How to steal a Tesla Model S in seconds

An attack technique has been revealed which allows threat actors to unlock a Tesla vehicle in no time at all.
Written by Charlie Osborne, Contributing Writer

Researchers have demonstrated an attack technique which could allow criminals to unlock a Tesla Model S vehicle in only two seconds.

The problem lay in the wireless key fobs of Tesla Model S sedans. Researchers at the KU Leuven University in Belgium discovered that the fobs, which can be used to unlock vehicles, came with poor cryptographic and encryption standards.

As reported by Wired, by using roughly $600 in radio and PC equipment, the team were able to read the signals from a Tesla key fob, clone the key, open the car and drive away in no time at all.

KU Leuven researcher Lennert Wouters said the attack takes only a "matter of seconds" to perform.

According to the team, the Tesla Model S key fobs send out an encrypted signal, based on a cryptographic key, to a vehicle's radio system in order to initiate the lock/unlock process. However, the academics discovered that the fobs -- manufactured by Pektron -- only use 40-bit ciphers to encrypt messages.

In cryptographic circles, this indicates very weak encryption which is easy to crack.

The researchers were able to compute all possible keys for code pairs and created a 6TB table of possible combinations. Once codes were cloned from a nearby key fob using the radio kit, they were able to spoof keys in only 1.6 seconds, the publication reports.

The academic researchers presented their findings at the Cryptographic Hardware and Embedded Systems conference on Monday. Their findings can be found here.

The automaker was made aware of the research in August last year. After confirming the security problem, Tesla paid the academics $10,000 as a bug bounty. However, the encryption issue could not be fixed until June this year due to security patch tests and complexities in the manufacturing process.

Vehicles sold from June this year are not believed to be vulnerable.

See also: LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities

Tesla said in a statement to Wired:

"Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we've rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles."

The spokesperson added that Tesla has worked with their supplier to boost the cryptographic standards of key fobs from June, and a corresponding software update will allow owners of vehicles built prior to this month to switch to new key fobs if they so choose.

TechRepublic: Tesla's Autopilot: Cheat sheet

Earlier this month, Tesla modified its security and testing guidelines to make research into vulnerabilities impacting the automaker's products easier -- and safer -- to accomplish.

CNET: 2018 Tesla Model 3 Performance review

Under the new rules, security experts can register with the company "in good faith" to bug hunt, with their vehicles becoming "research-registered."

This will ensure Tesla will provide assistance and over-the-air (OTA) updates to cars should their software become damaged during testing.

In related news, last week a woman from Utah launched a court case against Tesla, demanding $300,000 in damages over a crash. The woman, who crashed into a fire truck, claims that her Tesla Model S's Autopilot feature "failed to engage as advertised" by not stopping before the colliding with the obstacle.

Top accessories to make your car smarter

Previous and related coverage

Editorial standards