Researchers have demonstrated for the third time how hacking into the key fob of a Tesla can allow someone to access and steal the car in minutes. The new attack again shows a security vulnerability in the keyless entry system of one of the most expensive electric vehicles (EVs) on the market.
Researchers from the Computer Security and Industrial Cryptography (COSIC) group, an Imec research group at the University of Leuven in Belgium, have “discovered major security flaws” in the key fob of the Tesla Model X, the small device that allows someone to automatically unlock the car by approaching the vehicle or pressing a button.
The research team includes PhD student Lennert Wouters, who has already demonstrated two attacks on the keyless entry technology of the Tesla Model S that succeeded in unlocking and starting vehicles. Tesla sells some of the most advanced EVs available, ranging in cost from about $40,000 for the most basic models to more than $100,000 for a top-of-the-line Tesla Model X.
The Model X key fob uses Bluetooth Low Energy (BLE) to interface with a smartphone app to allow for keyless entry, which is where the vulnerabilities lie, researchers said in a press release published online about the hack. Indeed, the use of BLE is becoming more “prevalent” in key fobs so that the devices can communicate with people’s smartphones, researchers noted.
The team detailed the two-stage proof-of-concept attack they staged using a self-made device built from widely available and fairly inexpensive equipment: a Raspberry Pi computer that they purchased for $35 accompanied by a $30 CAN shield; a modified key fob and Electronic Control Unit (ECU) from a salvage vehicle that they bought for $100 on eBay; and a LiPo battery that cost $30. Tesla has already released an over-the-air software update to mitigate the flaws, researchers said.
In the attack’s first step, researchers used the ECU to wirelessly force key fobs to make themselves available as Bluetooth devices, an action that can be achieved at a distance of up to five meters, Wouters said.
“By reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip,” he said in the release. “As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it.”
It then took researchers about a minute and a half at a range of more than 30 meters to gain access to the key fob. Once it was compromised, researchers obtained valid commands to unlock the target vehicle and then gain access to the diagnostic connector inside the car, they said.
“By connecting to the diagnostic connector, we can pair a modified key fob to the car,” said Professor Benedikt Gierlichs, who led the research team. “The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes.”
This is not the first time this team of researchers has demonstrated how Tesla key fobs can be hacked to access and steal a car. They previously hacked into the key fob of a Passive Keyless Entry and Start (PKES) system of a Tesla Model S, and then devised another attack that was successful on the same model after Tesla updated the key fob to fix the flaw that allowed the earlier access.
Tesla cars also have shown other security issues in the past. In 2016, Chinese researchers hacked into several models of the Tesla S series, demonstrating how they could remotely brake the cars as well as freeze control panels, open the trunk while driving, and remotely turn on and off the windshield wipers.
Teslas aren’t the only cars with key fobs vulnerable to takeover that would allow someone to steal vehicles. In 2016, researchers claimed that Volkswagen’s keyless entry system left millions of Volkswagen, Ford and Chevrolet vehicles vulnerable to attack and theft.