A Belgian security researcher has found a vulnerability in a Tesla Model X that allowed him to steal the car via Bluetooth.
Lennert Wouters from the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven boasted to Wired about the series of security flaws he found in the Model X’s keyless entry system.
"Basically a combination of two vulnerabilities allows a hacker to steal a Model X in a few minutes' time," Wouters said.
"When you combine them, you get a much more powerful attack."
Wouters’ attack method takes advantage of Tesla’s update system on its key fobs, which connects with the car’s onboard computer via Bluetooth.
He noticed that those firmware updates lacked a cryptographic signature, allowing him to connect a Raspberry Pi directly to the key fob’s firmware, push a malicious update, and essentially ask it for the car’s unlock code.
But first he needs to trick a nearby legitimate key fob into waking up.
To do that, he bought his own Model X body control module (BCM) from eBay, into which he inputs a code printed on the target car’s windshield: its vehicle identification number.
"You end up with a BCM that thinks it belongs to the target vehicle," Wouters says.
"I can then force that BCM to instruct key fobs that have the same identifier as that car to wake up, basically."
The target fob wakes up, he pushes the malicious firmware update, takes the Tesla’s unlock codes, and can open the car.
Inside the Model X, Wouters then opens a small panel under the centre console where he can attach his computer, authenticate his spoofed key fob, and drive away.
Being a responsible security researcher, Wouters notified Tesla of his attack and said the company has begun pushing updates to its Model X cars to stop this attack from working.
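The missing control described above, a signature check on key fob firmware updates, can be sketched as follows. This is an added example, not Tesla's or the researcher's code: it uses textbook RSA with a constructed, deliberately weak demo key so it runs on the Python standard library alone, and the names `FobUpdater`, `vendor_sign` and `digest_int` are hypothetical. It goes one step beyond the article by also refusing version rollback.

```python
import hashlib

# Constructed demo key built from two Mersenne primes: trivially factorable,
# for illustration only. Real firmware signing uses a vetted library
# (Ed25519 or RSA-PSS) and a private key kept in an HSM.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public half, pinned in the fob
D = pow(E, -1, (P - 1) * (Q - 1))        # private half, vendor side only

def digest_int(version: int, image: bytes) -> int:
    """Hash version and image together so one signature covers both."""
    h = hashlib.sha256(version.to_bytes(4, "big") + image).digest()
    return int.from_bytes(h, "big")

def vendor_sign(version: int, image: bytes) -> int:
    """Vendor-side signing (textbook RSA without padding: demo only)."""
    return pow(digest_int(version, image), D, N)

class FobUpdater:
    """Hypothetical update gate running inside the key fob."""

    def __init__(self, installed_version: int):
        self.version = installed_version
        self.image = b""

    def apply(self, version: int, image: bytes, signature: int) -> str:
        # 1. Authenticate first: unsigned or modified images stop here.
        if not 0 < signature < N:
            return "rejected: bad signature"
        if pow(signature, E, N) != digest_int(version, image):
            return "rejected: bad signature"
        # 2. Only then trust the version field and refuse rollback.
        if version <= self.version:
            return "rejected: rollback"
        self.version, self.image = version, image
        return "installed"

if __name__ == "__main__":
    fob = FobUpdater(installed_version=1)
    good = b"constructed firmware v2"    # constructed sample image
    sig = vendor_sign(2, good)
    print(fob.apply(2, b"constructed modified image", sig))  # tampered image
    print(fob.apply(2, good, sig))                            # genuine update
    print(fob.apply(2, good, sig))                            # replayed update
```

Because the fob holds only the public values `N` and `E`, extracting a fob's contents does not give an attacker the ability to sign new images.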
Tesla also just issued a recall of over 9,000 2016 Model X vehicles for engineering faults.
This is not the first time Wouters has hacked a Tesla: he and his team have done it twice before on a Model S.
A similar hack was even spotted in the wild two years ago when a British tech executive woke up to find his Model S stolen.
When he checked his home’s security footage, he saw two men copy his key fob and drive away in the dead of night.
Wouters said that, despite some evidence to the contrary, he was confident in the ability of Tesla’s security engineers.
"The system has everything it needs to be secure," he said. "And then there are a few small mistakes that allow me to circumvent all of the security measures.
"They're cool cars, so they're interesting to work on, but I think if I spent as much time looking at other brands, I would probably find similar issues."
Indeed, car thieves and researchers have demonstrated similar attacks on key fobs for other luxury cars.