A Belgian researcher has figured out how to clone the EV’s key with about $300 in equipment, but he’s shared the information with Tesla and a fix is coming.
- A security researcher has detailed a pair of unintended flaws, known as “exploits,” that would allow a person to steal a Tesla Model X in minutes.
- The researcher carried off the feat with about $300 in computer hardware items, including a Tesla part found on eBay, as Wired first reported.
- Researcher Lennert Wouters told Tesla of the vulnerability back in August, and Tesla has told Wouters an over-the-air update will be sent out this week to fix the issue.
Automakers work hard to reduce the possibility that hackers can steal their cars. But, it’s an ongoing battle between the people who make the systems in vehicles and those who want to exploit them. Fortunately for Tesla, the latest pair of unintended flaws—known to computer types as “exploits”—were found by a security researcher happy to share his findings, not a group of car thieves with a taste for falcon-winged EVs.
Wired reported about the security researcher, Lennert Wouters from KU Leuven university in Belgium. He discovered a pair of vulnerabilities that allow the researcher to not only get into a Model X, but also start it and drive away. Wouters disclosed the vulnerability to Tesla back in August, and the automaker has told Wouters that an over-the-air patch may take a month to be deployed to affected vehicles. For Wouters’s part, the researcher says that he won’t publish the code or technical details needed for anyone else to pull off this hack. He did post a video demonstration of the system in action.
To steal a Model X in minutes requires the exploitation of two vulnerabilities. Wouters started with a hardware kit costing roughly $300 that sits in a backpack and includes a Raspberry Pi low-cost computer and a Model X body control module (BCM) that he purchased off eBay. It’s the BCM that enables these exploits, even though it’s not from the target vehicle. It acts like a trusted piece of Tesla hardware that allows both exploits to be pulled off. With it, Wouters is able to hijack the Bluetooth radio connection that the key fob uses to open the vehicle using the VIN and coming within 15 feet of the target vehicle’s fob. At that point, his hardware system rewrites the target’s fob firmware and is able to access the secure enclave and get the code to unlock the Model X. He stores that code in his backpack rig and returns to the Model X, which opens up because it believes it’s connected to the original fob.
Essentially, Wouters is able to create a key for a Model X by knowing the last five digits of the VIN—which is visible in the windshield—and standing near the owner of that vehicle for about 90 seconds while his portable setup clones the key.
Once in the vehicle, Wouters has to use another exploit to get the vehicle started. By accessing the USB port hidden behind a panel under the display, Wouters is able to connect his backpack computer to the vehicle’s CAN (Controller Area Network) bus and tell the vehicle’s computer that his spoofed key fob is valid. With that done, the Model X believes a valid key is in the vehicle and willingly starts up and is ready to drive away.
The issue is that the key fob and BCM, while connecting to each other, don’t go the extra step of validating firmware updates to the key fob, giving the researcher access to the key by pretending to send over new firmware from Tesla. “The system has everything it needs to be secure,” Wouters told Wired. “And then there are a few small mistakes that allow me to circumvent all of the security measures.”
Wouters also noted that this type of exploit isn’t unique to Tesla. “They’re cool cars, so they’re interesting to work on,” Wouters told Wired. “But I think if I spent as much time looking at other brands, I would probably find similar issues.”
Tesla has a history of working with security researchers and even offers up a Model 3 every year to the Pwn2Own competition. Wouters won’t share the technical details of his exploit until January at the Real World Crypto conference.