Researchers hack Tesla keyless entry to steal car

Electric vehicle company Tesla has paid a bug bounty to Belgian researchers who showed it was possible to exploit two vulnerabilities in the Model X keyless entry system to steal the car.

The researchers KU Leuven and imec in Belgium devised a somewhat elaborate multi-step attack on the car's keyless entry system that uses the Bluetooth low energy (BLE) wireless protocol to communicate with the vehicle and the Tesla smartphone app to control the car.

They used a salvaged Tesla Model X electronic control unit obtained on eBay for US$100 to wake up key fobs for targeted vehicles, and force them to go into connectable BLE device mode within five metres of the device.

Furtheremore, the researchers had reverse engineered a Tesla key fob and found its over the air software update system was not properly secured, which meant malicious code could be pushed onto the device at a distance of 30 metres or more to compromise it.

Compromising the target key fob with malicious software took 15 minutes. 

Aftewards, the researchers were able to capture door unlock codes from the device and gain entry to the Model X.

Using a homebrew Raspberry Pi computer costing US$35 to control the hacked ECU for stealing the codes, and to access the Model X diagnostics system via the Controller Area Network (CAN) connector, the researchers were able to pair their own modified key fob with the car, start it, and drive off with the vehicle.

Tesla was notified of the vulnerabilities in August this year and has pushed out an over-the-air update to secure the keyless entry system as part of the version 2020.48 car software.