Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades

Brandon Hill

August 3, 2023 at 1:42 PM·4 min read

Teslas are among the most popular electric cars on the market, which makes them an easy target for hackers. Now, a team of security researchers from TU Berlin has found a way to exploit the MCU found in modern Tesla vehicles to unlock paid features and more. To execute the attack, the researchers exploited a known flaw in AMD's processor that controls Tesla's MCU.

In Tesla parlance, MCU stands for Media Control Unit, and it controls the touch screen, navigation, and entertainment systems. MCU0/1 refers to the first generation (Nvidia Tegra-based), while MCU2 is the second generation (Intel Atom). MCU-Z refers to the third generation based on a custom AMD Ryzen SoC. MCU-Z is the subject of the researchers' attention.

According to the researchers, they used a voltage fault injection attack (a certain class of attacks) against the MCU-Z. This class of attacks is also known as 'voltage glitching,' and is a known attack vector for Zen 2- and Zen 3-based processors; it also affects the Ryzen SoC used in Tesla's MCU-Z. Utilizing multiple connections to the power supply, BIOS SPI chip, and SVI2 bus, the researchers performed a voltage fault injection attack on the MCU-Z's Platform Security Processor. With a successful attack, objects stored in the Trusted Platform Module (TPM) can be decrypted.

"Our gained root permissions enable arbitrary changes to Linux that survive reboots and update," the researchers explain. "They allow an attacker to decrypt the encrypted NVMe storage and access private user data such as the phonebook, calendar entries, etc."

Unsurprisingly, this exploit can provide access to various Tesla subsystems and even optional content usually locked behind a paywall. Depending on the Tesla vehicle in question, some features are software locked and can be purchased and enabled after delivery using the vehicle's touch screen system or via the Tesla app.

"Hacking the embedded car computer could allow users to unlock these features without paying," the TU Berlin researchers add. For example, 2021 Model 3 SR+ vehicles can enable the Cold Weather Feature (heated steering wheel, heated rear seats) for an extra $300. This feature unlock is confirmed to work with the exploit.

Tesla Model Y Long Range owners can also pay $2,000 for Acceleration Boost, which decreases the 0-60 times of the vehicle from 4.8 seconds to just 4.2 seconds. Pricier options include Enhanced Autopilot, which costs $6,000, and Full Self-Driving, priced at an eye-searing $15,000. In an email to Tom's Hardware, one of the researchers clarified that not all Tesla software upgrades are accessible, so it remains to be seen if those premium options will also be ripe for picking.

What's interesting to note about this flaw is that it is "unpatchable," meaning that Tesla has no known mitigation solutions to counter it. Another consequence is that the exploit can "extract an otherwise vehicle-unique hardware-bound RSA key used to authenticate and authorize a car in Tesla's internal service network."

What does that mean in English? Suppose a Tesla vehicle was totaled in a severe crash or flooded. It would be flagged in Tesla's system as such and would not be eligible for access to Tesla services, like the Supercharging network. However, this could allow a salvage-titled Tesla to access the Supercharging network, much to the chagrin of Tesla, which wouldn't want to risk damage to its charging hardware with a busted car.

The TU Berlin team (consisting of PhD students Christian Werling, Niclas Kühnapfel, and Hans Niklas Jacob, along with security researcher Oleg Drokin) will present their findings next week (August 9) at the Blackhat conference in Las Vegas, where we hope to hear more about all the feature upgrades that are accessible. Werling and Jacob were also on the team responsible for discovering the original faulTPM voltage fault injection attack.

**Updated August 3 @ 4:51 PM ET**
The article was updated with clarification from the TU Berlin researchers on which feature upgrades are confirmed to work with the exploit.

