Imec researchers unveil flaw in Tesla’s Keyless Entry System
Tesla’s Model X key allows the owner to unlock the car automatically by approaching the vehicle or by pressing a button. Bluetooth Low Energy (BLE) is becoming increasingly common in key fobs because it makes it easier to integrate phone-as-a-key solutions, in which a smartphone app unlocks the car. The Tesla Model X key fob also uses this technology to communicate with the vehicle.
The researchers from Belgium took a closer look at the Tesla wireless locking system. Using a modified electronic control unit (ECU) from another vehicle of the same type, the researchers were able to wirelessly force key fobs to advertise themselves as connectable BLE devices at a distance of up to 5 meters. By reverse engineering the Tesla Model X key fob, the experts discovered that the BLE interface allows remote updates of the software running on the BLE chip. However, this update mechanism was not sufficiently secured. Thus, the researchers succeeded in wirelessly compromising a key fob and taking full control of it. “We were then able to obtain valid release messages to release the car later,” says Lennert Wouters, a PhD student in the COSIC research group.
With the ability to unlock the car, they could then connect to the OBD diagnostic interface normally used by service technicians. Due to a weakness in the implementation of the pairing protocol, they could pair a modified key fob with the car, which gave them permanent access and the ability to drive off with the car at any time. That is much more control over the vehicle than was possible, at least until recently, with the known weakness of conventional keyless entry systems, where the car normally cannot be restarted after it has been parked.
The proof-of-concept attack was implemented with a homemade device built from low-cost equipment: a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob, an ECU from a salvage vehicle ($100 on eBay) and a LiPo battery ($30).
The Belgian researchers informed Tesla about the problems on August 17, 2020. Tesla confirmed the weaknesses, rewarded the findings with a bug bounty and began work on security updates. As part of the 2020.48 software update that is now being released, a firmware update will be downloaded to the key fob.
The same research group had previously hacked the keyless entry system of the Tesla Model S. In the Model X, the carmaker had strengthened the security measures – with limited success, as has now been shown.
More information: www.imec-int.com