Research Jailbreak Tesla’s Software-Locked Features Worth up to $15,000

Tesla has a reputation for having highly integrated and technologically advanced car computers, which can be used for everything from basic entertainment to completely autonomous driving.

Earlier in the BlackHat, an attack briefed against modern AMD-based infotainment systems (MCU-Z) was found on all current vehicles.

Researchers from the Technical University of Berlin have developed a means to jailbreak these systems and run any software they choose.

The hack also enables voltage glitching to activate software-locked features like seat heating and “Acceleration Boost,” which Tesla car owners typically have to pay for.

Tesla uses this hardware-bound RSA key for car authentication in its service network.

Security experts at TU Berlin claim that the software-locked features are worth $15,000 in Electrek’s report.

Method To Jailbreak The AMD-Based Infotainment Systems

The researchers were able to compromise the infotainment system by employing methods from their earlier AMD research, which exposed the possibility of ‘fault injection attacks’ that may steal information from the platform.

Tesla’s infotainment APU is built on a weak AMD Zen 1 CPU; therefore, the researchers might try to jailbreak the device by exploiting the previously identified flaws.

The researcher’s brief BlackHat report says, “For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system.”

“First, we present how we used low-cost, off-the-self hardware to mount the glitching attack to subvert the ASP’s early boot code.”

“We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distributions.”

Furthermore, they could access and decrypt sensitive information saved on the car’s system, such as the owner’s personal data, phonebook, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords, and places visited.

 The TPM-protected attestation key that Tesla employs to authenticate the vehicle and check the reliability of its hardware platform may be extracted by an attacker via the jailbreak and transferred to another vehicle.

Researchers mention that this might aid in running the car in unsupported zones, making independent repairs, and modifying it in addition to car ID impersonation on Tesla’s network.

According to one of the researchers, Christian Werling, a soldering iron and $100 worth of electrical components, such as the Teensy 4.0 board, should be sufficient to jailbreak Tesla’s infotainment system.

Christian Werling told BleepingComputer, “Tesla informed us that our proof of concept enabling the rear seat heaters was based on an old firmware version.”

“In newer versions, updates to this configuration item are only possible with a valid signature by Tesla (and checked/enforced by the Gateway).”

“So while our attacks lay some important groundwork for tinkering with the overall system, another software or hardware-based exploit of the Gateway would be necessary to enable the rear seat heaters or any other soft-locked feature.”

The researcher added that the key extraction attack is still functional in the most recent Tesla software update, indicating that the issue is still exploitable.

Also, it has been reported on certain news sites that the jailbreak can enable Full-Self Driving (FSD); however, the researcher has informed that this is untrue.

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.