[Fixed] Is Pin To Drive Really Securing Your Vehicle?

It's not as safe as you might've first thought...


Note: I'll be referring to "Pin To Drive" as P2D throughout this article.

TL;DR

Tesla's P2D feature is (as of 10/July/2022) insecure: with possession of a key that can add new keys to the car, such as a key card, P2D can be bypassed.

Affected Vehicles

  • Tesla Model 3/Y
  • Tesla Model S/X Refresh

Picture This

You give your key card or keyfob to some person you think you can trust, so they can fetch something from your car. You have P2D enabled, so no worries, right? Well, you might be wrong: with a bit of code, you can make a program that bypasses it, and the person with your keyfob just so happened to have made one, and drove away with your car.

How It Works

Tesla's VCSEC (Vehicle Control Secondary) is responsible for Bluetooth Phone Key and a few other minor things. It has been reverse engineered by me and ArchGryphon9362, and documented by me, to the extent that you can create an almost perfect clone of how Tesla uses it. It lets you do many things: unlock and lock the car, open and close the charge port, open (and on most models close) the trunk, open the frunk, and, the one that particularly stands out, remote start. The problem is that remote start doesn't require sending the P2D pin or anything else. You simply use a key card or keyfob linked to the car to add your own Bluetooth key, then remote start the car with that key, and that's it. With some code and a key card/keyfob, you have got around P2D.

More Technical Description

For people who have used VCSEC, or understand how it works, here's a more detailed explanation.

  1. First find the vehicle's BluetoothLE iBeacon, and connect to it
  2. Send a key whitelist request, and use the key card/keyfob to authenticate the request
  3. Generate a message with an RKE_ACTION_REMOTE_DRIVE RKE Action request
  4. Send the message to the car
  5. Within the next 2 minutes, press the brake pedal to start the car, and drive away

How This Could Be Made More Dangerous

Trifinite's Project TEMPA introduced an attack, called the Tesla Authorization Timer Attack, based on the discovery that if the car has been unlocked via NFC within the last 130 seconds, a nearby device is authorized to add its own key. A recommended protection measure against someone driving away with your car using that exploit was to enable P2D. Sadly, since a key has already been added, P2D can now be bypassed and the car driven away at a later time, when the owner is gone.

Note: the authorization timer attack has since been fixed by Tesla.

What Can You Do?

The best things you can do are probably to:

  • Not give your key card to people you don't trust 100%
  • Not unlock your car with your key card (Phone Key can also be exploited in a minor way, although P2D probably can't be bypassed with that)
  • Worst case, disable the Phone Key feature and just use the web API, which prevents all publicly known exploits from working
  • Of course, still keep P2D on!

Potential Fixes By Tesla

There are a few things Tesla could do to fix this. The best solution for everyone would be to require a remote start request to be accompanied by the P2D pin code, so that the car can still be remote started over Bluetooth, but more securely. Another solution would be to remove the feature entirely, but that would limit the possibilities for developers creating Bluetooth Phone Key based automations. I was told that either of these changes could impair summon over Bluetooth (such as with the newer keyfobs), as it relies on this feature to start the car. The simplest solution for that would probably be to create a command specifically for initiating summon.
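To make the proposed fix concrete, here is a simplified model of the vehicle-side decision for a remote start request, added as an illustration and not Tesla's or VCSEC's code: the key ids, the pin storage form, the `pin_gated_drive` switch and the dedicated summon command are all assumptions. It shows the pre-fix policy (any whitelisted key may arm the car) beside the pin-gated one the text suggests.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

class RkeAction(Enum):
    UNLOCK = auto()
    REMOTE_DRIVE = auto()  # stands in for VCSEC's RKE_ACTION_REMOTE_DRIVE
    SUMMON = auto()        # hypothetical dedicated summon command

@dataclass
class Vehicle:
    whitelist: set         # key ids already added with a key card or fob
    p2d_enabled: bool
    pin_hash: bytes        # SHA-256 of the P2D pin; storage form is assumed
    pin_gated_drive: bool  # False models the behaviour before 2022.16.1.2

    def _pin_matches(self, pin: Optional[str]) -> bool:
        if pin is None:
            return False
        digest = hashlib.sha256(pin.encode()).digest()
        return hmac.compare_digest(digest, self.pin_hash)  # constant-time

    def handle(self, key_id: str, action: RkeAction, pin: Optional[str] = None) -> str:
        # Every RKE action needs a whitelisted key; how the key got onto the
        # whitelist (card, fob or the timer attack) is invisible at this point.
        if key_id not in self.whitelist:
            return "rejected: key not whitelisted"
        if action is RkeAction.UNLOCK:
            return "unlocked"
        if action is RkeAction.SUMMON:
            # Assumption: a dedicated summon command does not arm the car for
            # normal driving, so it is not gated by the pin.
            return "summon active"
        # REMOTE_DRIVE arms the car so that a brake press starts it. Before the
        # fix a whitelisted key was enough; the gated variant also wants the pin.
        if self.p2d_enabled and self.pin_gated_drive and not self._pin_matches(pin):
            return "rejected: P2D pin required"
        return "drive enabled"

# Constructed sample data, for demonstration only.
SAMPLE_PIN_HASH = hashlib.sha256(b"1234").digest()
VULNERABLE = Vehicle({"added-phone-key"}, True, SAMPLE_PIN_HASH, pin_gated_drive=False)
FIXED = Vehicle({"added-phone-key"}, True, SAMPLE_PIN_HASH, pin_gated_drive=True)

if __name__ == "__main__":
    print(VULNERABLE.handle("added-phone-key", RkeAction.REMOTE_DRIVE))  # drive enabled
    print(FIXED.handle("added-phone-key", RkeAction.REMOTE_DRIVE))       # rejected: P2D pin required
    print(FIXED.handle("added-phone-key", RkeAction.REMOTE_DRIVE, "1234"))  # drive enabled
```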

Try it yourself

I have created an Android app, called P2DB (Pin To Drive Bypass), which lets you choose your car, press "Hack", tap the key card, and drive away, for educational purposes. Be warned though: don't use this on any car other than your own. The app was also made in a slight rush and has a few glitches; if, within a few seconds of pressing "Hack", it doesn't ask you to tap the key card, simply restart the app and try again. It might take a few tries, as Android is a bit fussy with Bluetooth LE.

You can find it on GitHub:

Credit


Tesla was notified over 4 months ago (on 08/March/2022) and responded that the issue is known but not yet addressed; they have stayed silent on the issue ever since.

Edit: Tesla has finally replied (22/July/2022): this bug has been fixed in 2022.16.1.2 and upwards! So update if you have an update available, and this problem should be mitigated. Now P2D should keep you safe. (Sadly, all they did was remove the command, rather than replace it with something a bit more useful :/)