Tesla infotainment jailbreak unlocks paid features, extracts secrets
Researchers from the Technical University of Berlin have developed a method to jailbreak the AMD-based infotainment systems used in all recent Tesla car models and make it run any software they choose.
Additionally, the hack allows the researchers to extract the unique hardware-bound RSA key that Tesla uses for car authentication in its service network, and to use voltage glitching to activate software-locked features such as seat heating and 'Acceleration Boost' that Tesla car owners normally have to pay for.
The German researchers shared the full details of their hack with BleepingComputer, which will be published in an upcoming BlackHat 2023 presentation scheduled for August 9, 2023, titled 'Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater.'
The researchers were able to hack the infotainment system using techniques based on the team's previous AMD research, which uncovered the potential for fault injection attacks that can extract secrets from the platform.
Tesla's infotainment APU is based on a vulnerable AMD Zen 1 CPU, so the researchers could build on the previously discovered weaknesses to achieve the jailbreak.
"For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system," explains the researchers' BlackHat briefing summary.
"First, we present how we used low-cost, off-the-shelf hardware to mount the glitching attack to subvert the ASP's early boot code."
"We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distribution."
By gaining root permissions, the researchers were free to perform arbitrary changes that survive infotainment system reboots and Tesla's 'over-the-air' updates.
Moreover, they could access and decrypt sensitive information stored on the car's system, such as the owner's personal data, phonebook, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords, and locations visited.
The jailbreak enables an attacker to extract the TPM-protected attestation key that Tesla uses to authenticate the car and verify its hardware platform's integrity, and migrate it to another car.
Besides car ID impersonation on Tesla's network, this could also help in using the car in unsupported regions or performing independent repairs and modding, explain the researchers.
As for what tools are needed to jailbreak Tesla's infotainment system, one of the researchers, Christian Werling, explains that a soldering iron and $100 worth of electronic equipment, like the Teensy 4.0 board, should be enough to do the trick.
Werling also told BleepingComputer that they responsibly disclosed their findings to Tesla, and the carmaker is in the process of remediating the discovered issues.
"Tesla informed us that our proof of concept enabling the rear seat heaters was based on an old firmware version."
"In newer versions, updates to this configuration item are only possible with a valid signature by Tesla (and checked/enforced by the Gateway)."
"So while our attacks lay some important groundwork for tinkering with the overall system, another software or hardware-based exploit of the Gateway would be necessary to enable the rear seat heaters or any other soft-locked feature." - Christian Werling.
However, the key extraction attack still works in the latest Tesla software update, so the problem remains exploitable for now, Werling told BleepingComputer.
Finally, some news outlets have claimed that the jailbreak can unlock Full Self-Driving (FSD), but the researcher told us this is false.