Upstream’s 1000th Automotive Cybersecurity Incident: Use NFC Card to Gain Control in 130 Seconds

ELAD ROBB

Director of Cyber Threat Intelligence

June 22, 2022

As a part of Upstream’s ongoing effort to monitor, analyze the cyber threat landscape and assess the impact of automotive-related cybersecurity incidents and vulnerabilities, we recently marked an important milestone with the 1000th incident tracked by Upstream’s cyber threat intelligence team on the AutoThreat® platform.


On June 8, 2022, Martin Herfurt, a security researcher in Austria, demonstrated how he could manipulate a Tesla NFC card to unlock vehicles and potentially steal the vehicle.

This feature update was introduced by Tesla in August, making it easier to start vehicles after being unlocked with their NFC key cards. The intention behind this update was simple: enable a smooth experience for drivers using NFC cards to unlock and start their vehicles, within a timeframe of 130 seconds, without the need to use the NFC card twice.

But the researcher noticed that within the 130-second timeframe, it was also possible to accept entirely new keys with no additional authentication and zero indication by the in-car display.

“The authorization given in the 130-second interval is too general… it’s not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”

The vulnerability lies in Tesla’s keyfob technology, which relies on Bluetooth Low Energy (BLE). Most devices and vehicles that rely on this kind of proximity-based authentication are designed to protect against a range of relay attacks. Yet, researchers at U.K.-based NCC Group say they have developed a tool for conducting a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically enabling attackers to remotely unlock and operate vehicles.


Upstream offers the first and only threat intelligence offering purpose-built for the automotive ecosystem, providing dedicated automotive-specific intelligence, incident tracking, vehicle-relevant vulnerability detection, threat impact analysis, mitigation suggestions, support in prioritization, exposure analysis and threat propagation.

AutoThreat® PRO was created to empower automotive stakeholders to identify vulnerabilities and manage risks to their assets via threat intelligence data and insights. Upstream’s AutoThreat® PRO offers a purpose-built service with dedicated CTI analysts that includes ongoing threat reports, customized queries, deep and dark web investigations, and tailor-made threat models based on customer-specific assets, needs, and business models.

Newsletter Icon

The After-Sales Quality Report, Zooming in on the Power of AI

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

Rethinking the Perimeter: Excessive Data Exposure and the Outbound Blind Spot

As SOC executives transition to managing autonomous MCP servers on top of the existing complex cloud topologies and distributed microservices, we must acknowledge a critical…

Read more

Rethinking the Perimeter: The Hidden Blast Radius of “Harmless” Endpoints

As SOC executives navigate an era of autonomous AI agents, complex machine-to-machine integrations, and Model Context Protocol (MCP) servers, we must accept a harsh architectural…

Read more

Behavior and Kinetic Impact Define the New AI Security Paradigm

For decades, enterprise cybersecurity has been obsessed with lines in the sand. We built walls around networks, drew perimeters around systems, and gated access to…

Read more

Rethinking the Perimeter: BOLA and the Illusion of the Legitimate Request

As SOC executives navigating an era of autonomous AI agents, complex machine-to-machine integrations, and Model Context Protocol (MCP) servers, we must accept a harsh architectural…

Read more