Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades
Sorry Elon, but this appears to be unpatchable.
Teslas are among the most popular electric cars on the market, which makes them an easy target for hackers. Now, a team of security researchers from TU Berlin has found a way to exploit the MCU found in modern Tesla vehicles to unlock paid features and more. To execute the attack, the researchers exploited a known flaw in AMD's processor that controls Tesla's MCU.
In Tesla parlance, MCU stands for Media Control Unit, and it controls the touch screen, navigation, and entertainment systems. MCU0/1 refers to the first generation (Nvidia Tegra-based), while MCU2 is the second generation (Intel Atom). MCU-Z refers to the third generation based on a custom AMD Ryzen SoC. MCU-Z is the subject of the researchers' attention.
According to the researchers, they used a voltage fault injection attack (a certain class of attacks) against the MCU-Z. This class of attacks is also known as 'voltage glitching,' and is a known attack vector for Zen 2- and Zen 3-based processors; it also affects the Ryzen SoC used in Tesla's MCU-Z. Utilizing multiple connections to the power supply, BIOS SPI chip, and SVI2 bus, the researchers performed a voltage fault injection attack on the MCU-Z's Platform Security Processor. With a successful attack, objects stored in the Trusted Platform Module (TPM) can be decrypted.
"Our gained root permissions enable arbitrary changes to Linux that survive reboots and update," the researchers explain. "They allow an attacker to decrypt the encrypted NVMe storage and access private user data such as the phonebook, calendar entries, etc."
Unsurprisingly, this exploit can provide access to various Tesla subsystems and even optional content usually locked behind a paywall. Depending on the Tesla vehicle in question, some features are software locked and can be purchased and enabled after delivery using the vehicle's touch screen system or via the Tesla app.
"Hacking the embedded car computer could allow users to unlock these features without paying," the TU Berlin researchers add. For example, 2021 Model 3 SR+ vehicles can enable the Cold Weather Feature (heated steering wheel, heated rear seats) for an extra $300. This feature unlock is confirmed to work with the exploit.
Tesla Model Y Long Range owners can also pay $2,000 for Acceleration Boost, which decreases the 0-60 times of the vehicle from 4.8 seconds to just 4.2 seconds. Pricier options include Enhanced Autopilot, which costs $6,000, and Full Self-Driving, priced at an eye-searing $15,000. In an email to Tom's Hardware, one of the researchers clarified that not all Tesla software upgrades are accessible, so it remains to be seen if those premium options will also be ripe for picking.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
What's interesting to note about this flaw is that it is "unpatchable," meaning that Tesla has no known mitigation solutions to counter it. Another consequence is that the exploit can "extract an otherwise vehicle-unique hardware-bound RSA key used to authenticate and authorize a car in Tesla's internal service network."
What does that mean in English? Suppose a Tesla vehicle was totaled in a severe crash or flooded. It would be flagged in Tesla's system as such and would not be eligible for access to Tesla services, like the Supercharging network. However, this could allow a salvage-titled Tesla to access the Supercharging network, much to the chagrin of Tesla, which wouldn't want to risk damage to its charging hardware with a busted car.
The TU Berlin team (consisting of PhD students Christian Werling, Niclas Kühnapfel, and Hans Niklas Jacob, along with security researcher Oleg Drokin) will present their findings next week (August 9) at the Blackhat conference in Las Vegas, where we hope to hear more about all the feature upgrades that are accessible. Werling and Jacob were also on the team responsible for discovering the original faulTPM voltage fault injection attack.
**Updated August 3 @ 4:51 PM ET**
The article was updated with clarification from the TU Berlin researchers on which feature upgrades are confirmed to work with the exploit.
Brandon Hill is a senior editor at Tom's Hardware. He has written about PC and Mac tech since the late 1990s with bylines at AnandTech, DailyTech, and Hot Hardware. When he is not consuming copious amounts of tech news, he can be found enjoying the NC mountains or the beach with his wife and two sons.
-
Giroro You never own your Tesla, you merely pay for it.Reply
It's like I've been saying: we'll never fully win the Right to Repair until we reclaim our right to own. -
Endymio
In other words, you have ethics and morals -- except for people you don't like. Got it.hotaru251 said:Usually not a person who cheers this stuff, but its Tesla & musk...git rekt. -
Eximo A two sided problem.Reply
On the one hand, they only have to manufacture one vehicle type (simplifying here, I know there are several models and sub-models) and sell the same model at different prices to different people. So some people get savings and some people get the features.
On the other hand, the R&D is going to happen regardless. Why not let everyone have the feature if you went to the trouble of updating the software on the car in case they decided to pay. Even if they raised the price of the vehicles by 5%, people likely wouldn't notice or car that much and rather than getting $15,000 from 10000 people they could get $1500 from 100,000 people and then everyone would have the feature and the company wouldn't lose out on the profit.
I think it really comes to down to exclusivity marketing.
My car has at least one feature like that where I can pay extra for something the vehicle already has in hardware. In that case the R&D cost is literally zero, so that is really stupid. -
hotaru251
not reallyEndymio said:except for people you don't like.
even ppl I dont like i generally dont want to have bad thigns happen to.
Just tesla (its awful and started whole casr as a service thing) & Musk is constantly doing stupid crap.
profit.Eximo said:Why not let everyone have the feature if you went to the trouble of updating the software on the car in case they decided to pay.
Business has to be good for them to not change it. Meaning enough ppl pay to make it worth keeping.
Also some places don't let vendors change price of cars too much (iirc Canada has a law that limits it). -
TerryLaze
It's not just R&D , for example the completely self driving thing would need a lot of compute or at least support of some kind from the cloud, that's a lot of money tesla has to provide for that feature every month it's not a one and done thing.Eximo said:In that case the R&D cost is literally zero, so that is really stupid.
The higher acceleration probably kills the battery way sooner which is also a higher cost for tesla. -
Eximo
Obviously. A fine example of the old supply & demand A-B-C pricing.hotaru251 said:profit.
You can generate more profit selling the exact same thing at three different prices.
They made that illegal, and yet here we are... -
Eximo TerryLaze said:It's not just R&D , for example the completely self driving thing would need a lot of compute or at least support of some kind from the cloud, that's a lot of money tesla has to provide for that feature every month it's not a one and done thing.
The higher acceleration probably kills the battery way sooner which is also a higher cost for tesla.
I understand that the cloud services is the justification/loophole that the auto industry is using at the moment.
But the stupid examples like heated seats and changing a bit in a car to allow higher power output costs them nothing. Or that time Toyota accidentally disabled everyone's remote start on accident because remote start via app was tied to keyfob remote start.
I think it is GM that is basically killing On Star on vehicles after they are a certain age (might have to find that one again, it was really disappointing)
Assuming Tesla has any need to do a warranty battery replacement. I would be more worried about the motor controllers popping an IGBT. -
TerryLaze So basically every ps and xbox console is also possible to jailbreak right?!Reply
This could be really terrible for AMD, every big customer could stop using their APUs and it's the only thing that makes them money at times of low PC/GPU sales. -
Eximo TerryLaze said:So basically every ps and xbox console is also possible to jailbreak right?!
This could be really terrible for AMD, every big customer could stop using their APUs and it's the only thing that makes them money at times of low PC/GPU sales.
They don't use the same silicon, surely. Article is a little vague saying it is a flaw in Zen 2 and 3 cores though, so it might apply to anything with fTPM?