The report mentions that this hack also allowed the researchers to extract the unique hardware-bound RSA key.
This key is used by Tesla cars for authentication in its service network. Moreover, the researchers were also able to use this key and voltage glitching to activate software-locked features such as seat heating and ‘Acceleration Boost’ that Tesla car owners usually have to pay for.
How researchers hacked AMD-based infotainment systems in Tesla cars
The researchers were able to hack the infotainment system using techniques based on the team’s previous AMD research. Earlier, the team discovered that AMD-based systems have the potential for fault injection attacks that can extract secrets from the platform.
Tesla’s infotainment APU is based on a vulnerable AMD Zen 1 CPU, which allowed the researchers to apply the previously discovered weaknesses and successfully jailbreak the system.
In a report, the researchers explained: “For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system. First, we present how we used low-cost, off-the-shelf hardware to mount the glitching attack to subvert the ASP’s early boot code. We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distribution.”
After gaining root permissions, the researchers were able to perform arbitrary changes that can survive infotainment system reboots and Tesla’s ‘over-the-air’ updates. Apart from this, the researchers were also able to access and decrypt sensitive information stored on the car’s system. This includes personal data like phonebooks, calendar entries, call logs, Spotify and Gmail session cookies, WiFi passwords as well as locations visited.
How this vulnerability can affect users
Such a jailbreak will allow attackers to extract the TPM-protected attestation key. Tesla uses this key to authenticate the car and verify its hardware platform’s integrity. These keys are also used to migrate the verification process to another car.
The researchers also explained that besides car ID impersonation on Tesla’s network, this vulnerability can also help attackers to use the car in unsupported regions or perform independent repairs and modding.
One of the researchers, Christian Werling, has also outlined the tools that are needed to jailbreak Tesla’s infotainment system. Werling claims that a soldering iron and some other electronic equipment worth $100 will be enough for the hack.