We select and review products independently. When you purchase through our links we may earn a commission. Learn more.

New Tesla Key Card Vulnerability Lets Hackers Silently Steal Your Ride

Tesla interior and display

It’s no secret that Tesla has endured its share of potential problems regarding hackers accessing vehicles. However, a new report out of Austria shows a big vulnerability with Tesla’s NFC key cards that could let a hacker add a new card, then steal your car.

Last year, Tesla issued several updates around the key cards to improve usage and security. The update made it easier to start a vehicle after unlocking the doors with the digital key card, as the key didn’t need to be placed in the center console to shift out of park and drive off. Unfortunately, that change also left a significant vulnerability wide open.

For those unaware, Tesla’s NFC key card is one of three ways to unlock a vehicle, with the other two being the physical key fob or the Tesla phone app.

According to a security researcher in Austria named Martin Herfurt, Tesla made several changes to the time limit when using NFC key cards. Last year’s update allows a 130-second window between when owners unlocked the door and put the car in drive to roll off down the road.

Unfortunately, that change allows new Tesla key cards to be added, without any authentication required, during the same timeframe. Even worse, there’s no in-car or in-app notification that a new card got added. It just happens silently in the background.

Here’s a video of the key card vulnerability in action.

From here, the researcher created a proof of concept that essentially hacks a new Tesla key card. As long as a thief is within range of the car after it was unlocked with the digital key, the hacker could then add and enroll their own key to the vehicle during those 130 seconds. Think of it like spoofing a set of car keys.

Later, that same hacker and thief could use his newly authenticated key card to access a Tesla vehicle, open the doors, then quickly drive off. Yikes.

Hefurt says he has successfully demonstrated the vulnerability on Tesla’s Model 3 and Model Y, but it’ll likely work on other vehicles in the lineup. From here, we imagine Tesla will be making some changes soon to prevent this situation.

In the meantime, owners can use the “PIN to Drive” feature, which will at least deter thieves from driving off, even if they get the doors open.

via DriveTeslaCanada

Cory Gunther Cory Gunther
Cory Gunther has been writing about phones, Android, cars, and technology in general for over a decade. He's a staff writer for Review Geek covering roundups, EVs, and news. He's previously written for GottaBeMobile, SlashGear, AndroidCentral, and InputMag, and he's written over 9,000 articles. Read Full Bio »