Upstream’s 1000th Automotive Cybersecurity Incident: Use NFC Card to Gain Control in 130 Seconds

As a part of Upstream’s ongoing effort to monitor, analyze the cyber threat landscape and assess the impact of automotive-related cybersecurity incidents and vulnerabilities, we recently marked an important milestone with the 1000th incident tracked by Upstream’s cyber threat intelligence team on the AutoThreat® platform.

On June 8, 2022, Martin Herfurt, a security researcher in Austria, demonstrated how he could manipulate a Tesla NFC card to unlock vehicles and potentially steal the vehicle.

This feature update was introduced by Tesla in August, making it easier to start vehicles after being unlocked with their NFC key cards. The intention behind this update was simple: enable a smooth experience for drivers using NFC cards to unlock and start their vehicles, within a timeframe of 130 seconds, without the need to use the NFC card twice.

But the researcher noticed that within the 130-second timeframe, it was also possible to accept entirely new keys with no additional authentication and zero indication by the in-car display.

“The authorization given in the 130-second interval is too general… it’s not only for drive,” Herfurt said in an online interview. “This timer has been introduced by Tesla… in order to make the use of the NFC card as a primary means of using the car more convenient. What should happen is that the car can be started and driven without the user having to use the key card a second time. The problem: within the 130-second period, not only the driving of the car is authorized, but also the [enrolling] of a new key.”

The vulnerability lies in Tesla’s keyfob technology, which relies on Bluetooth Low Energy (BLE). Most devices and vehicles that rely on this kind of proximity-based authentication are designed to protect against a range of relay attacks. Yet, researchers at U.K.-based NCC Group say they have developed a tool for conducting a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically enabling attackers to remotely unlock and operate vehicles.

Upstream offers the first and only threat intelligence offering purpose-built for the automotive ecosystem, providing dedicated automotive-specific intelligence, incident tracking, vehicle-relevant vulnerability detection, threat impact analysis, mitigation suggestions, support in prioritization, exposure analysis and threat propagation.

AutoThreat® PRO was created to empower automotive stakeholders to identify vulnerabilities and manage risks to their assets via threat intelligence data and insights. Upstream’s AutoThreat® PRO offers a purpose-built service with dedicated CTI analysts that includes ongoing threat reports, customized queries, deep and dark web investigations, and tailor-made threat models based on customer-specific assets, needs, and business models.