Blog: Automotive Security

Tesla Killer: The Fuzzed and the Furious

Ken Munro 16 May 2019

The Tesla doesn’t have a conventional OBDII port (onboard diagnostics) as such. There’s a connector, but it’s just provided with +12V/ground in order to power things like insurance telematics dongles.

Instead, there’s the Tesla diagnostics connector (X427) which is where things get a bit weird. That connector has access to all five CANbuses on the vehicle. Yes really. Sound unwise to anyone?

Now, as conventional OBDII modules don’t work, the inquisitive among us will often connect an ELM327 Bluetooth module to analyse the traffic and read CAN messages. Like this:

It’ll give you power / battery status / temperatures / voltages, the fun stuff that you never really need to know, but is interesting all the same.

HOWEVER, all the ELM327 modules we’ve looked at have a static, unchangeable Bluetooth PIN of 1234.

Lots of Tesla drivers who have the modules leave them plugged in all the time so they can read stats on their phones. See where this is going yet?

So, to demonstrate what’s achievable against owners’ cars where the Bluetooth module is left connected, we went for a drive.

We fuzzed the CAN hard, essentially replicating existing messages but with random length and content. What happened?

Very quickly we got a LOT of error messages, culminating in the front and then the rear motors going offline, after which the car lost all power.
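For the defender’s side of the traffic described above, here is an added example that is not part of the original post: a small Python check that learns which payload lengths each CAN arbitration ID normally carries from trusted traffic, then flags frames that use an unseen ID, an unexpected length, or arrive in a burst, which is what replayed messages with random length and content look like on the bus. The IDs, payloads and thresholds are constructed placeholders, not real Tesla message definitions.

```python
# Added example (not from the original post): a minimal CAN anomaly check.
# It profiles which payload lengths (DLC) each arbitration ID uses in trusted
# traffic, then flags deviations. All IDs and payloads below are constructed
# sample data, not real vehicle message definitions.
from collections import defaultdict

# Constructed "known good" frames: (timestamp_s, arbitration_id, payload)
BASELINE = [
    (0.000, 0x101, b"\x00\x10\x00\x00\x00\x00\x00\x00"),
    (0.010, 0x101, b"\x00\x11\x00\x00\x00\x00\x00\x00"),
    (0.005, 0x2A0, b"\x7d\x00\x3c"),
    (0.015, 0x2A0, b"\x7e\x00\x3c"),
]


def learn_profile(frames):
    """Return {arbitration_id: set of payload lengths} seen in trusted traffic."""
    profile = defaultdict(set)
    for _, arb_id, payload in frames:
        profile[arb_id].add(len(payload))
    return profile


def classify(frame, profile):
    """Label one frame against the learned profile."""
    _, arb_id, payload = frame
    if arb_id not in profile:
        return "unknown_id"          # ID never seen in trusted traffic
    if len(payload) not in profile[arb_id]:
        return "unexpected_dlc"      # right ID, wrong payload length
    return "ok"


def scan(frames, profile, window_s=0.1, max_per_window=20):
    """Classify each frame in order; also flag a burst of one ID inside window_s."""
    verdicts = []
    recent = defaultdict(list)       # per-ID timestamps inside the sliding window
    for frame in frames:
        ts, arb_id, _ = frame
        verdict = classify(frame, profile)
        recent[arb_id] = [t for t in recent[arb_id] if ts - t <= window_s] + [ts]
        if verdict == "ok" and len(recent[arb_id]) > max_per_window:
            verdict = "burst"        # plausible frames, implausible rate
        verdicts.append(verdict)
    return verdicts
```

A real deployment would learn the profile from a long capture on the target bus and add per-ID timing and payload-range checks; this block only shows the length and rate part of that idea.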

Tesla KILLED

However, all credit to Tesla: the steering and brakes remained operational through the whole process.

The vehicle also came back to life after a full reboot. That’s impressive – other vehicle brands may not have coped so well with the traffic. Brick, anyone?

Still quite scary on a fast road / motorway / freeway though.

We don’t know what ‘Dyno Mode’ is though – big red letters popping up whilst injecting CAN messages are very cool. We can’t find anything online about it. A new Easter egg perhaps?

Conclusion

We are working on refining this demo: fuzzing is rather a crude vector, but we have already managed to identify CAN traffic to kill the battery contactor.

Don’t leave unsecured interfaces to your Tesla (or any vehicle) open, Bluetooth or otherwise.