Belgian researchers found a way to clone the Tesla Model S car's key fob
Tesla is a well-known and innovative automotive maker that employs sophisticated security measures to protect users from digital attacks. Despite all the precautionary measures used by the highly trained security engineers hired by the company, a team of Belgian researchers found a way to hack into the luxury Tesla Model S.
Security experts from Computer Security and Industrial Cryptography (COSIC) at KU Leuven University exposed weaknesses in the encryption used in the wireless key fob. They confirmed that the hack would only take a couple of seconds to complete and would only require computing and radio equipment worth $600. Considering that the Model S costs between $68,000 and $135,000, it is not a bad deal for criminals.
One of the academic hackers, Lennert Wouters, said:
Today it’s very easy for us to clone these key fobs in a matter of seconds. We can completely impersonate the key fob and open and drive the vehicle.
Tesla used a weak 40-bit cipher for the data encryption on the key fob
The Passive Keyless Entry and Start (PKES) system allows the owner of the car to unlock and start it remotely if the key fob is in its proximity. Tesla Model S key fobs send out a signal to the vehicle, allowing access.
It turned out that Tesla uses a keyless entry system made by the manufacturer Pektron, which uses a weak 40-bit cipher to encrypt the codes used by the vehicle. It took security experts from KU Leuven nine months to produce a six-terabyte table with all possible key combinations. They then used Yard Stick One and Proxmark radios, as well as a Raspberry Pi mini-computer, to acquire the two codes needed.
With all the preparations ready, the researchers demonstrated the complete process in a YouTube video. It shows that all hackers have to do is retrieve the car identifier (which takes 1 second) and download the key file from the person with the key fob. As soon as that is done, criminals can open the doors, sit down and comfortably drive off.
Tesla rewarded the researchers with a $10,000 “bug bounty”
According to the security team, the whole process is possible due to Pektron's weak encryption. Researchers alerted the company in August 2017, but the bug was not fixed until June 2018, when the PIN code feature was added as well.
The industry giant acknowledged the researchers' work and awarded them a $10,000 “bounty,” along with adding their names to its Hall of Fame. However, before any changes could be made, Tesla had to verify, test and integrate the change into the manufacturing process. The company worked with its supplier to change the key fob encryption process to make it more secure; thus, vehicles that have been manufactured after June should be immune to the vulnerability.
Owners of insecure cars that were manufactured prior to the change can exchange their key fob for the newer version for free. Additionally, owners of the Model S are urged to add the PIN feature to prevent unauthorized entry to the car. While it might be an annoying experience for some, it is worth the time, considering that the extra seconds can protect against car theft.
Unfortunately, not only Tesla car owners are affected by the hack. According to researchers, McLaren, Karma, and Triumph use the same systems but chose to ignore the warnings.