Researchers find Tesla vehicles can be jailbroken to unlock paid features for free

The Bleeping Computer website reports that researchers at the Technical University of Berlin have developed a technique to hack the AMD-based infotainment system used in all of Tesla's recently launched models, allowing it to run any software, including paid features.


During the experiment, the researchers extracted the unique hardware-bound RSA key that Tesla uses to authenticate a car within its service network, and activated paid, software-locked features such as seat heating and "acceleration boost" through a voltage fault. The researchers shared many details of their experiments with Bleeping Computer and said they will present their research at Black Hat 2023 on August 9, 2023 (presentation titled "Electric Car Jailbreak in 2023 or Implications for Tesla's x86-Based Seat Heater Hot Start").

The researchers were able to hack the infotainment system using techniques from the team's previous AMD research, in which they discovered that a fault injection attack could extract secrets from the platform. Tesla's infotainment APU is based on a vulnerable AMD Zen 1 CPU, so the researchers could attempt to jailbreak it using this previously discovered vulnerability.

The researchers further explained that the attack uses a known voltage fault injection attack against the AMD Secure Processor (ASP), which serves as the system's root of trust. First, they describe how low-cost off-the-shelf hardware can be used to mount a fault attack that subverts the ASP's early boot code. Then, they show how to reverse engineer the boot process to obtain a root shell on Tesla's recovery and production Linux distributions.

Thereafter, having gained root privileges, the researchers were free to make arbitrary changes that survive infotainment system reboots and Tesla's "over-the-air" updates. The researchers were also able to access and decrypt sensitive information stored in the car's systems, such as the owner's personal data, phone book, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords, and travel logs.


With the jailbreak, attackers were able to extract the TPM-protected attestation key that Tesla uses to authenticate the car and verify the integrity of its hardware platform, and migrate it to another car. The researchers emphasized that, in addition to impersonating the car's identity on Tesla's network, this would also be useful for using the car in unsupported regions or for independent repairs and modifications.

As for what tools are needed to hack the Tesla infotainment system, researcher Christian Werling points out that all you need is a soldering iron and about $100 worth of electronics, such as a Teensy 4.0 board.

It's worth mentioning that the researchers responsibly disclosed their findings to Tesla, and the automaker is working on remediating the issues found. After being alerted, Tesla informed the researchers that their proof-of-concept for enabling the rear seat heaters was based on an older firmware version; in newer versions the configuration item can only be updated with a valid signature provided by Tesla and checked/enforced by the gateway.

However, Werling told BleepingComputer that the key extraction attack still works on the latest Tesla software update, and that the vulnerability is still exploitable by potential attackers. Finally, regarding claims in some news media that the jailbreak can unlock Tesla's Full Self-Driving (FSD), the researchers said this is false.

Origin blog.csdn.net/FreeBuf_/article/details/132172255