Information security specialist Lennert Wouters from the Catholic University of Leuven showed how to steal a Tesla Model X. He discovered a bug that allowed hacking and changing the firmware of the Tesla Model X smart key fob. As a result, this attack made it possible to steal someone else’s car in a few minutes.
The new attack works thanks to a bug found in the process of updating the firmware of Tesla Model X key fobs. The vulnerability can be exploited using an old ECU (electronic control unit) left over from another Model X. Such an ECU can be easily purchased online, including on eBay or in stores that specialize in selling used Tesla parts.
Wouters writes that attackers can modify the old ECU in such a way as to trick the victim’s key fob into believing that it is connecting to a paired vehicle. After that, all that remains is to send a malicious firmware update to the key fob via BLE (Bluetooth Low Energy).
As a result, the attack looks like this:
- the attacker approaches the owner of the Tesla Model X car (at least 5 meters so that the old modified ECU can catch the victim’s key fob signal);
- The attacker sends a malicious firmware update to the key fob. It will take about 1.5 minutes to complete the attack, but the hacker can move to a distance of about 30 meters, which will allow him to distance himself sufficiently from the victim and not attract attention;
- after hacking the key fob, the intruder retrieves the vehicle unlock messages;
- these unlock messages are used for breaking into the victim’s car;
- in the car, the attacker connects the old ECU to the car’s diagnostic connector (it is usually used by Tesla technicians to service the car);
- This connector is used to pair the hacker’s own key fob with the car, which will later be used to start the engine. This attack phase also takes several minutes to complete.
The only drawback of this approach is the relatively bulky hardware required for hacking. However, all equipment can be hidden in a backpack, bag or in other car.
Wouters also emphasizes that the attack does not require any expensive components. You only need: Raspberry Pi ($35) and CAN-shield ($30), modified key fob, old ECU ($100 on eBay) and LiPo battery ($30).
The researcher discovered this bug this summer and then notified Tesla engineers about the problem. The bug report was published after Tesla released a patch for all of its Model X cars last week. According to Wouters, firmware update 2020.48 corrects the issue that he discovered.
Let me remind you that I also wrote about the IS researcher, who found that the Tesla Model 3 interface is vulnerable to DoS attacks.