Sept. 13, 2022 10:43 am EST Christopher Lyzcen/Shutterstock We may just have a bit of unsettling news if you happen to own a Tesla Model Y. In a recent white paper by IOActive security consultant Josep Pi Rodriguez titled "NFC Relay Attack On Tesla Model Y," the researchers discovered a new attack that enables a thief (or thieves, we'll get to that later) to unlock and steal a Model Y electric car. This latest vulnerability comes after a software update eliminates the need for Tesla owners to place their NFC key card in the console between the front seats to shift into D and drive off. The update has enabled owners to drive the car by engaging the brake pedal within two minutes after unlocking the vehicle. But according to a report by Ars Technica, the update came with a flaw: The car could accept new keys within two minutes after unlocking, and the new keys could unlock and start the vehicle without requiring further authentication. It takes two to tango Christopher Lyzcen/Shutterstock The latest Tesla relay attack is a two-person operation. There are three ways to unlock and start a Tesla: Using the key fob, your smartphone, or the standard NFC key card. The latter requires owners to place or tap the NFC card near the embedded NFC reader in the driver's side B-pillar. Tesla recommends always carrying the keycard for backup if your smartphone gets lost, stolen, or runs out of juice. With that in mind, IOActive and Rodriguez reverse-engineered Tesla's NFC protocol to discover a potential weak point in the Model Y's security. The hack involves a person near the car and an accomplice positioned near the owner's NFC card or Tesla key-enabled smartphone. The hacker near your Model Y uses a Proxmark RDV4.0 RFID tool and places it near the NFC reader in the side pillar. The vehicle responds and transmits a "challenge" that the key card needs to "answer." In this case, the Proxmark tool sends the challenge using Bluetooth or Wi-Fi to a smartphone or tablet held by the second hacker lurking near your table at a restaurant or while jogging in the park. The idea is for the accomplice's smartphone to pick up the keycard's response and send it back to the Proxmark tool, and voilà! The thief could unlock the car and drive off. Never too far away