HEXACON2024 – 0-click RCE on Tesla Model 3 through TPMS Sensors by David Berard & Thomas Imbert

**Summary:**
The video presents a detailed analysis of vulnerabilities in the Tesla Model 3’s VCC (Vehicle Control Computer) ECU by security researchers David Berard and his team. The research focuses on an exploit involving the Tire Pressure Monitoring System (TPMS). Through reverse engineering, they discovered a security flaw that could allow remote code execution.

**Keypoints:**

  • The research team includes David Berard and fellow security experts working on Tesla vulnerabilities.
  • Previous exploits included attacks via Wi-Fi and Bluetooth, affecting the infotainment system and security gateway.
  • In April 2023, the team focused on remote entry points in the Tesla Model 3, specifically within the VCC ECU.
  • The VCC ECU manages physical access to the vehicle and incorporates the TPMS implementation.
  • TPMS transmits data regarding tire pressure and temperature, now leveraging Bluetooth Low Energy (BLE) for communication.
  • A vulnerability was found in the TPMS enrollment message, allowing unauthorized access to the ECU.
  • Reverse engineering commenced on VCC firmware obtained from the Tesla infotainment file system.
  • The vulnerability permitted remote code execution by exploiting insufficient checks on the TPMS certificate.
  • The team successfully demonstrated exploitation by interacting with the vehicle’s CAN bus, opening and starting the car.
  • Tesla released a patch addressing the discovered vulnerabilities, implementing further security measures.
  • Researchers emphasize the critical nature of the VCC ECU and its role in vehicle security.

  • YouTube Video: https://www.youtube.com/watch?v=R33cR3ZMTxM
    YouTube Channel: Hexacon
    Video Published: 2024-11-06T09:03:47+00:00