TOKYO—A security researcher has discovered that anybody with a smartphone or other Bluetooth-compatible device can pick the location of a Tesla Model 3 out of the ether. And he’s developed an app to prove it.
Bluetooth security expert Martin Herfurt, based near Salzburg, Austria, discovered what he describes as an “epic self-pwn” on Tesla’s part, in June, after purchasing a new black Model 3 sedan. (He named his after the famous robot-car KITT, the vehicle star of the Knight Rider TV show.)
While he was “playing around” with the car and its app, he noticed that by design, it constantly beams out an iBeacon unique identifying number over Bluetooth Low-Energy, or BLE. The identifier allows the Tesla app (for the Android or iOS mobile operating systems) to unlock and start the car whenever the phone is near the vehicle, without having to use the car’s physical key fob. Tesla calls the feature Phone Key. (A Tesla outage over Labor Day locked some Phone Key users out of their cars for a short time.)
The convenience that Phone Key provides is coupled with a key personal-security and privacy vulnerability, Herfurt says: The identifier is not encrypted, or randomized, thus allowing the car to be tracked. By following the iBeacon of any Tesla with the feature—currently only in the Model 3 but, according to tweets in May 2018 by Tesla founder and CEO Elon Musk, soon coming to Model S and Model X vehicles—someone could track its whereabouts. And he cautions that if he can figure out how to track an individual Tesla by its BLE-beamed identifier, less scrupulous hackers can as well.
“There’s a protocol in place that [Tesla’s security team members] could use to randomize it,” Herfurt says, “but they haven’t.”
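To make the static-identifier problem concrete, the following added example (not code from Herfurt, Tesla Radar, or Tesla) parses the standard iBeacon frame out of raw BLE advertisements captured from a device you own and reports any identifier that never rotates. The function names, the 900-second rotation window, and the sample advertisements are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

APPLE_COMPANY_ID = 0x004C  # iBeacon frames ride in Apple manufacturer-specific data

def parse_ibeacon(adv: bytes):
    """Walk the AD structures of a raw advertisement; return (uuid, major, minor) or None."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return None  # padding or truncated structure
        ad_type, body = adv[i + 1], adv[i + 2:i + 1 + length]
        # 0xFF = manufacturer data; 0x02 0x15 = iBeacon type and payload length
        if ad_type == 0xFF and len(body) == 25 and body[2:4] == b"\x02\x15":
            if struct.unpack_from("<H", body)[0] == APPLE_COMPANY_ID:
                major, minor = struct.unpack_from(">HH", body, 20)
                return body[4:20].hex(), major, minor
        i += 1 + length
    return None

def audit_rotation(observations, window_s=900):
    """observations: (unix_time, raw_adv) pairs from your own device.
    Returns identifiers still visible after window_s seconds (assumed threshold)."""
    seen = defaultdict(list)
    for ts, adv in observations:
        ident = parse_ibeacon(adv)
        if ident:
            seen[ident].append(ts)
    spans = {ident: max(t) - min(t) for ident, t in seen.items()}
    return {ident: span for ident, span in spans.items() if span > window_s}

def make_adv(uuid_hex, major, minor):
    """Build a constructed iBeacon advertisement (flags + manufacturer data)."""
    body = (struct.pack("<H", APPLE_COMPANY_ID) + b"\x02\x15" +
            bytes.fromhex(uuid_hex) + struct.pack(">HHb", major, minor, -59))
    return bytes([0x02, 0x01, 0x06, len(body) + 1, 0xFF]) + body

STATIC_UUID = "00112233445566778899aabbccddeeff"  # constructed sample value
# Constructed capture: one beacon that never changes, one that rotates hourly.
SAMPLE = [(t, make_adv(STATIC_UUID, 1, 2)) for t in (0, 3600, 7200)]
SAMPLE += [(t, make_adv(u * 16, 1, 2)) for t, u in ((0, "aa"), (3600, "bb"), (7200, "cc"))]

if __name__ == "__main__":
    for ident, span in audit_rotation(SAMPLE).items():
        print(f"static identifier {ident} persisted for {span} s")
```

A beacon whose identifier rotates inside the window produces no finding, which is the behavior randomization would give.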
In July, after reaching out to Tesla’s product security team to raise his concerns, Herfurt received responses indicating that while the company understands that it could update the feature to more securely broadcast iBeacon, it has no plans to do so.
“BLE tracking is something we’ve discussed internally, and we revisited this discussion after receiving your report. However, our current assessment is that randomizing BLE identifiers would not result in significant privacy gains due to the ubiquity of automated license plate readers,” or ALPRs, a member of the team wrote in an email Herfurt shared with The Parallax. “We’ll likely revisit this issue periodically, as technology and ALPR regulations evolve.”
Herfurt, dissatisfied with Tesla’s response and determined to convince the company to change its mind, built an Android app called Tesla Radar to visualize and gamify Tesla tracking. With just his phone and the app, he’s able to locate all Tesla Model 3s within 50 meters, though he says the range can be easily extended with a directional antenna, possibly to reach up to a mile away. It also uses a leaderboard to track who’s spotted the most Tesla Model 3s, and it breaks down the results by app username, geographic region, and country. (As of this writing, Tesla Radar user Thomas’ app, based in the Netherlands, has picked up 1,952 Tesla Model 3 iBeacons.)
On a subway ride last week here to the Tokyo Motor Show, which among other things exhibited a hoverbike set to go on sale in 2020, a Toyota car that can adjust a ride based on a driver’s facial expressions, and a Mercedes-Benz that can drive 700 km on a single charge, Herfurt noted one big difference between ALPRs, which typically scan license plates at a single location, and BLE trackers.
With BLE tracking, “I know the exact location of any ID being spotted,” he says. And as a driver, he adds, “you can turn off sending data to Tesla, but you can’t disable broadcasting” the iBeacons.
Computer security expert Marc Rogers, who serves as Okta’s executive director of cybersecurity, also expressed skepticism of Tesla’s ALPR defense.
“Their ALPR argument is weak because ALPR only allows gated tracking—you have to drive past a sensor to log your position,” Rogers said in a text message. “Radio frequency-based tracking, however, can be done from a distance and largely only requires equipment and line of sight.”
Tesla did not return a request for comment.
In developing the Tesla Radar app, Herfurt took steps to obfuscate the data it collects. It hides the iBeacons from app users by replacing the string of numbers and letters with a different string, and it doesn’t let app users see the specific location of Tesla cars—only a generalized heat map of car locations.
Rogers cautions that BLE technology is only one of several methods to track modern cars. Tire pressure-detecting sensors and radio frequency identification (RFID) tags are just two of the trackable embedded technologies. He also notes that it isn’t yet clear whether the iBeacon could be used to offer benefits to drivers (such as location-based car summoning) beyond Phone Key. It could actually present additional risks, he adds, imagining a hacker spoofing a car’s iBeacon to gain access to it.
“The use of iBeacons as a security control in remotely interacting with the vehicle should probably be examined in detail,” Rogers said. “This is another, possibly easier way to track a connected vehicle (no indication it’s isolated to Tesla), which is a continuation in the trend for IoT devices to be trackable by their data exhaust.”
Connected-car security researcher Tim Brom of Grimm says that of the current ways to track a car, BLE is easier because it doesn’t require specialized hardware.
“It does lower the bar for making it easier for tracking the vehicles. It is a privacy concern, if you’re a high-value target of any kind” or worried about stalkers, Brom says.
Herfurt, who describes himself as a “fan” of Tesla and admires its “ambition,” says he’s concerned that the company might be against adding encryption to iBeacon broadcasting because it could “add complexity to the overall product.”
Like most tech companies today, he says, “They develop features first and security second.”