A hacker managed to develop a new key cloning relay attack for Tesla vehicles and demonstrated it on a Tesla Model X.
Tesla was informed of the new attack and it is reportedly pushing a new patch for it.
Thefts of Tesla vehicles are quite rare in North America, but in Europe, they have some more sophisticated thieves that managed a string of Tesla vehicle thefts through relay attacks, and most vehicles haven’t been recovered.
Now Lennert Wouters, a security researcher at Belgian university KU Leuven, claims to have put together a new series of hacks that can get around the new improved cryptography in the key fob.
He explained to the first part of the hack to Wired:
“Wouters’ technique takes advantage of a collection of security issues he discovered in the Model X’s keyless entry system—both major and minor—that together add up to a method to fully unlock, start, and steal a vehicle. First, the Model X key fobs lack what’s known as “code signing” for their firmware updates. Tesla designed its Model X key fobs to receive over-the-air firmware updates via Bluetooth by wirelessly connecting to the computer inside a Model X, but without confirming that the new firmware code has an unforgeable cryptographic signature from Tesla. Wouters found that he could use his own computer with a Bluetooth radio to connect to a target Model X’s keyfob, rewrite the firmware, and use it to query the secure enclave chip inside the fob that generates an unlock code for the vehicle. He could then send that code back to his own computer via Bluetooth. The whole process took 90 seconds.”
Once he is inside the vehicle, there’s a second part to the hack in order to be able to drive away with the Tesla vehicle:
“Even all that clever hacking, however, only got Wouters as far as unlocking the car. To unlock and drive it, he had to go one step further. Once inside the Model X, Wouters found that he could plug his own computer into a port that’s accessible via a small panel under the display. He says this can be done in seconds, without tools, by pulling off a small storage container on the dash. That port lets the computer send commands to the car’s network of internal components, known as a CAN bus, which includes the BCM. He could then instruct the Model X’s actual BCM to pair with his own key fob, essentially telling the car his spoofed key is valid. Though each Model X key fob contains a unique cryptographic certificate that should have prevented the car from pairing with a rogue key, Wouters found the BCM didn’t actually check that certificate. That allowed him—with just a minute of fiddling under the dash—to register his own key to the vehicle and drive it away.”
However, it’s unclear if this second part can be avoided simply by using Tesla’s previously mentioned PIN-to-Drive feature, which requires any driver to enter a PIN to put the vehicle in drive regardless of the key fob.
Nonetheless, Tesla saw some value to Wouters’ hack, which they were informed of back in August according to the hacker.
He says that Tesla told him they are starting to push a software update to patch his hack this week.
Here’s a video demonstration of the hack on a Tesla Model X:
As we previously reported, Tesla has a good relationship with whitehat hackers.
The automaker increased its max payout per reported bug to $15,000 in 2018, and it has ramped up its security team as well as its relationship with hackers through participation in hacking conferences.
Over the last few years, Tesla has brought its cars as targets in the popular Pwn2Own hacking competition.
Cybersecurity has been a top priority at Tesla. You can read more about it in our article: The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he’s a good guy.
Looking to outfit your new Tesla with the best gear?
- Best SSD/USB storage for Tesla Model 3
- Best USB hubs for Tesla Model 3
- Best wireless smartphone chargers for Tesla Model 3
FTC: We use income earning auto affiliate links. More.
Subscribe to Electrek on YouTube for exclusive videos and subscribe to the podcast.