Tesla’s Model S is vulnerable to a key fob hack attack that could be used by car thieves to steal vehicles. In spite of having appropriate security measures to protect the driving systems of Tesla cars against cyber-attacks, a team of security researchers found a way to remotely hack a Tesla Model S luxury sedan in less than two seconds.
This astonishing discovery was made by the security researchers at Computer Security and Industrial Cryptography (COSIC) group of the Department of Electrical Engineering at the KU Leuven University in Belgium. They have demonstrated how they crack the encryption used in Tesla’s Model S wireless key fob.
The team was able to clone the key fob of Tesla’s Model S from a nearby Tesla owner’s fob using a device consisting of a Raspberry Pi 3 Model B+, Proxmark3, Yard Stick One and a USB battery pack which costs approximately $600. They were able to open the doors and drive away the car without any trace.
As in the case of most automotive keyless entry systems, Tesla Model S key fobs also work by sending an encrypted code to a car’s radios to trigger it to unlock the doors, enabling the car to start. But the researchers found that Tesla uses a keyless entry system built by a manufacturer called Pektron, which uses a weak 40-bit cipher to encrypt those key fob codes.
They then made a 6-terabyte table of all possible keys for any combination of code pairs, and then used the device to capture the required two codes. Using that table and those two codes, it could calculate the correct cryptographic key to spoof any key fob in just 1.6 seconds.
To know more, watch the proof of concept video demonstration which shows the hack in action.
The team had already reported the issue to Tesla last year, but the company addressed it in June 2018 by upgrading the weak encryption. Last month, they have also added an optional PIN as an additional defense.
Tesla was criticized on Twitter for using a weak cipher but a member of the KU Leuven team appreciated Tesla for quickly responding to their report and fixing the issue. Tesla paid the KU Leuven team a $10,000 bounty and plans to add the researchers’ names to its Hall of Fame.