
Public Disclosure: Tesla Roadster PIN Vulnerabilities

markwj

On 3rd May 2017, I reported two vulnerabilities to Tesla regarding the PIN code on Tesla Roadster vehicles. As no fix has been forthcoming from Tesla in the past 18 months, and in accordance with standard industry practice, I now publicly disclose these below. The intent here is to raise awareness of the security issues and to encourage Tesla Roadster owners to take steps in order to avoid exploit and/or loss of their vehicle.

Short summary
  1. A convertible vehicle such as the Tesla Roadster does not always offer the same physical protections as a fully enclosed vehicle. In particular, access to the vehicle communication networks, and physical interior, may be easier (particularly in the case when the vehicle is parked with the roof off).

  2. The communication between the VDS (little display) and VMS (car computer) in the Tesla Roadster is not encrypted. This means that when you enter your PIN on the VDS, any system on the car network can see it in relatively plain text.

  3. There is no protection in the Tesla Roadster firmware against multiple PIN access attempts. This means that a malicious actor could brute-force guess the PIN in a relatively short time (less than one minute for a 4 digit PIN code).

  4. The same PIN code is used for both valet and car lock/unlock functions. The valet code (if known) can be used to unlock the vehicle.

  5. While vehicles outside North America are fitted with an immobiliser that helps mitigate this issue, North American Tesla Roadsters have no such immobiliser and the PIN can be used to both disarm the vehicle alarm and unlock the doors.

  6. While the full solution to these issues can only be implemented by Tesla via firmware update, owners can mitigate the impact by:
  • Using a strong 8 digit PIN, rather than the default 4 digit.
  • Ensuring that the vehicle is locked, with the roof on, when parked.
  • Being aware that valet parking attendants will have full unrestricted access to the vehicle, and time to determine the PIN and copy the physical vehicle key.
I hope that Tesla will address these issues by implementing firmware protection against multiple PIN access attempts (for example, a 5 minute lock-out after 3 incorrect PIN attempts would be reasonable), and by encouraging owners to use strong 8 digit PINs.

A summary of the vulnerabilities is given below. For full details, refer to the links.

Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus
Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus | Open Vehicles

The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode and change the PIN. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits). This PIN code is usually entered on the VDS by the user, and then transmitted in plain text on the instrumentation CAN bus to the VMS.

Using a simple CAN bus tap, the 1MHz instrumentation CAN bus messages can be read. When the user enters the PIN code (for example to enable/disable valet mode), it is transmitted in plain text using a single CAN bus message. The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.

The most likely exploit would come at a valet parking station where a vehicle key could be easily copied and with access to the vehicle, a CAN bus logger installed in the passenger footwell. When the user returns to retrieve their vehicle, they disable the valet mode (via entry of PIN code on the VDS screen). At this point, the valet has a copy of the physical key as well as the PIN code to arm/disarm the vehicle alarm on North American vehicles.

Tesla Roadster vulnerable to brute-force unlock via CAN bus
Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus | Open Vehicles

The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits). It appears that this is vulnerable to brute-force attack as there is no rate limiting on reception/interpretation of that message.

Transmitting at 100 messages / second, I tested PIN codes 0000 through 9999 in 100 seconds. Average PIN discovery time was thus approximately 50 seconds at this rate. The CAN-USB adaptor I used was limited to approximately 100 messages / second. A faster adaptor could seemingly brute force this with greater speed.

For both vulnerabilities, the PIN code permits the following functions:
  1. Enable valet mode
  2. Disable valet mode
  3. Lock the vehicle
  4. Unlock the vehicle
  5. Cancel the alarm (via unlocking the vehicle) in North American vehicles
  6. Change the PIN code
On vehicles outside North America, a separate alarm system and immobiliser is used. That system is not affected by this PIN code, so functions 4 through 5 will have limited impact on these vehicles. There is a separate physical key used to start the vehicle, and unlock the steering wheel, that is not affected by this vulnerability.

Once the PIN code has been discovered, the greatest concerns are:
  • Cancelling a sounding alarm on North American vehicles
  • Providing access to the trunk and glove compartment of a locked vehicle
  • Malicious prank to enable valet mode
  • Malicious prank to change the PIN code (possibly after enabling valet mode)
While the full solution to these issues can only be implemented by Tesla via firmware update, owners can mitigate the impact by:
  • Using a strong 8 digit PIN, rather than the default 4 digit.
  • Ensuring that the vehicle is locked, with the roof on, when parked.
  • Being aware that valet parking attendants will have full unrestricted access to the vehicle, and time to determine the PIN and copy the physical vehicle key.
Reported: 3 May 2017
Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
Vendor Response: Declined to address, and no fix for more than 1 year, so public release
Public Release: 3 Dec 2018
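
Added example, not part of the original post and not Tesla firmware: a sketch in C of the lock-out the post asks for (3 incorrect attempts, then 5 minutes), with a local simulation of how it changes the time needed to sweep a 4 digit PIN space at the post's 100 messages / second. The names `pin_guard`, `pin_try` and `time_to_find_ms` are hypothetical, and the stored PIN is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FAILS  3u       /* the post's suggestion: 3 incorrect attempts ... */
#define LOCKOUT_MS 300000u  /* ... then a 5 minute lock-out */

typedef enum { PIN_OK, PIN_WRONG, PIN_LOCKED } pin_result;
typedef struct { uint32_t fails; uint64_t locked_until; } pin_guard; /* hypothetical state */

/* Compare without stopping at the first mismatching digit. */
static bool pin_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Evaluate one PIN entry at now_ms; entries during a lock-out are never evaluated. */
pin_result pin_try(pin_guard *g, const char *stored, const char *entered, uint64_t now_ms) {
    if (now_ms < g->locked_until) return PIN_LOCKED;
    if (pin_equal(stored, entered)) { g->fails = 0; return PIN_OK; }
    if (++g->fails >= MAX_FAILS) { g->fails = 0; g->locked_until = now_ms + LOCKOUT_MS; }
    return PIN_WRONG;
}

/* Simulated time (ms) until a sequential sweep of all `digits`-long PINs reaches
 * `stored`, one entry every interval_ms, waiting out lock-outs when guarded. */
uint64_t time_to_find_ms(const char *stored, int digits, uint32_t interval_ms, bool guarded) {
    pin_guard g = {0, 0};
    uint64_t now = 0;
    uint32_t limit = 1;
    for (int d = 0; d < digits; d++) limit *= 10;
    for (uint32_t guess = 0; guess < limit; guess++, now += interval_ms) {
        char buf[16];
        snprintf(buf, sizeof buf, "%0*u", digits, guess);
        if (guarded && now < g.locked_until) now = g.locked_until;
        bool hit = guarded ? pin_try(&g, stored, buf, now) == PIN_OK : pin_equal(stored, buf);
        if (hit) return now;
    }
    return UINT64_MAX; /* PIN not in the swept space */
}

int main(void) {
    const char *pin = "9999"; /* constructed worst-case sample PIN */
    printf("no lock-out:   %llu ms\n", (unsigned long long)time_to_find_ms(pin, 4, 10, false));
    printf("with lock-out: %llu ms\n", (unsigned long long)time_to_find_ms(pin, 4, 10, true));
    return 0;
}
```

With the lock-out in place the same worst-case 4 digit sweep goes from about 100 seconds to roughly 11.6 days, and a correct PIN entered during a lock-out is still refused.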

markwj

My main concern is valets. But not sure if the low volume nature of the car would make it all that attractive a target. It is certainly trivial to exploit.

I'd also worry if the PIN is the same as used by the owner elsewhere (such as a gate/house/office keypad).

Bottom line is to use an 8 digit PIN, and be aware of the issue.