Saturday, June 22, 2024

Research Jailbreak Tesla’s Software-Locked Features Worth up to $15,000

Tesla has a reputation for having highly integrated and technologically advanced car computers, which can be used for everything from basic entertainment to completely autonomous driving.

Earlier in the BlackHat, an attack briefed against modern AMD-based infotainment systems (MCU-Z) was found on all current vehicles.

Researchers from the Technical University of Berlin have developed a means to jailbreak these systems and run any software they choose.

The hack also enables voltage glitching to activate software-locked features like seat heating and “Acceleration Boost,” which Tesla car owners typically have to pay for.

Tesla uses this hardware-bound RSA key for car authentication in its service network.

Security experts at TU Berlin claim that the software-locked features are worth $15,000 in Electrek’s report.

Method To Jailbreak The AMD-Based Infotainment Systems

The researchers were able to compromise the infotainment system by employing methods from their earlier AMD research, which exposed the possibility of ‘fault injection attacks’ that may steal information from the platform.

Tesla’s infotainment APU is built on a weak AMD Zen 1 CPU; therefore, the researchers might try to jailbreak the device by exploiting the previously identified flaws.

The researcher’s brief BlackHat report says, “For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system.”

“First, we present how we used low-cost, off-the-self hardware to mount the glitching attack to subvert the ASP’s early boot code.”

“We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distributions.”

Furthermore, they could access and decrypt sensitive information saved on the car’s system, such as the owner’s personal data, phonebook, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords, and places visited.

 The TPM-protected attestation key that Tesla employs to authenticate the vehicle and check the reliability of its hardware platform may be extracted by an attacker via the jailbreak and transferred to another vehicle.

Researchers mention that this might aid in running the car in unsupported zones, making independent repairs, and modifying it in addition to car ID impersonation on Tesla’s network.

According to one of the researchers, Christian Werling, a soldering iron and $100 worth of electrical components, such as the Teensy 4.0 board, should be sufficient to jailbreak Tesla’s infotainment system.

Christian Werling told BleepingComputer, “Tesla informed us that our proof of concept enabling the rear seat heaters was based on an old firmware version.”

“In newer versions, updates to this configuration item are only possible with a valid signature by Tesla (and checked/enforced by the Gateway).”

“So while our attacks lay some important groundwork for tinkering with the overall system, another software or hardware-based exploit of the Gateway would be necessary to enable the rear seat heaters or any other soft-locked feature.”

The researcher added that the key extraction attack is still functional in the most recent Tesla software update, indicating that the issue is still exploitable.

Also, it has been reported on certain news sites that the jailbreak can enable Full-Self Driving (FSD); however, the researcher has informed that this is untrue.

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles