The Tesla cash offer for hacking their Model 3 car at Pwn2Own was introduced last January. A new press release now underlines the existence of serious flaws in the more recent Tesla Model X keyless entry software.
Belgian security analysts from imec-COSIC at the University of Leuven showcase security flaws of Tesla Model X
The issues were brought forward by teams from KU Leuven and Imec research group Computer Security and Industrial Cryptography.
COSIC researchers have hacked Tesla Model S keyless systems in the past. Now they have found out how to gain access to the recent $100,000+ Tesla Model X. This was possible in mere minutes.
How the Tesla Model X Was Hacked
BLE or Bluetooth Low Energy is slowly becoming the method that automakers are using for users to gain access to their vehicles. This phone-as-key method however has shown security vulnerabilities.
The COSIC group was able to wirelessly reverse engineer the communication with the vehicle and tap into updating the software for the key fob. The group found that the software was unsecured, exploited the vulnerability, and was able to take full control of the key.
Furthermore, the group was able to gain access to the diagnostics system which is normally accessible only by technicians, and modify the key fob so that permanent access is granted.
Security researcher Lennert Wouters from the Belgian University KU Leuven stated that by knowing the last five digits of the VIN of the car (visible on the windshield) and standing near to the owner of the car for 90 seconds he was able to clone the key.
Tesla Model X Hacked With Cheap Components
This hack was applied using a device made by the researchers in-house. This consisted of a LiPo battery ($30), a modified key fob, and ECU from a reclaim vehicle ($100). Finally, a CAN shield ($30) and a Raspberry Pi computer ($35) were needed.
The Belgian research group already informed Tesla about the security issue on the 17th of August 2020. This pushed Tesla to work on security updates.
Tesla is currently pushing out an over-the-air software update. They are also working on pushing a firmware update (2020.48) for the key fob to permanently remove the issue.
Unsafe Key-fobs in The Luxury Auto Industry
Security vulnerabilities apparently plague not only Tesla but also other luxury automobiles these days. Start systems and passive keyless entry used mostly in luxury vehicles have not had many issues other than relay attacks. Following recent research, the process of reverse engineering has revealed vulnerabilities.
Specifically, the issue is with 40-bit keys, problems with authentication in challenge-response, and lack of firmware readout protection feature as well as unimplemented security partitioning.
Automakers like Karma, McLaren, and even Triumph motorcycles use a system developed by Pektron. The Pektron system is susceptible to modification and cloning.