Two weaknesses exposed
“To summarize, we can steal a Tesla Model X vehicle by first approaching a victim key fob within about 5 meters to wake up the key fob. Afterwards we can send our own software to the key fob in order to gain full control over it. This process takes 1.5 minutes but can be easily performed over a range of more than 30 meters. After compromising the key fob, we can obtain valid commands that will allow unlocking the target vehicle. After approaching the vehicle and unlocking it we can access the diagnostic connector inside the vehicle. By connecting to the diagnostic connector, we can pair a modified key fob to the car. The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes”, says Dr. Benedikt Gierlichs, researcher at COSIC.
The proof of concept attack was realized using a self-made device (see the video) built from inexpensive equipment: a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob and ECU from a salvage vehicle ($100 on eBay) and a LiPo battery ($30).
The Belgian researchers first informed Tesla of the identified issues on the 17th of August 2020. Tesla confirmed the vulnerabilities, awarded their findings with a bug bounty and started working on security updates. As part of the 2020.48 over-the-air software update, that is now being rolled out, a firmware update will be pushed to the key fob.
