Modern connected vehicles rely on persistent LTE connectivity to enable remote diagnostics, over-the-air (OTA) updates, and critical safety services. While mobile network vulnerabilities are well documented in the smartphone ecosystem, their impact in safety-critical automotive settings remains insufficiently examined. In this work, we conduct a black-box, non-invasive security analysis of LTE connectivity in Tesla vehicles, including the Model 3 and Cybertruck, revealing systemic protocol weaknesses and architectural misconfigurations. We find that Tesla's telematics stack is susceptible to IMSI catching, rogue base station hijacking, and insecure fallback mechanisms that may silently degrade service availability. Furthermore, legacy control-plane configurations allow for silent SMS injection and broadcast message spoofing without driver awareness. These vulnerabilities have implications beyond a single vendor as they challenge core assumptions in regulatory frameworks like ISO/SAE 21434 and UN R155/R156, which require secure, traceable, and resilient telematics for type approval of modern vehicles.