PT-2022-24044 · Tesla · Tesla Model 3+1

Jun Lu +3 · Published 2022-09-16 · Updated 2025-03-24 · CVE-2022-37709

CVSS v3.1: 5.3 Medium

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Tesla Model 3 version V11.0(2022.4.5.1 6b701552d7a6)
Tesla mobile app version v4.23

Description

Phone Key authentication in the Tesla Model 3 can be bypassed by spoofing. The feature is vulnerable to man-in-the-middle attacks on the BLE channel: by leveraging access to a legitimate Phone Key, an attacker can gain unauthorized access to open the door and drive the car away.

Recommendations

For Tesla Model 3 version V11.0(2022.4.5.1 6b701552d7a6), consider disabling the Phone Key authentication feature until a patch is available.
For Tesla mobile app version v4.23, restrict access to the BLE channel to minimize the risk of exploitation.

Exploit

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2022-37709

Affected Products

Tesla Model 3
Tesla Mobile App