Belgian researchers at the University of Leuven (KU Leuven) managed to hack the key of the Tesla Model X, allowing them to open the vehicle and drive off with it in just a few minutes.
The Computer Security and Industrial Cryptography (COSIC) group, an imec research group at the university, found a security issue in the keyless entry system of the Tesla Model X, showing that the battery-powered car, priced at over $100,000, can be stolen in a few minutes.
The car’s key fob (a remote-controlled key) allows the owner to automatically unlock it by approaching the vehicle, or by pressing a button, via a smartphone app using Bluetooth.
“When you press the button, the key emits signals that allow you to open the door remotely. You can also open the door without pressing the button,” researcher Bart Preneel told VRT.
To do this, the key fob uses Bluetooth Low Energy (BLE): its signals are picked up by the car and processed in the Electronic Control Unit (ECU), a device that controls the Tesla’s safety mechanism.
Preneel and his team managed to get their hands on the ECU of a Tesla Model X and were able to dissect the computer chip of the key.
“This was not easy, it took months,” Preneel said. “Such a chip is very complicated, and Tesla is not going to tell you in advance how the different components were built.”
When dissecting the chip, the team found that they could manipulate the software that makes the connection to the ECU, so that they could make the device believe that they had the right key. In the video below, a KU Leuven researcher demonstrates how stealing the car works.
“To summarize, we can steal a Tesla Model X vehicle by first approaching a victim key fob within about 5 meters to wake up the key fob,” said researcher Benedikt Gierlichs in a press release.
“Afterwards we can send our own software to the key fob to gain full control over it,” he said, adding that this process takes 1.5 minutes and can be easily performed over a range of more than 30 metres.
When the key fob has been compromised, valid commands that will allow the unlocking of the target vehicle can be obtained. Once the vehicle has been approached and unlocked, the diagnostic connector inside the vehicle can be accessed.
“That way, we can pair a modified key fob to the car. The newly paired key fob allows us to then start the car and drive off,” Gierlichs said. “By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes.”
The KU Leuven researchers informed Tesla of the security weaknesses as early as August. The company acknowledged the problems, awarded a ‘bug bounty’ reward and is now making adjustments to its system.
This is not the first time that Elon Musk’s company has been hacked by the KU Leuven researchers. The COSIC lab had already exposed some vulnerabilities in the keys of the older Model S.
“Earlier this year, we hacked millions of keys from other car companies. They felt that we could not do that and threatened expensive trials,” Preneel said. “Tesla’s reaction is completely different. It sees itself as a computer company and rewards people who manage to hack into its system.”