A team of researchers from Germany managed to jailbreak a Tesla Model 3, unlocking free access to in-car features that are normally paid upgrades.
The white hat hackers, three of which are are students at Technische Universität Berlin in Germany, told TechCrunch they found a way to hack the hardware powering the Tesla Model 3’s infotainment system, essentially jailbreaking the car.
One of the students said that while the attack required physical access to the car, it is exactly the scenario where their jailbreak would be useful – i.e. for an owner who is not willing to pay extra for upgrades that are already built into their vehicle, such as the heated rear seats.
“We are not the evil outsider, but we’re actually the insider, we own the car. And we don’t want to pay these $300 bucks for the rear heated seats,” Christian Werling told TechCrunch in an interview ahead of the Black Hat cybersecurity conference in Las Vegas next week where the team will present their research.
It’s worth noting that newer Tesla Model 3 vehicles feature heated rear seats as standard, which likely means the team worked on an older model.
22 Photos
Werling said they used a technique called “voltage glitching” to jailbreak the Tesla. He explained that they “fiddled around” with the supply voltage of the AMD processor that runs the infotainment system.
“If we do it at the right moment, we can trick the CPU into doing something else. It has a hiccup, skips an instruction, and accepts our manipulated code. That’s basically what we do in a nutshell,” he noted.
Using the same technique, the researchers claimed they were able to extract the encryption key used to authenticate the car to Tesla’s network. While this could potentially open the door to a series of other attacks, they said they still have to explore the possibilities in this scenario.
Still, extracting the encryption key allowed them to pull critical personal information from the car including contacts, call logs, recent calendar appointments, locations the car visited, Wi-Fi passwords, and session tokens from email accounts, among other things. This type of data could be attractive to people who don’t own a particular Tesla Model 3 vehicle, but still have physical access to it, the researchers said.
They noted that the only way Tesla can defend against this type of hardware-based attack is to replace the hardware in question.
