Vehicles are rapidly being upgraded with new and advanced tech as we are now entering an era of driverless vehicles and flying cars. New cars are also getting upgraded features and Tesla is a company that’s well known for offering advanced tech capabilities in its fully electric cars. However, the Tesla Model X, which starts at €88,990, was hacked into by researchers over at the COSIC, an imec research group at the University of Leuven in Belgium.
The security researchers used two weaknesses in the Tesla Model X’s keyless entry system to gain full access to the car and drive away. They used a self-made kit that costs around €168. The researchers notified Tesla of the weaknesses, and the company is pushing a patch that fixes the exploits as part of the 2020.48 over-the-air (OTA) software update.
Hacking into a Tesla in less than 2 minutes
The researchers over at COSIC previously hacked into the Tesla Model S keyless entry system. This time, they discovered some new flaws in the keyless entry system of the Tesla Model X. The car unlocks automatically when its user approaches the vehicle, or when the user presses a button on the wireless key fob, which uses the Bluetooth Low Energy (BLE) protocol. Additionally, a smartphone app by the company can be used to unlock the car, and it also uses BLE to communicate with the car.
The BLE protocol gave researchers a way to break into Tesla Model X’s security. Using a modified Electronic Control Unit (ECU) from a salvaged Model X, they wirelessly forced key fobs to be discovered as BLE devices from a distance of up to 5 meters. Reverse engineering the Tesla Model X key fob, they also found that the BLE interface allows installing remote software updates and this mechanism is said to have been lacking in security.
The researchers were able to wirelessly compromise a key fob and take full control over it. And they could also obtain valid unlock messages to unlock the car later on. “With the ability to unlock the car we could then connect to the diagnostic interface normally used by service technicians. Because of a vulnerability in the implementation of the pairing protocol, we can pair a modified key fob to the car, providing us with permanent access and the ability to drive off with the car”, says Lennert Wouters, PhD student at the COSIC research group.
“To summarise, we can steal a Tesla Model X vehicle by first approaching a victim key fob within about 5 meters to wake up the key fob. Afterwards we can send our own software to the key fob in order to gain full control over it. This process takes 1.5 minutes but can be easily performed over a range of more than 30 meters. After compromising the key fob, we can obtain valid commands that will allow unlocking the target vehicle,” says Dr Benedikt Gierlichs, a researcher at COSIC.
“After approaching the vehicle and unlocking it we can access the diagnostic connector inside the vehicle. By connecting to the diagnostic connector, we can pair a modified key fob to the car. The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes”, he adds.
Self-made hacking kit cost around €168
The researchers over at COSIC made their own kit to hack into the Tesla Model X. It consisted of a portable Raspberry Pi computer equipped with a CAN shield, a modified key fob and an ECU from a salvage vehicle, obtained from eBay, and a LiPo battery to power the circuit. Overall, the kit cost them around €168.
The Belgian researchers informed Tesla about the identified vulnerabilities on the 17th of August 2020. Tesla confirmed the issues and awarded the team’s findings under its bug bounty programme and started working on security updates. As part of the 2020.48 OTA software update, which is now rolling out, a firmware update will be pushed to the key fob to patch the flaw.