Hackers can remotely unlock Tesla by exploiting a Bluetooth vulnerability


Threat actors can conduct a relay attack to unlock and operate Tesla Model 3 or Model Y without the car owner’s permission.

The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system, allowing users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate it with no user interaction required.

NCC Group researchers found that cars with similar technology can be unlocked remotely, meaning that threat actors can break into and operate the vehicles even when authorized devices are out of range.

Researchers were able to unlock and drive a 2020 Tesla Model 3 using a small relay device designed to bridge the gap between the Tesla and its owner’s phone.

NCC Group used a 2020 Tesla Model 3 and an iPhone 13 mini for their experiment.

“In the test setup, the iPhone was placed on the top floor at the far end of a home, approximately 25 meters away from the vehicle, which was in the garage at ground level. The phone-side relaying device was positioned in a separate room from the iPhone, approximately 7 meters away from the phone. The vehicle-side relaying device was able to unlock the vehicle when placed within a radius of approximately 3 meters from the vehicle,” the research reads.

NCC Group has not tested this relay attack against a Model Y. However, given the use of similar technologies, it expects the same type of relay attack would be possible.

NCC Group informed Tesla Product Security of its findings.

“Users should be educated about the risks of BLE relay attacks and encouraged to use the PIN to Drive feature. Consider also providing users with an option to disable passive entry. To reduce opportunities for relay attacks, consider disabling passive entry functionality in the mobile app when the mobile device has been stationary for more than a minute. Also, consider having the mobile application report the mobile device’s last known location during the authentication process with the vehicle so that the vehicle can detect and reject long-distance relay attacks,” NCC Group recommended.