A serious vulnerability existed in the Tesla Model X key fob that could allow anyone to break into the car. Exploiting the vulnerability, the researchers hacked the Tesla Model X to demonstrate the attack.
Tesla Model X Hacked
Researchers from the COSIC group at the University of Leuven (KU Leuven) in Belgium have shared another interesting experiment on Tesla’s cars. This time, they have hacked the Tesla Model X by exploiting a vulnerability in the keyless entry system.
Sharing their findings via a press release, the researchers revealed a couple of issues that triggered the attack. They reverse-engineered the Tesla Model X key fob to find those issues.
Describing the beginning of the attack, they stated,
“Using a modified Electronic Control Unit (ECU), obtained from a salvage Tesla Model X, we were able to wirelessly (up to 5m distance) force key fobs to advertise themselves as connectable BLE devices. By reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip.”
Specifically, the first vulnerability existed in the way Tesla upgraded the key fob firmware. This allowed the attackers to compromise the key fob. By gaining full control of it, the researchers could also unlock the car.
Once done, they found another issue in the pairing protocol implementation. Exploiting this vulnerability allowed them to pair a modified key fob to the car, which allowed them to steal the car right away.
Attack Demo
To conduct the attack, they merely had to wait for an approaching victim to wake up the key fob. They could do so from a distance of 5 meters.
Then, they could compromise the key fob via a malicious update, and proceed with the attack. Taking over the key fob took only about 1.5 minutes and could work from even 30 meters. After that, they simply had to steal the unlock messages to unlock the car later.
The entire process required only a few components to build a rig for under $200. Specifically, the researchers used “a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob and ECU from a salvage vehicle ($100 on eBay), and a LiPo battery ($30).”
The following video demonstrates the attack scenario.
Tesla Rolled Out The Fix
Upon discovering the vulnerability, the researchers reported the matter to Tesla in August 2020. The tech giant confirmed the bug and released a fix with the 2020.48 over-the-air software update.
Since the updates are already out, users need not worry about their cars being stolen. However, they should make sure the update is installed.
Previously, in 2018, the same team hacked the Tesla Model S to demonstrate the vulnerability.