Yahoo Sports
Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race
The value of the Dolphins and Formula One racing is enormous.
Yahoo Sports
PGA Championship: Will Zalatoris says group of players considered asking for postponement after death, Scottie Scheffler arrest
It was a surreal day at the PGA Championship.
Yahoo Finance
Housing experts revise mortgage rate forecasts for remainder of 2024
Experts are revising their forecasts about mortgage rates and home prices for the rest of the year.
Yahoo Sports
Oleksandr Usyk defeats Tyson Fury by split decision to become first undisputed heavyweight champion in 24 years
Boxing hadn't had an undisputed heavyweight king since 2000.
Yahoo Sports
Preakness Stakes 2024 winner, payouts, results: Seize the Grey wins at Pimlico, Mystik Dan finishes 2nd, ending Triple Crown bid
Live updates from the 149th Preakness Stakes at Pimlico Race Course in Baltimore
Yahoo Sports
The Mavericks' major gambles pay off as Luka Dončić, Kyrie Irving lead charge to West finals
Shrewd moves and timely deals have the aggressive Mavericks moving on in the postseason — and perhaps to an even better tomorrow.
Yahoo Sports
Report: Fanatics files lawsuit against Cardinals rookie WR Marvin Harrison Jr. for breach of contract
Marvin Harrison Jr., Fanatics said, “rejected or ignored every request” from the company while refusing to fulfill obligations of their contract that was signed last May.
Yahoo Sports
UFC Vegas 92: Piera Rodríguez DQ'd for multiple illegal headbutts vs. Ariane Carnelossi
Rodríguez was warned by the ref to watch her head. She responded by headbutting her opponent even harder.
Yahoo Sports
2024 NBA Mock Draft 7.0: Who will the Hawks take at No. 1? Our projections for every pick with lottery order now set
With the lottery order set, here's a look at Yahoo Sports' projections for both rounds of the 2024 NBA Draft.
Engadget
Apple will reportedly offer higher trade-in credit for old iPhones for the next two weeks
According to Bloomberg’s Mark Gurman, Apple will be offering a little more than usual for some trade-ins starting next week in the US and Canada. That's as long as you're getting one of the iPhone 15 models.
Yahoo Sports
The top RBs for 2024 fantasy football, according to our experts
The Yahoo Fantasy football analysts reveal their first running back rankings for the 2024 NFL season.
Yahoo Sports
NBA Draft Combine reactions: Edey oh my, Bronny James is ready & whose stock is rising? | On the Clock with Krysten Peek
Yahoo Sports NBA draft expert Krysten Peek is back for another season of On the Clock with Krysten Peek. Krysten just spent the week in Chicago at the NBA Draft Combine and kicks off draft season joined by CBS Sports' Kyle Boone.
Yahoo Sports
Caitlin Clark, Fever facing plenty of growing pains early after another blowout loss in home debut
The atmosphere was electric for Clark's home debut and there were brief flashes from the Fever, but it's clear they've got plenty to work on before they can compete with the WNBA's elite teams.
Yahoo Sports
Your favorite WNBA rookies didn’t make the cut. So what’s their path back to the league?
For rookies who were waived, the climb to their pro dreams is steeper, but the path ahead is well-worn with trail markers of established success.
Yahoo Sports
Tyson Fury vs. Oleksandr Usyk full results: Usyk stays undefeated, becomes undisputed with split decision win
Fury and Usyk finally fought for all of the heavyweight titles Saturday with the Ukrainian fighter coming out on top.
Yahoo Finance
Amid uncertainty around Social Security, here's what financial advisers are telling clients
One of the biggest retirement fears is a reduction in Social Security benefits. Here's what advisers say to do to prepare.
Yahoo Sports
Attorneys say Scottie Scheffler likely won't face felony conviction: 'Probably about a zero percent chance'
Scottie Scheffler will likely avoid the most serious charges filed against him stemming from Friday morning's altercation with police.
Yahoo Sports
2024 Wide Receiver rankings for fantasy football
The Yahoo Fantasy football analysts reveal their first wide receiver rankings for the 2024 NFL season.
Yahoo Sports
Indy 500 qualifying: Kyle Larson locks into the field; Rinus Veekay recovers from early crash to get into top 12
Kyle Larson not only qualified for the 1008th running of the Indianapolis 500, he’ll start in one of the first four rows.
Yahoo Sports
PGA Championship: Logjam atop the leaderboard sets up fantastic Sunday
Collin Morikawa and Xander Schauffele are tied for the lead in the 2024 PGA Championship heading into Sunday's final round.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades

Recommended Stories

Dolphins owner Stephen Ross reportedly declined $10 billion for team, stadium and F1 race

PGA Championship: Will Zalatoris says group of players considered asking for postponement after death, Scottie Scheffler arrest

Housing experts revise mortgage rate forecasts for remainder of 2024

Oleksandr Usyk defeats Tyson Fury by split decision to become first undisputed heavyweight champion in 24 years

Preakness Stakes 2024 winner, payouts, results: Seize the Grey wins at Pimlico, Mystik Dan finishes 2nd, ending Triple Crown bid

The Mavericks' major gambles pay off as Luka Dončić, Kyrie Irving lead charge to West finals

Report: Fanatics files lawsuit against Cardinals rookie WR Marvin Harrison Jr. for breach of contract

UFC Vegas 92: Piera Rodríguez DQ'd for multiple illegal headbutts vs. Ariane Carnelossi

2024 NBA Mock Draft 7.0: Who will the Hawks take at No. 1? Our projections for every pick with lottery order now set

Apple will reportedly offer higher trade-in credit for old iPhones for the next two weeks

The top RBs for 2024 fantasy football, according to our experts

NBA Draft Combine reactions: Edey oh my, Bronny James is ready & whose stock is rising? | On the Clock with Krysten Peek

Caitlin Clark, Fever facing plenty of growing pains early after another blowout loss in home debut

Your favorite WNBA rookies didn’t make the cut. So what’s their path back to the league?

Tyson Fury vs. Oleksandr Usyk full results: Usyk stays undefeated, becomes undisputed with split decision win

Amid uncertainty around Social Security, here's what financial advisers are telling clients

Attorneys say Scottie Scheffler likely won't face felony conviction: 'Probably about a zero percent chance'

2024 Wide Receiver rankings for fantasy football

Indy 500 qualifying: Kyle Larson locks into the field; Rinus Veekay recovers from early crash to get into top 12

PGA Championship: Logjam atop the leaderboard sets up fantastic Sunday