Tesla has taken plenty of innovative steps to protect the driving systems of its kitted-out cars against digital attacks. It's hired top-notch security technologists, pushed over-the-internet software updates, and added code integrity checks. But one team of academic hackers has now found that Tesla left its Model S vehicles accessible to a far more straightforward form of hacking: stealthily cloning the car's key fob in seconds, opening the car door, and driving away.
A team of researchers at the KU Leuven university in Belgium on Monday plan to present a paper at the Cryptographic Hardware and Embedded Systems conference in Amsterdam, exposing a technique for defeating the encryption used in the wireless key fobs of Tesla's Model S luxury sedans. With about $600 in radio and computing equipment, they can wirelessly read signals from a nearby Tesla owner's fob. Less than two seconds of computation yields the fob's cryptographic key, allowing them to steal the associated auto without a trace. “Today it’s very easy for us to clone these key fobs in a matter of seconds,” says Lennert Wouters, one of the KU Leuven researchers. “We can totally impersonate the key fob and open and drive the vehicle.”
Just two weeks ago, Tesla rolled out new antitheft features for the Model S that include the ability to set a PIN code that someone must enter on the dashboard display to drive the car. Tesla also says that Model S units sold after June of this year aren't vulnerable to the attack, due to upgraded key fob encryption that it implemented in response to the KU Leuven research. But if owners of a Model S fabricated before then don't turn on that PIN–or don't pay to replace their key fob with the more strongly encrypted version–the researchers say they're still vulnerable to their key-cloning method.
Keys to the Kingdom
Like most automotive keyless entry systems, Tesla Model S key fobs send an encrypted code, based on a secret cryptographic key, to a car's radios to trigger it to unlock and disable its immobilizer, letting the car's engine start. After nine months of on-and-off reverse engineering work, the KU Leuven team discovered in the summer of 2017 that the Tesla Model S keyless entry system, built by a manufacturer called Pektron, used only a weak 40-bit cipher to encrypt those key fob codes.