Upstream’s 1000th Automotive Cybersecurity Incident: Use NFC Card to Gain Control in 130 Seconds


Head of Cyber Threat Intelligence

June 22, 2022

As a part of Upstream’s ongoing effort to monitor, analyze the cyber threat landscape and assess the impact of automotive-related cybersecurity incidents and vulnerabilities, we recently marked an important milestone with the 1000th incident tracked by Upstream’s cyber threat intelligence team on the AutoThreat® platform.

On June 8, 2022, Martin Herfurt, a security researcher in Austria, demonstrated how he could manipulate a Tesla NFC card to unlock vehicles and potentially steal the vehicle.

This feature update was introduced by Tesla in August, making it easier to start vehicles after being unlocked with their NFC key cards. The intention behind this update was simple: enable a smooth experience for drivers using NFC cards to unlock and start their vehicles, within a timeframe of 130 seconds, without the need to use the NFC card twice.

But the researcher noticed that within the 130-second timeframe, it was also possible to accept entirely new keys with no additional authentication and zero indication by the in-car display.

“The authorization given in the 130-second interval is too general… it’s not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”

The vulnerability lies in Tesla’s keyfob technology, which relies on Bluetooth Low Energy (BLE). Most devices and vehicles that rely on this kind of proximity-based authentication are designed to protect against a range of relay attacks. Yet, researchers at U.K.-based NCC Group say they have developed a tool for conducting a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically enabling attackers to remotely unlock and operate vehicles.

Upstream offers the first and only threat intelligence offering purpose-built for the automotive ecosystem, providing dedicated automotive-specific intelligence, incident tracking, vehicle-relevant vulnerability detection, threat impact analysis, mitigation suggestions, support in prioritization, exposure analysis and threat propagation.

AutoThreat® PRO was created to empower automotive stakeholders to identify vulnerabilities and manage risks to their assets via threat intelligence data and insights. Upstream’s AutoThreat® PRO offers a purpose-built service with dedicated CTI analysts that includes ongoing threat reports, customized queries, deep and dark web investigations, and tailor-made threat models based on customer-specific assets, needs, and business models.

Newsletter Icon

Upstream’s 2024 Global Automotive Cybersecurity Report

Newsletter Icon

to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

Upstream Adds the TISAX Certification, Accelerating Customer Onboarding & Ensuring Data Protection

In the fast-evolving landscape of the automotive industry, ensuring robust information security practices is paramount. Recognizing the significance of TISAX, the Trusted Information Security Assessment…

Read more

Revving Up Safety: UN Regulation R155 Now Covers Motorcycles

On Jan. 26, the UNECE decided to include motorcycles, scooters, and electric bicycles in the scope of UNECE WP.29 R155. With this move, the UNECE…

Read more

NIS2 Directive’s Impact on the Smart Mobility Ecosystem

The NIS2 Directive, expected to become mandatory in October 2024, aims to significantly enhance the cybersecurity framework within the European Union. It broadens the scope…

Read more

CEO View: Yoav Levy on Future of Automotive Cybersecurity

DLD 2024 (Digital-Life-Design) is a world-renowned innovation conference, that provides a platform for people eager to change the world in the digital era. Yoav Levy,…

Read more