The same researchers hacked the Tesla Model S keyless entry system and now detail how the security measures implemented in the more recent Tesla Model X can be bypassed. They demonstrate how the battery powered Tesla Model X priced at over $100.000 US can be stolen in a few minutes. Tesla has released an over-the-air software update to mitigate these issues.
The Tesla Model X key fob allows the owner to automatically unlock their car by approaching the vehicle, or by pressing a button. To facilitate the integration with phone-as-key solutions, which allow a smartphone APP to unlock the car, the use of Bluetooth Low Energy (BLE) is becoming more prevalent in key fobs. The Tesla Model X key fob is no different and uses BLE to communicate with the vehicle.
“Using a modified Electronic Control Unit (ECU), obtained from a salvage Tesla Model X, we were able to wirelessly (up to 5m distance) force key fobs to advertise themselves as connectable BLE devices. By reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip. As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it. Subsequently we could obtain valid unlock messages to unlock the car later on”, says Lennert Wouters, PhD student at the COSIC research group.
“With the ability to unlock the car we could then connect to the diagnostic interface normally used by service technicians. Because of a vulnerability in the implementation of the pairing protocol we can pair a modified key fob to the car, providing us with permanent access and the ability to drive off with the car”, Wouters adds.
Two weaknesses exposed
“To summarize, we can steal a Tesla Model X vehicle by first approaching a victim key fob within about 5 meters to wake up the key fob. Afterwards we can send our own software to the key fob in order to gain full control over it. This process takes 1.5 minutes but can be easily performed over a range of more than 30 meters. After compromising the key fob, we can obtain valid commands that will allow unlocking the target vehicle. After approaching the vehicle and unlocking it we can access the diagnostic connector inside the vehicle. By connecting to the diagnostic connector, we can pair a modified key fob to the car. The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes”, says Dr. Benedikt Gierlichs, researcher at COSIC.
The proof of concept attack was realized using a self-made device (see the video) built from inexpensive equipment: a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob and ECU from a salvage vehicle ($100 on eBay) and a LiPo battery ($30).
The Belgian researchers first informed Tesla of the identified issues on the 17th of August 2020. Tesla confirmed the vulnerabilities, awarded their findings with a bug bounty and started working on security updates. As part of the 2020.48 over-the-air software update, that is now being rolled out, a firmware update will be pushed to the key fob.
Imec (imec-int.com) is a world-leading research and innovation hub in nanoelectronics and digital technologies. The combination of our widely acclaimed leadership in microchip technology and profound software and ICT expertise is what makes us unique. By leveraging our world-class infrastructure and local and global ecosystem of partners across a multitude of industries, we create groundbreaking innovation in application domains such as healthcare, smart cities and mobility, logistics and manufacturing, energy and education.
As a trusted partner for companies, start-ups and universities we bring together more than 4,000 brilliant minds from over 97 nationalities. Imec is headquartered in Leuven, Belgium and has distributed R&D groups at a number of Flemish universities, in the Netherlands, Taiwan, USA, and offices in China, India and Japan. In 2018, imec's revenue (P&L) totaled 583 million euro.
Imec is a registered trademark for the activities of IMEC International (a legal entity set up under Belgian law as a "stichting van openbaar nut”), imec Belgium (IMEC vzw supported by the Government of Flanders), imec the Netherlands (Stichting IMEC Nederland, part of Holst Centre which is supported by the Dutch Government), imec Taiwan (IMEC Taiwan Co.), imec China (IMEC Microelectronics (Shanghai) Co. Ltd.), imec India (Imec India Private Limited) and imec Florida (IMEC USA nanoelectronics design center).
About KU Leuven
KU Leuven (kuleuven.be) is Europe’s most innovative university. Located in Belgium, it is dedicated to research, education, and service to society. KU Leuven is a founding member of the League of European Research Universities (LERU) and has a strong European and international orientation. Our scientists conduct basic and applied research in a comprehensive range of disciplines. University Hospitals Leuven, our network of research hospitals, provides high-quality healthcare and develops new therapeutic and diagnostic insights with an emphasis on translational research. The university welcomes more than 50,000 students from over 140 countries. The KU Leuven Doctoral Schools train approximately 4,500 PhD students.