On 3rd May 2017, I reported two vulnerabilities to Tesla regarding the PIN code on Tesla Roadster vehicles. As no fix has been forthcoming from Tesla in the past 18 months, and in accordance with standard industry practice, I now publicly disclose these below. The intent here is to raise awareness of the security issues and to encourage Tesla Roadster owners to take steps in order to avoid exploit and/or loss of their vehicle.
Short summary
I hope that Tesla will address these issues by implementing firmware protection against multiple PIN access attempts (for example, 3 incorrect PIN attempts results in a 5 minute lock-out would be reasonable), and by encouraging owners to use strong 8 digit PINs.
A summary of the vulnerabilities is given below. For full details, refer to the links.
Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus
Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus | Open Vehicles
Tesla Roadster vulnerable to brute-force unlock via CAN bus
Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus | Open Vehicles
For both vulnerabilities, the PIN code permits the following functions:
Once the PIN code has been discovered, the greatest concerns are:
Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
Vendor Response: Declined to address, and no fix for more than 1 year, so public release
Public Release: 3 Dec 2018
Short summary
- A convertible vehicle such as the Tesla Roadster does not always offer the same physical protections as a fully enclosed vehicle. In particular, access to the vehicle communication networks, and physical interior, may be easier (particularly in the case when the vehicle is parked with the roof off).
- The communication between the VDS (little display) and VMS (car computer) in the Tesla Roadster is not encrypted. This means that when you enter your PIN on the VDS, any system on the car network can see it in relatively plain text.
- There is no protection in the Tesla Roadster firmware against multiple PIN access attempts. This means that a malicious actor could brute-force guess the PIN in a relatively short time (less than one minute for a 4 digit PIN code).
- The same PIN code is used for both valet and car lock/unlock functions. The valet code (if known) can be used to unlock the vehicle.
- While vehicles outside North America are fitted with an immobiliser that helps mitigate this issue, North American Tesla Roadsters have no such immobiliser and the PIN can be used to both disarm the vehicle alarm and unlock the doors.
- While the full solution to these issues can only be implemented by Tesla via firmware update, owners can mitigate the impact by:
- Using a strong 8 digit PIN, rather than the default 4 digit.
- Ensuring that the vehicle is locked, with the roof on, when parked.
- Being aware that valet parking attendants will have full unrestricted access to the vehicle, and time to determine the PIN and copy the physical vehicle key.
A summary of the vulnerabilities is given below. For full details, refer to the links.
Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus
Vulnerability Announcement: Tesla Roadster vulnerable to sniffing of security PIN code via CAN bus | Open Vehicles
The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode and change the PIN. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits). This PIN code is usually entered on the VDS by the user, and then transmitted in plain text on the instrumentation CAN bus to the VMS.
Using a simple CAN bus tap, the 1MHz instrumentation CAN bus messages can be read. When the user enters the PIN code (for example to enable/disable valet mode), it is transmitted in plain text using a single CAN bus message. The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.
The most likely exploit would come at a valet parking station where a vehicle key could be easily copied and with access to the vehicle, a CAN bus logger installed in the passenger footwell. When the user returns to retrieve their vehicle, they disable the valet mode (via entry of PIN code on the VDS screen). At this point, the valet has a copy of the physical key as well as the PIN code to arm/disarm the vehicle alarm on North American vehicles.
Using a simple CAN bus tap, the 1MHz instrumentation CAN bus messages can be read. When the user enters the PIN code (for example to enable/disable valet mode), it is transmitted in plain text using a single CAN bus message. The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.
The most likely exploit would come at a valet parking station where a vehicle key could be easily copied and with access to the vehicle, a CAN bus logger installed in the passenger footwell. When the user returns to retrieve their vehicle, they disable the valet mode (via entry of PIN code on the VDS screen). At this point, the valet has a copy of the physical key as well as the PIN code to arm/disarm the vehicle alarm on North American vehicles.
Tesla Roadster vulnerable to brute-force unlock via CAN bus
Vulnerability Announcement: Tesla Roadster vulnerable to brute-force unlock via CAN bus | Open Vehicles
The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits). It appears that this is vulnerable to brute-force attack as there is no rate limiting on reception/interpretation of that message.
Transmitting at 100 messages / second, I tested PIN codes 0000 through 9999 in 100 seconds. Average PIN discovery time was thus approximately 50 seconds at this rate. The CAN-USB adaptor I used was limited to approximately 100 messages / second. A faster adaptor could seemingly brute force this with greater speed.
Transmitting at 100 messages / second, I tested PIN codes 0000 through 9999 in 100 seconds. Average PIN discovery time was thus approximately 50 seconds at this rate. The CAN-USB adaptor I used was limited to approximately 100 messages / second. A faster adaptor could seemingly brute force this with greater speed.
For both vulnerabilities, the PIN code permits the following functions:
- Enable valet mode
- Disable valet mode
- Lock the vehicle
- Unlock the vehicle
- Cancel the alarm (via unlocking the vehicle) in North American vehicles
- Change the PIN code
Once the PIN code has been discovered, the greatest concerns are:
- Cancelling a sounding alarm on North American vehicles
- Providing access to the trunk and glove compartment of a locked vehicle
- Malicious prank to enable valet mode
- Malicious prank to change the PIN code (possibly after enabling valet mode)
- Using a strong 8 digit PIN, rather than the default 4 digit.
- Ensuring that the vehicle is locked, with the roof on, when parked.
- Being aware that valet parking attendants will have full unrestricted access to the vehicle, and time to determine the PIN and copy the physical vehicle key.
Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
Vendor Response: Declined to address, and no fix for more than 1 year, so public release
Public Release: 3 Dec 2018
Last edited:
