Security Researchers Discover Exploit in Tesla’s Infotainment System Allowing Root Access to the Device

Key Points
  • Researchers from TU Berlin demonstrate an attack against Tesla’s newer AMD-based infotainment systems, unlocking unpatchable Tesla Jailbreak capabilities.
  • The vulnerability allows unauthorized access to run arbitrary software on the infotainment system and extract a unique hardware-bound RSA key.
  • Low-cost, off-the-shelf hardware is used to mount the voltage fault injection attack against the AMD Secure Processor (ASP) to gain root permissions on the Linux distribution.
  • The gained root access enables decryption of encrypted NVMe storage, access to private user data, and potential benefits for unsupported regions.
  • The attack also opens the possibility of extracting a TPM-protected attestation key, enabling identity migration to another car computer without Tesla’s involvement.

Tesla’s advanced and well-integrated car computers have been highly regarded for their entertainment and autonomous driving capabilities. However, recent developments have revealed a potential vulnerability in the automaker’s infotainment systems that could have significant repercussions. Researchers from TU Berlin have unveiled an attack against newer AMD-based infotainment systems, exposing what they call the “Tesla Jailbreak”.

This newfound vulnerability allows unauthorized users to exploit the infotainment system, granting access to run arbitrary software on the platform and extract a unique hardware-bound RSA key used for internal authentication and authorization in Tesla’s service network.

The researchers, Christian Werling, Niclas Kühnapfel, Hans Niklas Jacob, and Oleg Drokin, will present their findings in a 40-minute briefing at the South Pacific F, Level 0 on Wednesday, August 9, at 11:20 am.

The attack leverages a known voltage fault injection technique against the AMD Secure Processor (ASP), which serves as the system’s root of trust. By subverting the ASP’s early boot code using low-cost, off-the-shelf hardware, the researchers gain root permissions on the recovery and production Linux distribution, providing them with unprecedented access to the infotainment system.

With root access, the attackers can make arbitrary changes to the Linux system, allowing them to decrypt the encrypted NVMe storage and access sensitive user data, such as the phonebook and calendar entries. Furthermore, the researchers noted that the vulnerability could also be used to unlock certain features like faster acceleration or rear heated seats without paying for them.

The ramifications of this vulnerability extend beyond unauthorized access to vehicle features. The attack opens up the possibility of extracting a TPM-protected attestation key that Tesla uses to authenticate individual cars. This could potentially enable migrating a car’s identity to another car computer without any assistance from Tesla, facilitating certain repairs.

Tesla owners and the automotive industry, in general, should take this discovery seriously, as it poses significant security implications for the brand and its customers. Tesla has been at the forefront of electric vehicle innovation, and with their cars increasingly relying on integrated technology, safeguarding against such exploits becomes crucial.

Tesla has not yet issued a statement regarding the vulnerability, but it is expected that the company’s security team will be working diligently to address and patch the issue to prevent any unauthorized access to their vehicles.

As the automotive industry continues to embrace technological advancements, ensuring the highest level of security for connected vehicles will be paramount. This incident serves as a wake-up call for manufacturers and researchers to collaborate in identifying and mitigating potential vulnerabilities in an ever-evolving landscape of digital innovation.
