A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, allowing him to steal any car that isn't running on the latest software update.
The attack, which only takes a few minutes to execute and requires inexpensive gear, was put together by Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium.
This is Wouters' third Tesla hack in as many years, with the researcher publishing two other Tesla attacks in 2018 and 2019, respectively.
Attack exploits bug in key fob update system
According to a report published today, Wouters said this third attack works because of a flaw in the firmware update process of Tesla Model X key fobs.
The flaw can be exploited using an electronic control unit (ECU) salvaged from an older Model X vehicle, which can be easily acquired online on sites like eBay or any stores or forums selling used Tesla car parts.
Wouters said attackers can modify the older ECU to trick a victim's key fob into believing the ECU belonged to its paired vehicle and then push a malicious firmware update to the key fob via the BLE (Bluetooth Low Energy) protocol.
"As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it," Wouters said. "Subsequently we could obtain valid unlock messages to unlock the car later on."
The steps of the attack are detailed below:
Attacker approaches the owner of Tesla Model X vehicle. The attacker needs to get as close as 5 meters to the victim in order to allow the older modified ECU to wake up and ensnare the victim's key fob.
The attacker then pushes the malicious firmware update to the victim's key fob. This part requires around 1.5 minutes to execute, but the range also goes up to 30 meters, allowing the attacker to distance themselves from the targeted Tesla owner.
Once a key fob has been hacked, the attacker extracts car unlock messages from the key fob.
The attacker uses these unlock messages to enter the victim's car.
The attacker connects the older ECU to the hacked Tesla car's diagnostics connector — normally used by Tesla technicians to service the car.
The attacker uses this connector to pair their own key fob to the car, which they later use to start the vehicle and drive away. This part also takes a few minutes to execute.
The only downside of this attack is the relatively bulky attack rig, which would be easy to spot unless concealed inside a backpack, bag, or another car.
Nonetheless, the attack rig isn't expensive, requiring a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob, an older ECU from a salvaged vehicle ($100 on eBay, and a LiPo battery ($30).
Below is also a video of the entire attack steps and the attack rig.
Wouters said he discovered the bug earlier this summer and reported it to Tesla's security team in mid-August.
The researcher has published his findings today after Tesla began rolling out an over-the-air software update to all its Model X cars this week. The software update where this bug has been fixed is 2020.48, according to Wouters.