A team of students at the Technical University of Berlin has found a way to unlock premium Tesla features behind a paywall, including Full Self-Driving (FSD) and heated rear seats.
The hardware exploit relies on a vulnerability in AMD-based vehicle infotainment systems that allows hackers to unlock restricted vehicle features.
The researchers devised a technique to bypass the AMD Secure Processor (ASP), a dedicated security processor that validates code before it is executed to help ensure data and application integrity. According to the researchers, they used a voltage fault injection attack against the MCU-Z.
Using this method, they were able to gain root access, run arbitrary software on the MCU-Z (MCU 3), and unlock some premium in-vehicle features.
“Our gained root permissions enable arbitrary changes to Linux that survive reboots and updates. They allow an attacker to decrypt the encrypted NVMe storage and access private user data such as the phonebook, calendar entries, etc. On the other hand, it can also benefit car usage in unsupported regions. Furthermore, the ASP attack opens up the possibility of extracting a TPM-protected attestation key Tesla uses to authenticate the car. This enables migrating a car's identity to another car computer without Tesla's help whatsoever, easing certain repairing efforts,” the researchers wrote.
Currently, it’s unclear which paid features can be accessed via the jailbreak. According to the researchers, not all software upgrades are accessible. Depending on the model and year, upgrades can range from extras like heated rear seats to acceleration boosts and full self-driving capabilities.
The team will present their findings at the Black Hat conference in Las Vegas on August 9, 2023.