A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, allowing an attacker to steal any car that is not running the latest software update.
The attack, which takes only a few minutes and requires inexpensive equipment, was carried out by Lennert Wouters, a PhD student in the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium.
This is the third Tesla hack performed by Wouters; the researcher carried out two other attacks on Tesla vehicles in 2018 and 2019, respectively.
The attack exploits a flaw in the key fob update system
In a post published today, Wouters said that this third attack is made possible by a flaw in the firmware update process of Tesla Model X key fobs.
The flaw can be exploited using an electronic control unit (ECU) from an older Model X vehicle, which can easily be purchased online on sites like eBay or from stores and forums that sell used Tesla car parts.
Wouters said attackers could modify the older ECU to trick a victim's key fob into believing that the ECU belongs to its paired vehicle, and then push a malicious firmware update to the key fob via the BLE (Bluetooth Low Energy) protocol.
The steps of the attack are described below:
- The attacker approaches the owner of the Tesla Model X vehicle. The attacker must get within 5 meters of the victim to allow the modified older ECU to "wake up" and ensnare the victim's key fob.
- The attacker then pushes the malicious firmware update to the victim's key fob. This part takes about 1.5 minutes to run, but the range is up to 30 meters, allowing the attacker to move away from the Tesla owner.
- Once the key fob has been compromised, the attacker extracts various "car unlock messages" from it.
- The attacker uses these unlock messages to enter the victim's car.
- The attacker connects the older ECU to the "diagnostics connector" of the hacked Tesla, which is normally used by Tesla technicians for car maintenance.
- The attacker uses this connector to pair their own key fob with the car, and later uses that fob to start the vehicle. Execution of this part takes only a short time.
Wouters said he discovered the bug over the summer and reported it to Tesla Security in mid-August.
The researcher published his findings today after Tesla this week released a software update for all Model X cars. The software update in which this flaw has been corrected is 2020.48, according to Wouters.