Canadian software developer discovers Bluetooth key vulnerability that allows anyone to unlock a Tesla, fix deployed through OTA update

Tesla mobile key vulnerability

A Canadian software developer has discovered a major vulnerability in Tesla’s Bluetooth key technology that allows anyone to unlock one of their vehicles.

The exploit was discovered by Quebec’s Shankar Gomare. In an exclusive interview with Drive Tesla, Gomare says he uncovered it while developing his ‘Voice for Tesla’ iOS app early last year.

The app, which you can download here, acts like Amazon Alexa by providing voice-based reminders in the vehicle. The difference is that the app would provide ‘active assistance’, meaning it wouldn’t require a specific wake word or phrase to trigger it.

In his initial research to figure out a way to trigger the reminder, Gomare learned that Tesla vehicles use two different types of Bluetooth sensors or devices. The first is Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR), which is used for things such as streaming music or syncing phone contacts with the car.

The second is Bluetooth Low Energy, or BLE, which Tesla uses for its phone key. This convenience feature allows owners to unlock their cars simply by being close to them with their paired mobile device.

The Exploit

Tesla vehicles are coded to look for the strongest Bluetooth signal among connected devices within range before deciding whether to unlock. This is usually the owner’s mobile device, which is paired with the car. When that happens, the vehicle talks with the Bluetooth device, which reports that it is within proximity of the car and sends an unlock code.

This is where Gomare discovered the flaw in Tesla’s implementation: BLE connections to the vehicle require no authentication. As a result, he could unlock any Tesla by masquerading as a phone key, forcing the car to request the unlock code from the owner’s actual mobile device when a door handle is pulled.

For the exploit to work, the owner’s mobile device still needs to be within BLE range (200 m to 400 m) of the vehicle. A typical example is having your phone in your house while your Tesla is parked in the driveway or on the street.
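To make the failure mode concrete, here is a small simulation written for this article; it is not Tesla’s code and not Gomare’s proof of concept. It models the flow just described: the car picks the strongest BLE signal, asks it for an unlock code, and accepts a correct answer without caring how far away the answering phone really is. The “hardened” variant adds a round-trip-time bound on the challenge, a standard defence against relay attacks; that bound, the HMAC challenge-response, the `MAX_ROUND_TRIP_S` value and the latency figures are all assumptions for the demo, since the article does not say what Tesla’s OTA fix actually changed.

```python
"""Toy model of a proximity unlock and of a distance-bounding check.

Assumed for this demo (not from the article): the unlock code is an HMAC over a
random challenge, and a phone genuinely in BLE range answers within
MAX_ROUND_TRIP_S. Latency and RSSI figures are constructed sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed pairing secret shared by the car and the owner's phone key.
PAIRING_SECRET = b"constructed-demo-pairing-secret"

# Assumed bound: a peer physically beside the car answers well under this.
MAX_ROUND_TRIP_S = 0.050


class PhoneKey:
    """The owner's paired phone: it answers every challenge it receives."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


@dataclass
class Link:
    """A BLE peer as the car sees it: an advertised signal strength and a path
    to whatever ends up answering the challenge, with a simulated round trip."""

    name: str
    rssi_dbm: int
    phone: PhoneKey
    latency_s: float  # simulated challenge/response round trip in seconds

    def ask(self, challenge: bytes) -> tuple[bytes, float]:
        return self.phone.respond(challenge), self.latency_s


def pick_strongest(links: list[Link]) -> Link:
    """The car talks to the strongest signal within range, as the article describes."""
    return max(links, key=lambda link: link.rssi_dbm)


def try_unlock(links: list[Link], secret: bytes, enforce_distance_bound: bool) -> bool:
    """Run one unlock attempt. With enforce_distance_bound=False the car trusts
    any peer that returns a valid code; with True it also rejects slow answers."""
    link = pick_strongest(links)
    challenge = os.urandom(16)
    response, round_trip_s = link.ask(challenge)
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return False  # nobody holding the pairing secret answered
    if enforce_distance_bound and round_trip_s > MAX_ROUND_TRIP_S:
        return False  # valid code, but it took too long to be a neighbour
    return True


def demo() -> dict[str, bool]:
    owner_phone = PhoneKey(PAIRING_SECRET)
    # Owner standing at the car: strong signal, fast answer.
    direct = [Link("owner phone at the car", -55, owner_phone, 0.004)]
    # The scenario from the article: a device beside the car presents an even
    # stronger signal but the challenge is forwarded to the phone in the house,
    # so the answer is correct yet arrives late.
    relayed = [Link("device beside the car, forwarding to phone in house", -45, owner_phone, 0.180)]
    # An unpaired phone with no path to the owner's phone: wrong code every time.
    stranger = [Link("unpaired phone", -50, PhoneKey(b"constructed-other-secret"), 0.004)]
    return {
        "vulnerable_direct": try_unlock(direct, PAIRING_SECRET, False),
        "vulnerable_relayed": try_unlock(relayed, PAIRING_SECRET, False),
        "bounded_direct": try_unlock(direct, PAIRING_SECRET, True),
        "bounded_relayed": try_unlock(relayed, PAIRING_SECRET, True),
        "stranger_alone": try_unlock(stranger, PAIRING_SECRET, True),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:20s} -> {'UNLOCKED' if unlocked else 'refused'}")
```

The `stranger_alone` case is why the article stresses that the owner’s phone must still be within range: without a path to a device holding the pairing secret, the unlock code check fails in both variants. The `vulnerable_relayed` case is the flaw itself; signal strength measured at the car says nothing about where the phone that actually answered is located.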

Image via Shankar Gomare

The Fix

As soon as Gomare was able to confirm his findings, he contacted Tesla to notify them of the exploit. The automaker validated it and awarded him a bounty on Bugcrowd, which placed him in the top 50 of the “Tesla Hall of Fame” for finding a P1 (critical) vulnerability.

Given the critical nature of the exploit, Gomare was not able to disclose it until now. Tesla recently fixed the bug through an over-the-air (OTA) software update, but did not disclose in which version the patch was deployed.

Even though Gomare found a major vulnerability, he still believes Tesla vehicles are the most secure, especially because of their ability to apply fixes OTA.

“Tesla vehicles are undoubtedly the most secure vehicles available in the market. What makes them even better is Tesla’s openness to work with the global community of developers, programmers and researchers. I am glad that my small contribution will help to make these even stronger,” said Gomare.

You can watch Gomare’s explanation of the exploit in the video below, shared exclusively with Drive Tesla.

About Darryn John
Founder and Editor-in-chief of Drive Tesla Canada | Darryn@DriveTeslaCanada.ca