I’ve never been a fan of keyless entry systems in cars, especially since they appear to be highly vulnerable to being “bypassed”, as illustrated by a Tesla which was recently hacked. The news that researchers from COSIC, an imec security research group at the University of Leuven in Belgium, managed to hack the keyless entry system in a Tesla Model X, makes me wonder even more why security can’t be designed in right in the first place.
The COSIC team said they have discovered a major security flaw in the keyless entry system of the Tesla Model S; and detailed how the security measures implemented in the more recent Tesla Model X can be bypassed. They demonstrated how the battery powered Tesla Model X priced at over $100,000 US can be stolen in a few minutes. As a result of the hack, Tesla has released an over-the-air software update to mitigate these issues.
The Tesla Model X key fob allows the owner to automatically unlock their car by approaching the vehicle, or by pressing a button. To facilitate the integration with phone-as-key solutions, which allows a smartphone app to unlock the car, the use of Bluetooth Low Energy (BLE) is becoming more prevalent in key fobs. The Tesla Model X key fob is no different and uses BLE to communicate with the vehicle.
One of the PhD students at the COSIC research group, Lennert Wouters, explained the scenario: “Using a modified electronic control unit (ECU), obtained from a salvaged Tesla Model X, we were able to wirelessly (up to 5m distance) force key fobs to advertise themselves as connectable BLE devices. By reverse engineering the Tesla Model X key fob we discovered that the BLE interface allows for remote updates of the software running on the BLE chip. As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it. Subsequently we could obtain valid unlock messages to unlock the car later on.”
He added, “With the ability to unlock the car we could then connect to the diagnostic interface normally used by service technicians. Because of a vulnerability in the implementation of the pairing protocol we can pair a modified key fob to the car, providing us with permanent access and the ability to drive off with the car.”
Two weaknesses exposed using a Raspberry Pi computer
“To summarize, we can steal a Tesla Model X vehicle by first approaching a victim key fob within about 5 meters to wake up the key fob. Afterwards we can send our own software to the key fob in order to gain full control over it. This process takes 1.5 minutes but can be easily performed over a range of more than 30 meters. After compromising the key fob, we can obtain valid commands that will allow unlocking the target vehicle. After approaching the vehicle and unlocking it we can access the diagnostic connector inside the vehicle. By connecting to the diagnostic connector, we can pair a modified key fob to the car. The newly paired key fob allows us to then start the car and drive off. By exploiting these two weaknesses in the Tesla Model X keyless entry system we are thus able to steal the car in a few minutes”, said Dr. Benedikt Gierlichs, researcher at COSIC.
The proof of concept attack was realized using a self-made device built from inexpensive equipment: a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob and ECU from a salvage vehicle ($100 on eBay) and a LiPo battery ($30).
The Belgian researchers first informed Tesla of the identified issues on the 17th of August 2020. Tesla confirmed the vulnerabilities, awarded their findings with a bug bounty and started working on security updates. As part of the 2020.48 over-the-air software update, that is now being rolled out, a firmware update will be pushed to the key fob.
The COSIC (computer security and industrial cryptography) research group is part of the Department of electrical engineering at KU Leuven focused on the protection of digital information. The group develops advanced cybersecurity solutions to protect data in the cloud and in the internet of things (IoT), and to protect the privacy of users.
Its work creates new cryptographic algorithms and protocols, and it develops efficient and secure implementations in software and hardware. Researchers COSIC also create secure hardware building blocks such as true random number generators (TRNGs) and physical unclonable functions (PUFs) that uniquely identify hardware. COSIC has an evaluation lab to assess the security of embedded devices, using for example side-channel and fault attacks.
Staff from COSIC have created the global AES standard for encryption. A special AES instruction has been added to all x86 processor chips from Intel and AMD and to many Arm chips. This means that AES protects billions of laptops, mobile phones and electronic devices. On its future work, COSIC is creating novel cryptographic schemes that resist attacks on future quantum computers and efficient schemes to compute on encrypted data. Researchers from the team also develop solutions for multi-party computation (MPC), which allow mutually distrustful parties to compute information on their data sets without sharing them.
The COSIC research team is applying its knowledge to create security mechanisms for embedded systems and to build architectures that offer “security-by-design” and “privacy-by-design”. This work leads to privacy-friendly techniques for user authentication including biometrics. Application areas being studied include road-pricing, implantable medical devices, smart cars, smart grids and smart cities. In the area of privacy, the team has developed solutions for anonymous communications and for the detection of covert user tracking.
- Enhancing security of passive keyless entry with UWB technology
- Cryptographic companion chip upgrades automotive security
- NXP automotive MCUs streamline software reuse, security, assurance and OTA
- Ultra-wide band chip enables smartphone-based vehicle access
For more Embedded, subscribe to Embedded’s weekly email newsletter.