Jailbreaking Tesla Infotainment Systems

With newer cars being computers on wheels, some manufacturers are using software to put features behind a paywall or thwarting DIY repairs. Industrious hackers security researchers have taken it upon themselves to set these features free by hacking a Tesla infotainment system. (via Electrek)

The researchers from TU Berlin found that by using a voltage fault injection attack against the AMD Secure Processor (ASP) at the heart of current Tesla models, they could run arbitrary code on the infotainment system. The hack opens up the double-edged sword of an attacker gaining access to encrypted PII or a shadetree mechanic “extracting a TPM-protected attestation key Tesla uses to authenticate the car. This enables migrating a car’s identity to another car computer without Tesla’s help whatsoever, easing certain repairing efforts.” We can see this being handy for certain other unsanctioned hacks as well.

The attack is purported as being “unpatchable” and giving root access that survives reboots and updates of the system. Since AMD is a vendor to multiple vehicle companies, the question arises as to how widely applicable this hack is to other vehicles suffering from AaaS (Automotive as a Service).

Longing for a modern drivetrain with the simplicity of yesteryear? Read our Minimal Motoring Manifesto.

22 thoughts on “Jailbreaking Tesla Infotainment Systems

  1. Do they have to cut a trace to voltage glitch the secure processor?
    I’d assume AMD/Tesla didn’t make it easy…I expect an internal voltage cap and internal clock on a secure chip, all potted in. Not like voltage and clock glitches are new.

    Assuming ‘pants on head’ from AMD and/or Tesla.
    I assume timing from reset is critical.
    Perhaps 555 involved. Unlikely. Still not something you can do with a knockoff OBD dongle.

    1. My sister has one (Model S) and it’s pretty comfy. Build quality is terrible though, everything squeeks and rattles. Build quality of my Toyota is much much much better. Also, designs are boring (ok except for the Cybertruck I love that design). I wish I had the money to buy a Cybertruck and put a Hemi in it.

      I’d love to own an NA miata. Sadly, I don’t fit. I’d have to drive it with the top down so I can look over the windshield. Even the ND is too small. Even tried to sit in someones NA with modified rails so the seats are lower and I’m still too tall for it. I would have bought one years ago if I could fit

      1. I am guessing you haven’t tried losing the seat entirely and making a micro bead foam insert? Seems the next logical move. Although I hear 1st gen Lotus Elise had a very minimal seat (source: Project Mosquito on Youtube)

    1. I still find it strange that people buy cars that can upload telemetry of every place that the car has been, ever time it was accelerated, which roads were used and probably how many passengers including a photo (Cabin Camera).

        1. That is funny. I used to use my Android with no location data. Google maps did /not/ like that. It was doing hundreds of checks per second for GPS data. I would just look out of the windows and see where I was and use Google Maps as a map. They either fixed it or silently started scraping WiFi hotspots for my location 🤷‍♂️

      1. Until it’s used for something negative, no-one cares. I won’t use the “reduce your insurance premium” apps which upload driving stats, for obvious reasons, but I know plenty of people who do in order to save 20 a year. Crazy. Fortunately, in Europe, you can only use the data for the reasons expressly stated – if you collect that stuff and then use it to penalise someone, it would be illegal and open you up to some spectacular fines.

  2. If I might reference Jenny lists minimalist motering manifesto and clusterfuck automotive constructions.
    I had an interior light “dome light” fails to turn off issue recently occur.
    After re-slamming the doors and tickling the switches, I opted to pull the associated fuse, lest the lamps melt the plastic fixtures and cause other fun with excess heating.
    After pulling the fuse I found that this also disables the spedometer (and apparently) the break/wheel rotation sensors….. seriously….? wtf?
    But then I had another vehical that the brake lights and windshield wipers were on the same fuse as the cigar lighter was.
    Yep, lots of fun to learn that one from another driver in rush hour traffic.

    1. Still better than headlights on a Chevy Blazer, had a bi-metallic “breaker” in the plastic headlight switch. Problem was due to the plastic the strips didn’t maintain good contact, so they overheated and tripped due to their own self generated heat.

      If you ever run into this there is a terminal each side of the bi-metallic, and you can move the wire in the harness side to bypass the ‘feature’.

      I would respect Chevy more if they didn’t even try and just shipped it. But every half baked fix they do is worse than just leaving it alone. Like making and installing a little plastic funnel on the block under the oil filter. Sounds like a good idea. But the oil goes uphill, behind the funnel and into a wiring loom and drips out 2′ away! Would have been better to save the engineering and injection mold money.

    1. Yeah, pulling the bulbs was my first thought, but almost need a tool to get the all of interior ones out now , lest you(l) crack the glass envelope.
      Then the outside cargo lights are in fixtures with screw secured cover.
      (rainy day, arthritis and fingers are getting bit tougher to reconcile anymore too. :(

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.