A security researcher from Belgium has recently exploited two vulnerabilities in the Tesla Model X’s keyless entry system, allowing him to unlock and steal the vehicle in just a couple of minutes.
According to Lennert Wouters, all he needed to break into the Model X were several hundred dollars’ worth of supplies bought from eBay, including a Bluetooth radio and a second-hand Tesla computer.
During his research at KU Leuven University, Wouters discovered a series of security vulnerabilities in the Model X and its keyless entry fob that could be exploited by a tech-savvy car thief who managed to read the vehicle identification number (VIN) and lift a code residing in the owner’s key fob.
After unlocking the vehicle using a spoofed signal, the researcher could plug in the control module bought off eBay and pair his key fob with no additional verification from the Model X dashboard.
“Basically, a combination of two vulnerabilities allows a hacker to steal a Model X in a few minutes’ time,” Wouters said in an interview with Wired Magazine. “When you combine them, you get a much more powerful attack.”
“Using a modified Electronic Control Unit (ECU), obtained from a salvage Tesla Model X, we were able to wirelessly (up to 5m distance) force key fobs to advertise themselves as connectable BLE devices,” the researcher said. “By reverse engineering the Tesla Model X key fob, we discovered that the BLE interface allows for remote updates of the software running on the BLE chip. As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it. Subsequently we could obtain valid unlock messages to unlock the car later on.”
Although no evidence indicates that Wouters’ method has ever been used in any Tesla car heists, thieves have leveraged vulnerabilities in Tesla’s keyless entry system in the past.
The researcher reported his findings to the renowned electric-car manufacturer in mid-August. Tesla is now rolling out an over-the-air security update to prevent opportunistic thieves from attempting such attacks.