Information Security Specialist Showed How to Steal a Tesla Car


Sultan Qasim Khan, a security consultant at NCC Group, has disclosed a vulnerability that allows attackers to get inside a Tesla car and steal it.

The vulnerability involves redirecting the communication between the Tesla owner’s smartphone or key fob and the car itself.

During the demonstration, the specialist used two small repeaters purchased for $100 from a regular online store and a laptop with special software.

An attacker can approach any Tesla car parked on the street, place the necessary equipment and carry out an attack if the phone or key fob of the owner of the car is at home. As soon as the repeater is installed next to the key fob or phone, the attacker will be able to send commands to them from anywhere in the world, Khan said in an interview with Bloomberg.

The vulnerability is unique to specific Tesla models – Bloomberg highlighted the Model 3 and Model Y.


Let me remind you that we wrote that “Researchers made Tesla’s autopilot work without a driver,” and also that “Teen gets remote access to 25 Tesla cars.”

It is not yet clear if the vulnerability shown by Sultan Qasim Khan has been used to steal electric cars in the past.

According to Sultan Qasim Khan, to fix this bug the automaker will need to change its hardware and its keyless entry system. Khan said that he had informed Tesla about the vulnerability, but in their response company representatives called the problem not significant enough to make the necessary hardware changes.

The connection between the smartphone or key fob and the car is established using Bluetooth Low Energy (BLE) technology. According to Khan, this protocol has been used by hackers in the past to gain access to phones and laptops. The vulnerability shows that hackers can easily exploit smart home devices and even cars.

Luckily, Tesla has “PIN to Drive,” a password-protected ignition lock that can protect the car from thieves. However, it is not known how many electric car owners use this feature.

Kwikset Corp.’s Kevo smart locks that use keyless systems with iPhone or Android phones are affected by the same issue, Sultan Qasim Khan also said.

Kwikset, for its part, said that customers who use an iPhone to access the lock can enable two-factor authentication in the lock app. A Kwikset spokesperson also added that iPhone-controlled locks have a 30-second timeout to help protect against intrusion. Kwikset will update its Android app “during the summer,” the company said.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
