LAS VEGAS–A successful hack of a Tesla Model 3’s electronics yielded an unusual real-world benefit: warmer backsides in the back seat.
In a talk Tuesday at the Black Hat security conference here, a team of German researchers explained how they were able to stage a voltage-glitch attack to defeat the boot-integrity defenses on that battery-electric car. That then let them activate its rear-seat warmers for free instead of paying the $300 (since lowered to $200) Tesla had charged to activate that feature.
“You just want to activate some features you’d normally have to pay for,” explained Christian Werling, a PhD student at Technical University Berlin.
But Tesla did not make that easy, as he and his colleagues in this project found out when they investigated the multiple layers of defense Tesla has erected–somewhat like the boot-integrity measures on an iPhone–to ensure that only its code runs on its cars.
“What you see here is a chain of trust,” Werling said as a slide showed the series of code checkpoints a Tesla goes through at each startup, beginning with software embedded in its AMD Secure Processor.
Those defenses thwarted the group’s attempts to insert their own code at later stages of the bootup process, so they instead began researching glitching attacks–in which a precisely timed electrical or electromagnetic disruption interrupts a processor’s operation enough to scramble its output.
To administer the electric-voltage glitch, the team built a “teensy microcontroller,” as researcher Niclas Kühnapfel described it, that would drop the voltage going to the AMD chip at the right instant and then inject the desired code. A video showed this failing more than 10 times in a row before succeeding, at which point the audience applauded at the sight of a Tesla touch screen showing rear seat warmers active.
The presenters then showed how they used the same technique, together with previous research into defeating AMD’s trusted platform module security, to expose encrypted stores of data in the vehicle that hold Tesla-managed credentials as well as driver-specific data.
Researcher Hans Niklas Jacob noted that the group’s voltage-glitching attack can’t be patched with software, although the group did disclose its findings to both AMD and Tesla. He suggested that using this technique to expose previously secret vehicle data could help Tesla owners exercise the right to repair: “Hopefully this will be of use to independent repairing people.”
The researchers did not discuss the dollar value of the time put into this effort, but it clearly exceeded $300. But at any price, this issue isn’t going away. Other manufacturers such as BMW are also moving to offer more car features as paid software upgrades, and many car buyers seem hesitant about going down that road.