Researchers demonstrate serious flaws in Tesla Model X keyless entry system

Researchers at COSIC have discovered major security flaws in the keyless entry system of the Tesla Model X. The same researchers previously hacked the Tesla Model S keyless entry system and now demonstrate how the more recent Tesla Model X can be stolen in a few minutes. Tesla has already released an over-the-air software update to mitigate these issues.

The Tesla Model X key fob allows the owner to automatically unlock their car by approaching the vehicle or by pressing a button. To facilitate the integration with phone-as-key solutions, which allow a smartphone APP to unlock the car, the use of Bluetooth Low Energy (BLE) is becoming more prevalent in key fobs. The Tesla Model X key fob is no different and uses BLE to communicate with the vehicle.

Using a modified Electronic Control Unit (ECU), obtained from a salvage Tesla Model X, the team were able to wirelessly (up to 5m distance) force key fobs to advertise themselves as connectable BLE devices. By reverse-engineering the Tesla Model X key fob, they discovered that the BLE interface allows for remote updates of the software running on the BLE chip. As this update mechanism was not properly secured, they were able to wirelessly compromise a key fob and take full control over it. This allowed them to obtain valid unlock messages to unlock the car later on.

The researchers were able to pair a modified key fob to the car, thus gaining permanent access and the possibility to steal the car in just a few minutes.

With the ability to unlock the car, they could then connect to the diagnostic interface normally used by service technicians. Because of a vulnerability in the implementation of the pairing protocol, they could pair a modified key fob to the car, giving them permanent access and the possibility to steal the car and drive off with it in a few minutes.

The proof-of-concept attack was realised using a self-made device (see video) built from inexpensive equipment: a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob and ECU from a salvage vehicle ($100) and a LiPo battery ($30).

The researchers first informed Tesla of the problem on 17 August 2020. Tesla confirmed the vulnerabilities, awarded the team with a Bug Bounty and started working on security updates. As part of the 2020.48 over-the-air software update, which is currently being rolled out, a firmware update will be pushed to the key fob.

Demonstration video

/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.