
Gone in 120 Seconds: Flaws Enable Theft of Tesla Model X

Electric Car Manufacturer is Pushing Over-the-Air Updates to Patch Software Flaws
Spot the would-be car thief: Researchers cloned a Tesla key fob, in part by lingering near a victim, as dramatized in this video still (Source: KU Leuven)

Tesla Model X electric vehicle owners can opt to pay extra for a model with "ludicrous performance." But unfortunately, researchers have found that no matter the trim level, the Model X hasn't been providing ludicrously good security.


Indeed, with an investment of about $300, researchers from Belgium's University of Leuven - aka KU Leuven - found that they could actively clone a Tesla Model X driver's wireless key fob, and about two minutes later, drive away with the car. A demonstration video posted by the researchers also suggests such an attack could be stealthy, potentially leaving a stolen car’s owner unaware.

KU Leuven has issued a press release about the attack, but it only outlines the bare bones. A Wired report provides more details, although it notes that full details of the attack haven’t been released, because Tesla is in the process of deploying over-the-air updates.

Call the success of the attack ironic: Tesla apparently had all of the security components in place that it would have needed to block such an exploit. But Tesla didn't correctly implement the required features, including validating firmware signatures, the researchers say.

The new research comes two years after KU Leuven researchers successfully cloned a key fob for a Tesla Model S in seconds using a relay attack. Tesla updated its software to mitigate the attack.

Firmware Signatures Need Verifying

The researchers - part of KU Leuven’s Computer Security and Industrial Cryptography, aka COSIC, group - are due to present their findings at the Real World Crypto Symposium, to be held virtually beginning on Jan. 11, 2021.

They say the attack centers on the unlocking mechanism used by a Tesla Model X. The vehicle can be unlocked in one of two ways: approaching the vehicle while carrying a wireless fob keyed to the vehicle, which communicates with the car via Bluetooth Low Energy - aka BLE; or by using a smartphone app that can communicate with the vehicle via BLE.

The fob can accept over-the-air updates to its BLE chip, and researchers say that is where the vulnerability began.

Security researchers have long warned that a firmware best practice is to digitally sign every firmware update and to have the hardware verify that signature before accepting the update. Such checks help block the potential for attackers to push rogue firmware code and surreptitiously take control of the hardware.

But the KU Leuven researchers reverse-engineered the key fob and found that Tesla was not checking the firmware’s signature to ensure that any code updates were legitimate.
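The check described above, as an added illustration that is not Tesla's code or the researchers' tooling: a constructed update-image format (version, payload, Ed25519 signature) with a verifier that rejects unsigned, tampered or rolled-back images before anything is flashed. The image layout, key handling and anti-rollback rule are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (assumption, not any vendor's real format):
//   [4-byte big-endian version][payload][64-byte Ed25519 signature over version||payload]
const sigLen = ed25519.SignatureSize

var errTooShort = errors.New("firmware rejected: image too short")
var errBadSig = errors.New("firmware rejected: signature invalid")
var errRollback = errors.New("firmware rejected: version not newer than installed")

// BuildImage is the vendor-side step: sign version||payload with the release key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(body, version)
	copy(body[4:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side gate that must run before flashing: the signature
// must validate under the pinned release public key, and the version must be newer
// than the installed one so a signed-but-old image cannot be replayed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 4+sigLen {
		return 0, nil, errTooShort
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errBadSig
	}
	v := binary.BigEndian.Uint32(body)
	if v <= installed {
		return 0, nil, errRollback
	}
	return v, body[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed release key pair
	img := BuildImage(priv, 2, []byte("constructed fob firmware v2"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image: version", v, "err", err)
	tampered := append([]byte(nil), img...)
	tampered[6] ^= 0xff // one modified payload byte invalidates the signature
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```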

In this dramatization, a Tesla Model X's key is cloned and then eventually used to 'steal' the car.

Enter the researchers' proof-of-concept attack: Using a modified Body Control Module from a salvaged Tesla Model X, the researchers found that they could force a fob - which might be in a driver's pocket at the time - to wake up. To be successful, they needed to be within about 15 feet of someone in possession of a legitimate fob.

Once the fob was awake, the second stage of the attack involved pushing custom firmware onto the device, which researchers said could be done from up to 90 feet away from a fob.

“As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it,” Lennert Wouters, a doctoral student at COSIC, says in a news release. “Subsequently, we could obtain valid unlock messages to unlock the car later on.”

Unlocking a Second Flaw


More specifically, Wired reports that via their malicious firmware, the researchers were able to query a secure enclave on the fob that generates an unlock code for the car, and then to unlock the vehicle.

But researchers were able to then go one step further: By unlocking the car, they gained physical access to its diagnostic port, located near the front screen inside the vehicle. Subsequently, the researchers found another vulnerability, this time in the vehicle's Bluetooth pairing protocol. By exploiting the flaw, the researchers report that they could then match their modified fob to the car, start the vehicle, and drive it away.

The total cost to boost a Tesla Model X would be around $300. The full list of required ingredients: a Raspberry Pi computer, which costs $35; a CAN shield for $30; a LiPo battery that costs $30; a Body Control Module - the researchers obtained theirs for $100 on eBay; and a key fob to modify, which is also available via eBay and costs around $100.

For would-be attackers with malicious intent, such an outlay wouldn't represent a poor return on investment. A Tesla Model X sport utility vehicle retails for $80,000, or close to $100,000 for models featuring enhanced trim levels, including "ludicrous performance" mode.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
