Tesla, a pioneer in electric vehicles, has continuously innovated its cars’ safety, autonomy, and digital systems. Yet, like any complex system, vulnerabilities can emerge. A recent discovery by cybersecurity researchers David Berard and Thomas Imbert of Synacktiv at Pwn2Own 2024 has revealed a critical flaw within the Tesla Model 3, specifically in its Tire Pressure Monitoring System (TPMS). This vulnerability, which allowed the researchers to achieve remote code execution on the vehicle’s immobilizer system, raises concerns about the security of modern connected cars and their communication networks.
The Discovery: A Kill Chain Targeting Tesla Model 3
Berard and Imbert showed how they were able to exploit the wireless communication of the Tesla Model 3’s TPMS to execute code remotely on the immobilizer’s ECU, a critical component named VCSEC. This unit controls key vehicle functions like interfacing with smartphones to unlock and start the car, while also coordinating TPMS functions.
The vulnerability lies in the multiple communication interfaces that the VCSEC incorporates. Both TPMS sensors and smartphones use Bluetooth Low Energy (BLE) to communicate with the ECU, which presents an attack surface for potential intrusions. Additionally, smartphones can employ the Ultra-Wideband (UWB) interface for enhanced communication with the vehicle. The ability to exploit the wireless TPMS system and breach the immobilizer’s ECU showcases the intricate and interconnected nature of modern vehicles.
The research was part of the highly regarded Pwn2Own hacking competition held in January 2024, where vulnerabilities in various technologies are discovered and responsibly disclosed to manufacturers. The full research from Synacktiv is not yet public, but they have provided insights into how these breaches occur and their potential implications for car owners and manufacturers.
The TPMS Breach: What Does It Mean?
The Tire Pressure Monitoring System (TPMS) in Tesla cars plays a crucial role in driver safety, constantly monitoring tire pressure and warning drivers of any abnormalities. What makes this vulnerability alarming is how something seemingly harmless like the TPMS, a routine feature in modern cars, can be exploited for malicious purposes. In this case, hackers could use the wireless communication of the TPMS as a gateway to attack other vital systems in the vehicle, ultimately gaining control over the immobilizer and other core functions.
The Tesla Model 3, which relies heavily on sophisticated ECUs to manage its systems, presents a larger attack surface due to its connected nature. The research demonstrated how attackers could potentially unlock and control key features of the car remotely. While no such malicious incidents have been reported, this discovery is a reminder of the importance of securing all components in connected cars, no matter how benign they may seem at first glance.
Tesla’s Security Challenges
This isn’t the first time Tesla’s systems have faced security scrutiny. David Colombo, a cybersecurity researcher known as the “Tesla Hacker,” was featured in the first episode of Left to Our Own Devices, the Product Security Podcast, where he discussed a major vulnerability he uncovered in Tesla vehicles. Colombo’s research revolved around the TeslaMate logging tool, which allowed him to gain access to several Tesla vehicles remotely by exploiting unencrypted API keys.
Colombo’s experiment involved running unauthorized commands on Tesla vehicles, such as manipulating the stereo volume, opening doors, or even enabling the “Keyless Driving” feature—all without the driver’s knowledge. The vulnerability stemmed from a flaw in the open-source TeslaMate tool, which stores Tesla’s API keys unencrypted, making them accessible to anyone with malicious intent. Colombo’s research revealed how a minor flaw in a third-party tool could lead to significant security breaches in connected cars.
In his official disclosure to Tesla, Colombo shared that he found more than 25 vehicles across 13 countries in just a few hours, including nations like the U.S., Germany, and Canada. The discovery prompted Tesla to revoke thousands of API keys, underscoring the magnitude of the vulnerability.
While Colombo’s breach exploited a third-party tool, Berard and Imbert’s research highlights the potential risks within Tesla’s own communication systems. Both breaches underscore the critical need for automakers to continuously evaluate and improve their cybersecurity measures, especially as vehicles become more connected and dependent on software.
The Importance of Securing Connected Vehicles
With the rise of electric vehicles (EVs) and autonomous driving technologies, cars are becoming more like computers on wheels. As such, they are increasingly vulnerable to cybersecurity threats. While convenience and innovation are central to this technological revolution, the shift comes with the inherent challenge of securing an expanding attack surface.
Berard and Imbert’s discovery of the TPMS vulnerability in the Tesla Model 3 brings attention to the importance of thoroughly vetting all systems in a connected car, even ones that might seem non-essential to cybersecurity, like the TPMS. Connected vehicles communicate over various wireless interfaces, including BLE, UWB, and Wi-Fi, providing ample opportunities for hackers to exploit weak points. Securing these channels is crucial for preventing remote code execution and maintaining control over critical systems like the immobilizer.
Tesla has a strong track record of addressing vulnerabilities once they are identified, with proactive measures like over-the-air (OTA) software updates that can fix issues remotely. However, as demonstrated by the TeslaMate incident and now the TPMS vulnerability, the challenge for Tesla and other automakers is to stay one step ahead of hackers who are constantly seeking new ways to breach vehicle systems.
Looking Forward: The Road Ahead
As the research from Berard, Imbert, and Colombo shows, connected cars represent both a tremendous leap forward in technology and a significant cybersecurity challenge. Automakers must ensure that security is built into every layer of their vehicles’ systems, from external communication protocols to internal components like the TPMS.
For Tesla, whose brand is synonymous with cutting-edge innovation, these vulnerabilities serve as a reminder that security must always evolve alongside technology. By addressing these issues, Tesla and other automakers can continue to build trust with their customers while protecting them from potential harm.
As the automotive industry continues its digital transformation, the security of connected vehicles will remain a top priority. The research shared by Berard and Imbert is a wake-up call for automakers to double down on cybersecurity efforts. Meanwhile, researchers like David Colombo will continue to push the boundaries of automotive security, ensuring that vulnerabilities are discovered and patched before they can be exploited by malicious actors.