- cross-posted to:
- tesla
- news
- [email protected]
- [email protected]
- cross-posted to:
- tesla
- news
- [email protected]
- [email protected]
A group of hackers have exposed an exploit that can unlock Tesla’s software-locked features worth up to $15,000.
Free heated seats and Full Self-Driving package, anyone?
Software-locked features that need to be activated by the owner paying or subscribing to a service are becoming increasingly popular in the auto industry.
Tesla has been on board that trend very early since it produced virtually all its vehicles with the same hardware and owners can unlock features later through software updates.
This includes features like heated seats, acceleration boost, and even Tesla’s Full Self-Driving package, which costs $15,000.
It creates a market for people trying to get around the software lock.
A group of security researchers (aka hackers) at TU Berlin announced that they managed to exploit a weakness in the onboard computer to unlock these features:
Tesla has been known for their advanced and well-integrated car computers, from serving mundane entertainment purposes to fully autonomous driving capabilities. More recently, Tesla has started using this well-established platform to enable in-car purchases, not only for additional connectivity features but even for analog features like faster acceleration or rear heated seats. As a result, hacking the embedded car computer could allow users to unlock these features without paying.
They plan to unveil the result of their exploit in a presentation called “Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla’s x86-Based Seat Heater” next week.
The hack requires physical access to the car, and it involves a “voltage fault injection attack” on the AMD-based infotainment system:
For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system. First, we present how we used low-cost, off-the-self hardware to mount the glitching attack to subvert the ASP’s early boot code. We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distribution.
The group of hackers claims that their “Tesla Jailbreak” is “unpatchable” and allows to run “arbitrary software on the infotainment.”
Good for them. I doubt it’s truly unpatchable though.
Edit: thank you for the replies, I clearly made an uneducated guess.
Eh, when you’re glitching hardware preboot and attacking root-of-trust it’s very possibly unpatchable. Just ask Nintendo.
The patch probably involves changing the exploitable hardware to a non exploitable one, and you can’t do that with software updates
It very well could be.
My guess is they are bypassing some integrity check on signed code by glitching logic in the ASP bootrom. If it’s true then it is very possible there are no fuse banks prepped to patch the bootrom. Which I have seen used to make bootroms patchable.
It’s very hard to protect against glitch attacks. And typically that sort of measure needs to be engineered into the design itself.