A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, which allows him to steal any car that has not received the latest software update.
Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium, managed to hack the car in just a few minutes, and the attack does not require any expensive gear.
This is Wouters' third Tesla hack; he published two other Tesla attacks in 2018 and 2019.
Wouters stated that this hack was possible due to a flaw in the firmware update process of Tesla Model X key fobs.
The flaw can be exploited using an electronic control unit (ECU) recovered from an older Model X vehicle, which can be obtained easily from online sites like eBay or any store that sells used Tesla parts.
The researcher stated that an attacker can modify the older ECU to trick a victim's key fob into believing the ECU belongs to its paired vehicle, and then push a malicious firmware update to the key fob over the BLE (Bluetooth Low Energy) protocol.
Because this update mechanism was not properly secured, he was able to wirelessly compromise a key fob and take complete control over it. He was then able to obtain valid unlock messages from the fob and use them to unlock the car later.
Below are the steps of the attack in detail:
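As an added illustration (not Tesla's code, nor the researcher's), the fob-side checks whose absence this flaw comes down to: the ECU must prove it holds the pairing secret before an update exchange starts, the image must carry a valid vendor tag, and the version must move forward. HMAC-SHA256 stands in for the public-key signature a real vendor would use, and every key, nonce and image below is constructed.

```python
import hmac
import hashlib
import secrets

# Constructed model of a hardened fob-side update handler, not Tesla's code. HMAC-SHA256
# stands in for the public-key signature a real vendor would use (stdlib-only simplification).
class KeyFob:
    def __init__(self, pairing_key: bytes, update_key: bytes, version: int):
        self.pairing_key = pairing_key  # secret shared only with the paired vehicle's ECU
        self.update_key = update_key    # vendor firmware-authentication key
        self.version = version          # currently installed firmware version
        self.firmware = None
        self._nonce = None

    def challenge(self) -> bytes:
        """Fresh single-use nonce the ECU must answer before any update is accepted."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def apply_update(self, ecu_response: bytes, version: int, image: bytes, tag: bytes) -> bool:
        """Install the image only if the ECU, the version and the image tag all check out."""
        if self._nonce is None:
            return False
        nonce, self._nonce = self._nonce, None
        if not hmac.compare_digest(ecu_authenticate(self.pairing_key, nonce), ecu_response):
            return False  # ECU did not prove it is the paired vehicle (e.g. a salvaged ECU)
        if version <= self.version:
            return False  # anti-rollback: refuse same or older firmware
        if not hmac.compare_digest(sign_firmware(self.update_key, version, image), tag):
            return False  # image was not produced by the vendor
        self.version, self.firmware = version, image
        return True

def ecu_authenticate(pairing_key: bytes, nonce: bytes) -> bytes:
    """Reply a genuine paired ECU computes to the fob's challenge."""
    return hmac.new(pairing_key, b"ecu-auth" + nonce, hashlib.sha256).digest()

def sign_firmware(update_key: bytes, version: int, image: bytes) -> bytes:
    """Vendor-side tag binding the version number to the image."""
    return hmac.new(update_key, b"fw" + version.to_bytes(4, "big") + image, hashlib.sha256).digest()

def scenario() -> dict:
    """Constructed run: genuine update succeeds, salvaged ECU and replayed image are refused."""
    pairing_key, update_key = secrets.token_bytes(32), secrets.token_bytes(32)
    fob, image = KeyFob(pairing_key, update_key, version=3), b"constructed firmware v4"
    tag = sign_firmware(update_key, 4, image)
    genuine = fob.apply_update(ecu_authenticate(pairing_key, fob.challenge()), 4, image, tag)
    rogue = fob.apply_update(ecu_authenticate(secrets.token_bytes(32), fob.challenge()), 5, b"x", b"\0" * 32)
    replay = fob.apply_update(ecu_authenticate(pairing_key, fob.challenge()), 4, image, tag)
    return {"genuine": genuine, "rogue_ecu": rogue, "replay": replay, "version": fob.version}
```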
- An attacker approaches the owner of a Tesla Model X. The attacker has to be within 5 meters of the victim for the modified older ECU to wake up and capture the victim's key fob.
- The attacker now pushes the malicious firmware update to the victim's key fob. This takes around 1.5 minutes, but the range goes up to 30 meters, allowing the attacker to keep their distance from the targeted Tesla owner.
- After the key fob is hacked, the attacker extracts car unlock messages from the key fob.
- The attacker uses these unlock messages to enter the victim’s car.
- The attacker connects the older ECU to the hacked Tesla's diagnostics connector, which is normally used by Tesla technicians to service the car.
- The attacker uses this connector to pair their own key fob to the car, which they later use to start the vehicle. This part also takes a few minutes.
The only drawback of this attack is the relatively bulky attack rig, which could easily be spotted unless it is kept inside a bag or another car.
However, the attack rig is not expensive. It requires a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob, an older ECU from a salvaged vehicle ($10 on eBay), and a LiPo battery ($30).
A demo video of the full attack and the attack rig is given below.
Wouters found the bug earlier this summer and reported it to Tesla's security team in mid-August. He published his findings today, after Tesla began rolling out an over-the-air software update to all Model X cars this week.
This bug has been fixed in the software update 2020.48.
Photo credits: Tesla