This Bluetooth Attack Can Steal a Tesla Model X in Minutes
#1
https://www.wired.com/story/tesla-model-...bluetooth/
ANDY GREENBERG, SECURITY, 11.23.2020 07:00 AM
The company is rolling out a patch for the vulnerabilities, which allowed one researcher to break into a car in 90 seconds and drive away.

Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update: A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.

Lennert Wouters, a security researcher at Belgian university KU Leuven, today revealed a collection of security vulnerabilities he found in both Tesla Model X cars and their keyless entry fobs. He discovered that those combined vulnerabilities could be exploited by any car thief who manages to read a car's vehicle identification number—usually visible on a car's dashboard through the windshield—and also come within roughly 15 feet of the victim's key fob. The hardware kit necessary to pull off the heist cost Wouters around $300, fits inside a backpack, and is controlled from the thief's phone. In just 90 seconds, the hardware can extract a radio code that unlocks the owner's Model X. Once the car thief is inside, a second, distinct vulnerability Wouters found would allow the thief to pair their own key fob with the victim's vehicle after a minute's work and drive the car away.

"Basically a combination of two vulnerabilities allows a hacker to steal a Model X in a few minutes time," says Wouters, who plans to present his findings at the Real World Crypto conference in January. "When you combine them, you get a much more powerful attack."

Wouters says he warned Tesla about his Model X keyless entry hacking technique in August. He says the company has told him it plans to start rolling out a software update to its key fobs this week—and possibly components of its cars too—to prevent at least one step in his two-part attack. WIRED also reached out to Tesla to learn more about its software fix, but the company didn't respond. (Tesla dissolved its press relations team in October.) Tesla told Wouters that the patch may take close to a month to roll out across all of its vulnerable vehicles, so Model X owners should be sure to install any updates Tesla makes available to them over the coming weeks to prevent the hack. In the meantime, the Belgian researcher says he's been careful not to publish any of the code or reveal technical details that would enable car thieves to pull off his tricks.

Wouters' technique takes advantage of a collection of security issues he discovered in the Model X's keyless entry system—both major and minor—that together add up to a method to fully unlock, start, and steal a vehicle. First, the Model X key fobs lack what's known as "code signing" for their firmware updates. Tesla designed its Model X key fobs to receive over-the-air firmware updates via Bluetooth by wirelessly connecting to the computer inside a Model X, but without confirming that the new firmware code has an unforgeable cryptographic signature from Tesla. Wouters found that he could use his own computer with a Bluetooth radio to connect to a target Model X's key fob, rewrite the firmware, and use it to query the secure enclave chip inside the fob that generates an unlock code for the vehicle. He could then send that code back to his own computer via Bluetooth. The whole process took 90 seconds.

At first, Wouters found that establishing the Bluetooth connection wasn't so easy. The Model X key fob's Bluetooth radio only "wakes up" for a few seconds when the fob's battery is removed and then put back in. But Wouters discovered that the computer inside the Model X responsible for the keyless entry system, a component known as the body control module (BCM), can also perform that Bluetooth wake-up command. By buying his own Model X BCM on eBay—where they go for $50 to $100—Wouters could spoof the low-frequency radio signal sent to the key fob. (While that initial wake-up command has to be sent from close radio range—about 15 meters—the rest of the firmware update trick can be carried out from hundreds of feet away if the victim is outdoors.)
Reply
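
The control the article says the fobs lacked, shown as an added example that is not part of the original post and is not code from Wired, the researcher or Tesla: a device-side check that refuses any firmware image without a valid Ed25519 signature from a pinned vendor key. The image layout, the `FOB1` magic and the function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an assumption, not Tesla's format):
// "FOB1" | version u32 | payload length u32 | payload | 64-byte Ed25519 signature
const headerLen = 12
var errRejected = errors.New("update rejected")

// VerifyUpdate returns the payload only when the signature over header+payload
// verifies against the vendor public key pinned in the device.
func VerifyUpdate(vendorKey ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize || !bytes.Equal(image[:4], []byte("FOB1")) {
		return nil, fmt.Errorf("%w: malformed image", errRejected)
	}
	n := int(binary.BigEndian.Uint32(image[8:12]))
	if n != len(image)-headerLen-ed25519.SignatureSize {
		return nil, fmt.Errorf("%w: length mismatch", errRejected)
	}
	signed, sig := image[:headerLen+n], image[headerLen+n:]
	if !ed25519.Verify(vendorKey, signed, sig) {
		return nil, fmt.Errorf("%w: bad signature", errRejected)
	}
	return signed[headerLen:], nil
}

// BuildImage is the vendor-side signing step, included so the example runs offline.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := append([]byte("FOB1"), make([]byte, 8)...)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed test key pair
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	_, err := VerifyUpdate(pub, img)
	fmt.Println("vendor-signed image:", err)
	img[headerLen] ^= 0xff // one payload byte altered in transit
	_, err = VerifyUpdate(pub, img)
	fmt.Println("tampered image:", err)
}
```

Because the signature covers the header as well as the payload, changing the version or length field invalidates the image just as a payload change does.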

