Electric automaker Tesla has rolled out an over-the-air patch for its Model X vehicles after being informed of a serious vulnerability in its keyless entry system, identified by Belgian academics, which could have enabled criminals to circumvent the $100,000 (£82,000/€83,500) car’s onboard security systems.
The Tesla Model X’s key fob lets its owners automatically unlock their car when approaching it, or by pressing a button, using the Bluetooth Low Energy (BLE) communications standard to talk to the car via a smartphone app.
This process was bypassed by PhD student Lennert Wouters of the University of Leuven’s Computer Security and Industrial Cryptography (Cosic) research group in a proof of concept using a self-made device built from a Raspberry Pi, a modified key fob and engine control unit (ECU) from a salvaged Model X, and other components costing a total of $195 (£144/€162).
“Using a modified ECU, obtained from a salvage Tesla Model X, we were able to wirelessly – up to 5m distance – force key fobs to advertise themselves as connectable BLE devices,” said Wouters.
“By reverse engineering the Tesla Model X key fob, we discovered that the BLE interface allows for remote updates of the software running on the BLE chip. As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it. Subsequently, we could obtain valid unlock messages to unlock the car later on.”
To exploit the vulnerability, a car thief would have needed to get within about 5m of their victim’s key fob to wake it, and then send their own software to it to gain full control. According to Cosic, this process takes about 90 seconds.
Following this, the thief could obtain valid commands allowing them to unlock the vehicle. After gaining access to the onboard diagnostic connector used by service technicians, they would then have had to pair a modified key fob to the vehicle, at which point they could start the vehicle and drive off.
This is the third time in as many years that Wouters has successfully broken into a Tesla vehicle by exploiting its keyfob. In both prior instances, he was able to effectively “clone” the device to gain access.
Erich Kron, security awareness advocate at KnowBe4, said Wouters’ disclosure played an important role in highlighting how increasing the number of internet connections in homes and vehicles in the name of convenience was creating much larger attack surfaces that are cheap to attack, especially compared with the sticker price of a Tesla.
However, he said, this particular vulnerability was not necessarily one for Tesla drivers to be too worried about.
Eric Kron, KnowBe4
“There are a number of steps that need to take place in order to pull it off – while not difficult, it could raise some suspicion if done in a public parking lot or other populated public space,” he said.
“Tesla did a great job quickly fixing the issue with an over-the-air update and the researcher showed responsible reporting ethics by notifying Tesla and allowing it to develop the fix before publicly releasing the vulnerability and the exploit.
“Publicly reporting vulnerabilities like this will help secure vehicles and devices of all manufacturers across many industries and applications,” said Kron.
Jacob Wilson, senior security consultant at Synopsys, added: “Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers, law enforcement, vehicle financers and drivers.
“With consumer demand for Bluetooth and internet-connected vehicle functionality on the rise, it’s more important than ever to ensure these technologies are secure. Wouters’ Tesla Model X research demonstrates the impacts of security requirements and security features not having proper validation. Having thorough software composition analysis and fuzz testing performed against embedded electronics provides a higher level of confidence to thwart these attacks.”