Tesla is currently pushing a new security patch after receiving news of a key cloning relay attack that was successfully demonstrated on a Model X vehicle. This exploit is most commonly used in Europe to steal Teslas and none of the vehicles stolen using this method have been recovered yet.
Recent Tesla security updates include a key fob with improved cryptography and an optional “PIN to Drive” feature. The new exploit takes advantage of weaknesses in these updates, according to security researcher Lennert Wouters at Belgian university KU Leuven.
The university explained in a piece for Wired that Wouters was able to unlock the Model X in less than 90 seconds by exploiting the key fob’s ability to receive updates over a Bluetooth connection. That got him into the car. To actually drive it, he had to take the second step of plugging his own computer into the car’s computer using a port under the panel.
Through that connection he modified the code of the keyless entry component, which Tesla calls the body control module (BCM), so that the Model X accepted a fake key fob as its genuine one, again in under a minute. Wouters could then drive the car away. Key fobs similar to the ones Tesla uses can be bought on eBay for $50 to $100.
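The weakness the article describes in the first step is a key fob that applies firmware it receives over Bluetooth. The following is an added illustration, not code from the article, from Wouters, or from Tesla: it models a fob that applies any image it is sent next to one that only applies an image carrying a valid authentication tag. It assumes, as the article implies but does not state, that the fix is for the fob to verify an update came from the vendor before applying it; the HMAC key, image contents and `KeyFob` class are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a per-device update-authentication key that would be
# provisioned into the fob at manufacture. Hypothetical value, not a real key.
FOB_UPDATE_KEY = b"constructed-fob-update-key-0001"


def sign_update(image: bytes) -> bytes:
    """Vendor side: produce the authentication tag shipped with a firmware image."""
    return hmac.new(FOB_UPDATE_KEY, image, hashlib.sha256).digest()


@dataclass
class KeyFob:
    """Toy model of a key fob that accepts firmware images over its radio link."""
    firmware: bytes = b"factory-firmware-v1"
    verify_updates: bool = True          # False models the weak behaviour
    log: list = field(default_factory=list)

    def receive_update(self, image: bytes, tag: bytes) -> bool:
        """Apply a pushed firmware image; return True if it was applied."""
        if self.verify_updates:
            expected = hmac.new(FOB_UPDATE_KEY, image, hashlib.sha256).digest()
            # Constant-time comparison so the check itself leaks nothing.
            if not hmac.compare_digest(expected, tag):
                self.log.append("rejected: authentication tag does not match image")
                return False
        self.firmware = image
        self.log.append("applied")
        return True


def demo() -> dict:
    """Compare an unchecked fob with a checked one on the same inputs."""
    genuine = b"vendor-firmware-v2"
    unsigned = b"image-of-unknown-origin"     # constructed, not a real payload
    bogus_tag = b"\x00" * 32

    unchecked = KeyFob(verify_updates=False)
    checked = KeyFob(verify_updates=True)

    # A signed image altered by one byte must fail too: the tag covers the whole image.
    tampered = bytearray(genuine)
    tampered[0] ^= 0x01

    return {
        "unchecked_accepts_unsigned": unchecked.receive_update(unsigned, bogus_tag),
        "checked_rejects_unsigned": not checked.receive_update(unsigned, bogus_tag),
        "checked_rejects_tampered": not checked.receive_update(bytes(tampered), sign_update(genuine)),
        "checked_accepts_genuine": checked.receive_update(genuine, sign_update(genuine)),
        "checked_firmware_is_genuine": checked.firmware == genuine,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the comparison is that the radio link is not the problem; the fob trusting whatever arrives over it is. A symmetric HMAC is used here only to keep the example dependency-free; a real device would verify a public-key signature so that no secret capable of producing valid tags has to live on the fob.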
Wouters also discovered another big weakness in Tesla vehicle security in readily available information printed on the car’s windshield. The key fob derives the unique identifier that is used to authenticate the fob from the last five digits of the car’s VIN.
A determined car thief could easily copy that information and, with a little knowledge of the inner workings of a Tesla computer, use it to effectively “reverse engineer” the code used to authenticate the fob. This, of course, would work best if the thief is familiar with the car owner’s daily or weekly driving routine, such as which parking garage he or she usually parks in before going to work.
All this requires a level of sophistication that many car thieves lack, and two and a half minutes can feel like a very long time when the owner may have stepped away for only a moment and could return at any point. A less practised thief might not manage it that quickly at all.
Wouters has also not released the code that made it possible for him to trick the computer into accepting the fake key fob. He said, however, that it’s not that hard to reverse-engineer the process if a sophisticated thief can gain access to the firmware.
“You end up with a BCM that thinks it belongs to the target vehicle,” Wouters says. “I can then force that BCM to instruct key fobs that have the same identifier as that car to wake up, basically.”
If car thieves can pull it off, however, it would be highly tempting to target Tesla vehicles because they tend to depreciate at a slower rate than most cars. They would effectively gain a new Tesla at the price of a key fob purchased on eBay.
The university informed Tesla of the hack in August. Perhaps they simply agreed to keep quiet about it until Tesla was nearly ready to release a patch for the issue. Tesla has not responded to requests for comment on the issue.
Official statements from Tesla simply say that owners should be sure to install new updates in the coming weeks, as they will probably include the new security patch. Enabling the PIN to Drive feature is also a good idea in case the vehicle is targeted.