and then, what the heck. And because it has to be something novel, right? And it's also something that is a really common situation that gets exploited. And I'm not even sure if I'm bothering contacting Tesla about that beforehand, because what's going to happen is, all right, we know already, but it delays my work process, right, because it's maybe taking two weeks and the conference starts in two weeks. And on the other hand, there's no real downside to not communicating with Tesla. Yeah, so I got a little disappointed with the process that Tesla has there, because I always get to hear the same thing: oh, thanks for your contribution. Not interested, but thanks. Yeah.
Vamosi: This sort of sounds like Apple before the bug bounty program there. If you approached Apple with a vulnerability, they wouldn't necessarily respond. Maybe they'd fix it. Maybe they wouldn't. It was a black box. They sure as hell weren't going to acknowledge that you had found the problem in their product. And sometimes they even revoked the developer licenses of individuals who did find flaws. Charlie Miller.
Herfurt: Why the companies are doing that, you know, they have to, because they in the first step did a bug bounty program in order to look cool, right? So that's the price they have to pay now. Now they have to have an answering machine. Yeah. And of course, to them it's a lot of financial benefit, because they do not have to pay all the research time which flows into that kind of process. Of course, having your own researchers does not make a lot of sense, because they are not really objective anymore, because they're paid by you. And now they are causing problems. Only big companies like Google, which Google X is doing that, right. Google Zero, not Google X, is different. Project Zero, I'm referring to, and they do that. But Google is a different company. And I think that Apple and Tesla just want to, it's, what would be the word, it's not greenwashing, but it's like secure-washing themselves with a bug bounty program.
Vamosi: So instead of paying people to find vulnerabilities and report them to the bug bounty program, companies are instead minimizing the findings and then denying the researchers the money that they deserve.
Herfurt: Oh, maybe it's been found by somebody else. That's also possible, but they wouldn't tell me, because they don't have to. And it's like speaking with an oracle: maybe, maybe something comes out, and maybe it's good. Yeah, and I'm not happy with that. But I'm not the only one. So I'm curious to see what the industry comes up with next, because bug bounties maybe are, like, over, who knows. So there's a good chance, if you're like getting into the profession, you want to play some games with a product and maybe win some money, but it's not for paying your daily expenses, right, that you have to rely on. So it's not a secure income, so to say, when somebody at Tesla decides no, for right now, I'm starving to death.
Vamosi: I'd really like to thank Martin Herfurt for coming on the show and talking about the Bluetooth research he's done on Tesla. The TeslaKee application will be released in Q3 2022, and it will be available for both iPhone and Android. You can get on the waiting list now at teslakee.com. With digital convenience there's often a price, and if it means a bad actor can create a wireless key for your new Tesla, that price is pretty steep. Fortunately, there are some good guys like Martin who are looking out for all of us.
Hey, if you enjoy this podcast, tell a friend. I bet there are others who like commercial-free narrative information security podcasts. I have so many stories about hackers who are making a positive difference in the world. I don't want you to miss out. Let's keep this conversation going. DM me at Robert Vamosi on Twitter or join me on Discord. You can find the deets at TheHackerMind.com.
The Hacker Mind is brought to you every two weeks, commercial-free, by ForAllSecure.
For The Hacker Mind, I remain the Bluetooth-enabled Robert Vamosi.