Tesla: a flaw makes paid options accessible


“Jailbreaking” or “rooting” your car could become a new trend in hacking, much as some people already exploit flaws in smartphones to unlock extra functions. Researchers from the Technical University of Berlin (TU Berlin) have managed to unlock functions normally hidden behind a paywall.

A growing number of manufacturers let you unlock additional functions after buying your car. These are sometimes available by subscription, or even with a trial period. They may be purely software options, or functions whose hardware is installed in every model, whether or not the car was configured with the option.

To access certain functions illegally, the hackers exploited a known vulnerability, the Zenbleed flaw in the AMD chip that equips the third generation of Tesla hardware (MCU-Z). All recent Teslas are therefore affected by this vulnerability, which requires physical access to the vehicle and is exploited via a voltage glitching technique. “First, it enables Tesla’s first non-patchable AMD-based jailbreak, allowing us to run arbitrary software on the infotainment system,” the hackers explain. “Second, it will allow us to extract a hardware-bound RSA key, otherwise unique to the vehicle, used to authenticate and authorize a car in Tesla’s internal service network.” This second consequence would make it possible to give a new identity to a car destined for destruction after a serious accident, for example, so that it can discreetly keep accessing the manufacturer’s services, such as Superchargers.

Paid functions made accessible

Among the functions the hackers were able to access is, for example, the icy pack of a 2021 Model 3 “SR+” (Standard Range Plus). It includes heated rear seats and a heated steering wheel and is sold for €300 by Tesla. Other, more interesting functions can be purchased after delivery of the car, such as improved acceleration for the Model Y Long Range and, above all, more advanced versions of Autopilot. For now, access to these functions via this jailbreak is not confirmed.

Finally, the permissions obtained also allow “to decrypt encrypted NVMe storage and access user’s private data, such as phonebook, calendar entries, etc.”

Tesla’s reaction to jailbroken cars remains to be seen. The manufacturer could, for example, void their warranty or even bar them from Superchargers.
