Gone in 120 Seconds: Flaws Enable Theft of Tesla Model XElectric Car Manufacturer is Pushing Over-the-Air Updates to Patch Software Flaws
Tesla Model X electric vehicle owners can opt to pay extra for a model with "ludicrous performance." But unfortunately, researchers have found that no matter the trim level, the Model X hasn't been providing ludicrously good security.
Indeed, with an investment of about $300, researchers from Belgium's University of Leuven - aka KU Leuven - found that they could actively clone a Tesla Model X driver's wireless key fob, and about two minutes later, drive away with the car. A demonstration video posted by the researchers also suggests such an attack could be stealthy, potentially leaving a stolen car’s owner unaware.
KU Leuven has issued a press release about the attack, but it only outlines the bare bones. A Wired report, however, provides more details, although notes that full details of the attack haven’t been released, as Tesla is in the process of deploying over-the-air updates.
We did it again: we hacked the Tesla Model X. In less than 2 minutes we can create our own key fob and drive away with your shiny car. All the building blocks are secure but there are quite some implementation weaknesses (not the first time this happens). pic.twitter.com/stS3DDqHsq— Cosic.be (@CosicBe) November 23, 2020
Call the success of the attack ironic: Tesla apparently had all of the security components in place that it would have needed to block such an exploit. But Tesla didn't correctly implement the required features, including validating firmware signatures, the researchers say.
The new research comes two years after KU Leuven researchers successfully cloned a key fob for a Tesla Model S in seconds using a relay attack. Tesla updated its software to mitigate the attack.
Firmware Signatures Need Verifying
The researchers - part of KU Leuven’s Computer Security and Industrial Cryptography, aka COSIC, group - are due to present their findings at the Real World Crypto Symposium, to be held virtually beginning on Jan. 11, 2021.
They say the attack centers on the unlocking mechanism used by a Tesla Model X. The vehicle can be unlocked in one of two ways: approaching the vehicle while carrying a wireless fob keyed to the vehicle, which communicates with the car via Bluetooth Low Energy - aka BLE; or by using a smartphone app that can communicate with the vehicle via BLE.
The fob can accept over-the-air updates to its BLE chip, and researchers say that is where the vulnerability began.
Security researchers have long warned that a firmware best practice is to always ensure that any firmware updates get digitally signed, and to have hardware processes in place that verify that the signature is legitimate. Such checks help block the potential for attackers to push rogue firmware code and surreptitiously take control of the hardware.
But the KU Leuven researchers reverse-engineered the key fob and found that Tesla was not checking the firmware’s signature to ensure that any code updates were legitimate.
Enter the researchers' proof-of-concept attack: Using a modified Body Control Module from a salvaged Tesla Model X, the researchers found that they could force a fob - which might be in a driver's pocket at the time - to wake up. To be successful, they needed to be within about 15 feet of someone in possession of a legitimate fob.
Once the fob was awake, the second stage of the attack involved pushing custom firmware onto the device, which researchers said could be done from up to 90 feet away from a fob.
“As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it,” Lennert Wouters, a doctoral student at COSIC, says in a news release. “Subsequently, we could obtain valid unlock messages to unlock the car later on.”
Unlocking a Second Flaw
More specifically, Wired reports that via their malicious firmware, the researchers were able to query a secure enclave on the fob that generates an unlock code for the car, and then to unlock the vehicle.
But researchers were able to then go one step further: By unlocking the car, they gained physical access to its diagnostic port, located near the front screen inside the vehicle. Subsequently, the researchers found another vulnerability, this time in the vehicle's Bluetooth pairing protocol. By exploiting the flaw, the researchers report that they could then match their modified fob to the car, start the vehicle, and drive it away.
The total cost to boost a Tesla Model X would be around $300. The full list of required ingredients: a Raspberry Pi computer, which costs $35; a CAN shield for $30; a LiPo battery that cost $30; a Body Control Module - the researchers obtained theirs for $100 on eBay; and a key fob to modify, which would also be available via eBay and cost around $100.
For would-be attackers with malicious intent, such an outlay wouldn't represent a poor return on investment. A Tesla Model X sport utility vehicle retails for $80,000, or close to $100,000 for models featuring enhanced trim levels, including "ludicrous performance" mode.