A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, allowing him to steal any car that isn't running on the latest software update.
The attack, which only takes a few minutes to execute and requires inexpensive gear, was put together by Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium.
This is Wouters' third Tesla hack in as many years, with the researcher publishing two other Tesla attacks in 2018 and 2019, respectively.
According to a report published today, Wouters said this third attack works because of a flaw in the firmware update process of Tesla Model X key fobs.
The flaw can be exploited using an electronic control unit (ECU) salvaged from an older Model X vehicle, which can be easily acquired online on sites like eBay or any stores or forums selling used Tesla car parts.
Wouters said attackers can modify the older ECU to trick a victim's key fob into believing the ECU belonged to its paired vehicle and then push a malicious firmware update to the key fob via the BLE (Bluetooth Low Energy) protocol.
"As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it," Wouters said. "Subsequently we could obtain valid unlock messages to unlock the car later on."
The steps of the attack are detailed below:
The only downside of this attack is the relatively bulky attack rig, which would be easy to spot unless concealed inside a backpack, bag, or another car.
Nonetheless, the attack rig isn't expensive, requiring a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob, an older ECU from a salvaged vehicle ($100 on eBay), and a LiPo battery ($30).
Below is also a video showing all the attack steps and the attack rig.
Wouters said he discovered the bug earlier this summer and reported it to Tesla's security team in mid-August.
The researcher published his findings today after Tesla began rolling out an over-the-air software update to all its Model X cars this week. The bug is fixed in software update 2020.48, according to Wouters.