Belgian researchers have demonstrated a 3rd attack on the car manufacturer’s keyless entry system, this time to break into a Model X within just minutes.
Researchers have shown for the 3rd time how hacking into the key fob of a Tesla can let a thief access & steal the car in minutes. This new attack again reveals a security vulnerability in the keyless entry system of one of the most expensive electric vehicles (EVs) available.
Researchers from Computer Security & Industrial Cryptography (COSIC), an Imec research group at the University of Leuven in Belgium, have “discovered major security flaws” in the key fob of the Tesla Model X, the small device that allows someone to automatically unlock the car by approaching the vehicle or pressing a button.
The research team includes PhD student Lennert Wouters, who has already demonstrated 2 attacks on the keyless entry technology of the Tesla Model S that succeeded in unlocking & starting vehicles. Tesla sells some of the most state-of-the-art EVs available, ranging in cost from about £50,000 for the most basic models to more than £100,000 for a top-of-the-line Tesla Model X.
The Model X key fob uses Bluetooth Low Energy (BLE) to interface with a smartphone app to allow for keyless entry, which is where the vulnerabilities lie, researchers said in a press release published online about the hack.
Indeed, the use of BLE is becoming more “prevalent” in key fobs so that the devices can communicate with people’s smartphones, researchers noted.
The team detailed the 2-stage proof-of-concept attack, which they carried out using a self-made device built from widely available & fairly inexpensive equipment: a Raspberry Pi computer that they purchased for $35 accompanied by a $30 CAN shield; a modified key fob & Electronic Control Unit (ECU) from a salvage vehicle that they bought for $100 on eBay; & a LiPo battery that cost $30.
Tesla has already released an over-the-air software update to mitigate the flaws, researchers said.
Electronic Control Unit (ECU)
In the attack’s 1st step, researchers used the ECU to wirelessly force key fobs to make themselves available as Bluetooth devices, an action that can be achieved at a distance of up to 5 meters, Wouters commented.
“By reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip,” he said in the release. “As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob & take full control over it.”
It then took researchers about a minute & a half at a range of more than 30 meters to gain access to the key fob. Once it was compromised, researchers obtained valid commands to unlock the target vehicle & then gain access to the diagnostic connector inside the car, they observed.
“By connecting to the diagnostic connector, we can pair a modified key fob to the car,” explained Professor Benedikt Gierlichs, who led the research team. “The newly paired key fob allows us to then start the car & drive off. By exploiting these 2 weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes.”
The hack is not the 1st time this team of researchers showed how Tesla key fobs can be hacked to access & steal a car.
They previously hacked into the key fob of the Passive Keyless Entry and Start (PKES) system of a Tesla Model S, & then devised another attack that was successful on the same model after Tesla updated the key fob to fix the flaw that had allowed the earlier access.
Tesla cars also have shown other security issues in the past. In 2016, Chinese researchers hacked into several models of the Tesla S series, demonstrating how they could remotely brake the cars as well as freeze control panels, open the trunk while driving, & remotely turn on & off the windshield wipers.
Teslas are not the only cars with key fobs vulnerable to takeover that would allow someone to steal vehicles. In 2016, researchers claimed that Volkswagen’s keyless entry system left millions of Volkswagen, Ford & Chevrolet vehicles vulnerable to attack & theft.