Automotive
One flaw made Tesla’s autos easy to steal
Physical keys are so 20th century.
Many carmakers are doing away with keys, instead opting for digital systems that allow you to start a vehicle with a push of a button, a voice command, a key card, or even an app on your smartphone.
But with new technology come new problems. And that is what happened with a Tesla NFC card. An NFC card (Near Field Communication card), a key fob, or a phone app can each unlock a Tesla.
Last year, Tesla rolled out an update for its NFC card entry system. The new card allowed the user to unlock the car, and the vehicle would automatically start within 130 seconds, so the user could drive without using the card a second time. The problem: it also put the car into a state to accept entirely new digital keys, a thief’s dream. If a hacker could enroll a new key, they’d be able to access and start up the vehicle at any time.
The security weaknesses were uncovered by Martin Herfurt, a researcher based in Austria. Herfurt found that once a Tesla was unlocked with an NFC card, anyone with the correct Bluetooth Low Energy device could enroll an unconnected key simply by communicating directly with the car. The Tesla’s owner would receive no alerts or warnings. It’s unknown whether hackers had previously exploited this flaw. But if so, stealing Tesla vehicles would have been relatively easy.
If the owner used the Tesla phone app rather than the keycard, they were still protected. The app only allows keys connected to the owner’s account to be enrolled.
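The design flaw described above comes down to one unlock window authorizing two different things: driving and key enrollment. The following is an added example, not Tesla's code or anything from the original article. It is a simplified model in which the class, the key names and the "corrected" policy (enrollment only for keys linked to the owner's account, plus an owner alert) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

START_WINDOW_S = 130  # window after an NFC unlock, as reported in the article


@dataclass
class Car:
    """Toy model of the car's key-authorization state (an assumption, not Tesla code)."""
    separate_enroll_check: bool   # False = flawed policy, True = corrected policy
    account_keys: frozenset       # key ids linked to the owner's account
    enrolled: set = field(default_factory=set)
    owner_alerts: list = field(default_factory=list)
    unlocked_at: Optional[float] = None

    def nfc_unlock(self, now: float) -> None:
        self.unlocked_at = now

    def window_open(self, now: float) -> bool:
        return self.unlocked_at is not None and 0 <= now - self.unlocked_at <= START_WINDOW_S

    def can_start(self, now: float) -> bool:
        # Driving without a second card tap is the intended convenience.
        return self.window_open(now)

    def enroll_key(self, key_id: str, now: float) -> bool:
        if not self.window_open(now):
            return False
        if self.separate_enroll_check:
            # Corrected policy: the unlock window alone never authorizes enrollment.
            if key_id not in self.account_keys:
                self.owner_alerts.append(f"rejected enrollment of {key_id}")
                return False
            self.owner_alerts.append(f"enrolled {key_id}")
        # The flawed policy reaches this point with no check and no alert.
        self.enrolled.add(key_id)
        return True


def simulate(separate_enroll_check: bool):
    """Owner taps the card at t=0; an unlinked key asks to enroll at t=60."""
    car = Car(separate_enroll_check, frozenset({"owner-phone"}))  # constructed ids
    car.nfc_unlock(0)
    accepted = car.enroll_key("unlinked-key", 60)
    key_persists = "unlinked-key" in car.enrolled  # outlives the 130 s window
    return accepted, car.can_start(60), key_persists, len(car.owner_alerts)


if __name__ == "__main__":
    print("flawed:   ", simulate(False))
    print("corrected:", simulate(True))
```

In both runs the owner can still drive inside the window; only the enrollment outcome and the owner alert differ.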
Tesla is far from the only automaker doing away with traditional keys, and automakers have favored physical keys with embedded chips.
