TL;DR
Researchers have identified a vulnerability in Tesla Wall Connectors that allows bypassing the firmware ratchet, enabling downgrades despite security measures. This could impact device security and update integrity.
Researchers have demonstrated a method to bypass the firmware ratchet in Tesla Wall Connectors, enabling the installation of older firmware versions despite built-in security checks. This development could impact the device’s security model and update process.
The vulnerability was identified through reverse engineering of the firmware update process, specifically targeting the routine 0x201, which enforces the ratchet check. The ratchet prevents downgrades by verifying a version or security level stored in persistent memory (PSM), which is updated only when a higher-ratchet firmware is activated.
The bypass exploits the fact that the bootloader and firmware update routines rely on a partition table and certain routines to validate firmware images, but do not verify the ratchet in the bootloader itself. By inserting a signed, older firmware into the passive slot and manipulating the partition table, an attacker can set the old firmware as active for the next boot without triggering the ratchet check.
This process involves bypassing routine 0x201, which normally validates the firmware’s version and ratchet level before switching slots. Since the ratchet is stored in persistent storage and not checked by the bootloader directly, the device can boot with an older firmware image that appears valid but is actually downgraded.
Why It Matters
This vulnerability undermines the security model of Tesla Wall Connectors, which relies on the firmware ratchet to prevent downgrades that could reintroduce vulnerabilities or weaken security. If exploited, attackers could install older firmware versions, potentially reintroducing bugs or security flaws that were fixed in newer releases. It also raises concerns about the integrity of the update process and the effectiveness of Tesla’s current security measures.
TAPTES Charger Wall Holder Mount/Cable Organizer Wall Connector Adapter for Tesla Motors, Electric Vehicle Charger Wall Mount for Telsa Model 3 Model Y Model S Model X Accessories 2017-2026
Custom Design: TAPTES cable organizer is especially designed for tesla, the charger wall mount customized for American Versions…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background
Tesla’s Wall Connectors use firmware update routines that involve multiple steps, including preparing passive slots, verifying firmware signatures, and updating partition tables. The firmware images contain embedded version and ratchet information, but the bootloader itself does not enforce ratchet checks during boot. Prior to this discovery, the ratchet was believed to be a strong barrier against downgrades. The vulnerability was uncovered through reverse engineering after analyzing firmware update routines and the boot process.
“The ratchet check can be bypassed because the bootloader does not verify the ratchet during boot, only the firmware signature and CRC.”
— Security researcher
“Tesla continuously updates and secures its devices; any vulnerabilities are addressed promptly.”
— Tesla spokesperson (unconfirmed)
Under Dash Cover Emergency Speaker Connector Pigtail Harness Repair Kit Compatible with Tesla 2017-2022 Model 3, 2020-2022 Model Y
Compatible with 2017-2022 Tesla Model 3, 2020-2022 Tesla Model Y
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What Remains Unclear
It is not yet confirmed whether Tesla plans to patch this vulnerability or if it has already been addressed in recent firmware updates. The full scope of the exploit’s impact across all Tesla Wall Connector models remains unclear. Details about potential malicious use or how widespread the vulnerability is are still emerging.
Tesla Remote Meter – Enables Dynamic Power Management in Wall Connector (NACS EV Charger) – for Small Electrical Panels
Compatible with Tesla Wall Connector (NACS) and Tesla Universal Wall Connector (NACS + J1772). Safely charge your Tesla…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What’s Next
Tesla is likely to investigate the vulnerability further and may release firmware updates to patch the bypass. Researchers and security analysts will monitor for official responses and potential fixes. Users are advised to stay informed about firmware updates and security advisories from Tesla.
X AUTOHAUX Security Gateway Bypass Cable Diagnostic Tool Adapter Connector Cable for Dodge for RAM 1500 2500 2018-2020
By using the OBD interface of the car to connect with the computer(OBD interface cannot be directly connected…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Can this vulnerability be exploited remotely?
No, exploitation requires physical access to the device and the ability to perform firmware updates or manipulate partition tables directly.
Does this affect all Tesla Wall Connectors?
The vulnerability was identified in specific firmware versions; its applicability to all models and firmware versions is still being assessed.
Will Tesla release a fix for this vulnerability?
It is uncertain; Tesla has not publicly announced a patch, but it is likely they will address the issue in upcoming firmware updates.
What are the risks of exploiting this vulnerability?
Exploitation could allow installation of outdated firmware, potentially reintroducing security flaws or reducing device security integrity.
