Tesla Model X key fobs could be hacked to steal cars, fix released

Researchers at the University of Leuven in Belgium found vulnerabilities in the keyless entry system of the Tesla Model X that would have allowed attackers to steal the $100,000 car within just a few minutes.

The security bugs allowed taking full control of the key fob and of the car by remotely updating the Tesla Model X's BLE chip with specially crafted firmware.

Once the key fob was compromised, the researchers were able to capture valid unlock messages which allowed them to unlock the car at any time.

"With the ability to unlock the car we could then connect to the diagnostic interface normally used by service technicians," Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group, explained.

"Because of a vulnerability in the implementation of the pairing protocol we can pair a modified key fob to the car, providing us with permanent access and the ability to drive off with the car."

How to take control of a Tesla Model X

To successfully exploit the flaws, attackers would need to get close to the targeted car (under 5 meters), use a modified Electronic Control Unit (ECU) to wake up the key fob, deliver the firmware update to gain full control (from over 30 meters), and unlock the car.

"After approaching the vehicle and unlocking it we can access the diagnostic connector inside the vehicle. By connecting to the diagnostic connector, we can pair a modified key fob to the car," Wouters added.

"The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes."

The researchers' proof-of-concept attack used a device built only with low-priced equipment, including a Raspberry Pi ($35) with a CAN shield ($30), a modified key fob, an ECU from a salvage vehicle (sold for less than $100 on eBay), and a LiPo battery ($30).

Tesla is rolling out security updates

The Belgian researchers reported the security issues to Tesla in August 2020, and the company is now rolling out an over-the-air firmware update to address the issues affecting the SUV's key fob.

The same researchers have also found flaws in the Tesla Model S key fob and Passive Keyless Entry and Start (PKES) system.

The University of Leuven researchers also provide a demonstration video showing the entire process and the tools they needed to take full control of the Tesla Model X.

The Chromium-based infotainment system of the company's Tesla Model 3 was hacked during last year's Pwn2Own competition by Fluoroacetate's Amat Cama and Richard Zhu.

Two years ago, Tesla also amended its responsible disclosure guidelines with clarifications welcoming registered researchers to carry out security tests probing the company's cars for bugs as part of the official vulnerability reporting program.
