Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus

SUMMARY

The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode. Authentication on this message is via a simple user PIN code, which is typically 4 digits (but can be up to 8 digits).

It appears that this is vulnerable to a brute-force attack, as there is no rate limiting on reception/interpretation of that message.
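One way a receiving controller could rate-limit the PIN check described above, as an added example that is not from the original announcement or from Tesla's firmware. The names `pin_gate` and `pin_gate_check`, the thresholds, and the millisecond tick passed in as `now_ms` are all assumptions.

```c
#include <stdint.h>
#include <string.h>

#define PIN_MAX_LEN   8        /* page: PIN can be up to 8 digits */
#define FREE_ATTEMPTS 3u       /* assumed: failures that trigger the first lockout */
#define BASE_DELAY_MS 1000u    /* assumed: first lockout period */
#define MAX_DELAY_MS  900000u  /* assumed: lockout cap, 15 minutes */

typedef enum { PIN_OK, PIN_WRONG, PIN_THROTTLED } pin_result;

typedef struct {
    uint32_t failures;      /* consecutive wrong PINs */
    uint32_t locked_until;  /* monotonic ms tick at which attempts resume */
    int      throttled;     /* non-zero while a lockout is pending */
} pin_gate;

/* Compare zero-padded copies with no early exit, so response timing
 * does not reveal how many leading digits matched. */
static int pin_equal(const char *a, const char *b)
{
    uint8_t x[PIN_MAX_LEN + 1] = {0}, y[PIN_MAX_LEN + 1] = {0}, diff = 0;
    strncpy((char *)x, a, sizeof x);   /* over-long input fills the last byte */
    strncpy((char *)y, b, sizeof y);   /* and so can never equal a valid PIN  */
    for (size_t i = 0; i < sizeof x; i++)
        diff |= (uint8_t)(x[i] ^ y[i]);
    return diff == 0;
}

/* Hypothetical handler-side check: call once per received unlock request. */
pin_result pin_gate_check(pin_gate *g, uint32_t now_ms,
                          const char *entered, const char *stored)
{
    /* Signed difference stays correct when the tick counter wraps. */
    if (g->throttled && (int32_t)(now_ms - g->locked_until) < 0)
        return PIN_THROTTLED;          /* dropped without evaluating the PIN */
    g->throttled = 0;

    if (pin_equal(entered, stored)) {
        g->failures = 0;
        return PIN_OK;
    }
    if (++g->failures >= FREE_ATTEMPTS) {
        uint32_t shift = g->failures - FREE_ATTEMPTS;
        uint32_t delay = shift >= 10 ? MAX_DELAY_MS : BASE_DELAY_MS << shift;
        if (delay > MAX_DELAY_MS)
            delay = MAX_DELAY_MS;
        g->locked_until = now_ms + delay;
        g->throttled = 1;
    }
    return PIN_WRONG;
}
```

In a real controller the `pin_gate` state would need to live in non-volatile storage, otherwise a power cycle resets the failure count and the lockout.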

TECHNICAL DETAILS

The CAN bus message is:

Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus

SUMMARY

The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode and change the PIN. Authentication on this message is via a simple user PIN code, which is typically 4 digits (but can be up to 8 digits).

This PIN code is usually entered on the VDS by the user, and then transmitted in plain text on the instrumentation CAN bus to the VMS.

TECHNICAL DETAILS

The CAN bus message used to lock/unlock the car and enable/disable valet mode is:
