You know those over-the-air updates Tesla can push out? There is good news and bad news. Tesla uses the key fob's Bluetooth connection to update the fob's firmware, adding features and fixing glitches. The bad news is that an attacker can rewrite that firmware just as easily over the same Bluetooth connection, pull a valid unlock code out of the key fob, and use it to take a Model X in about two minutes.
A chain of security vulnerabilities affects the Tesla Model X. With about $300 worth of hardware and the vehicle identification number (VIN), which is visible on the dash through the windshield, it is an easy heist. The hardware fits inside a backpack and is controlled from a phone. Once the hardware has obtained an unlock code from the fob, which takes about 90 seconds, the thief can pair a new fob in under a minute and drive the car away.
“A combination of two vulnerabilities allows hackers to steal a Tesla Model X in a few minutes’ time”
“Basically a combination of two vulnerabilities allows hackers to steal a Tesla Model X in a few minutes’ time,” Lennert Wouters, a security researcher at the Belgian university KU Leuven, told Wired. He will present the work at the Real World Crypto conference in January. Wouters informed Tesla of the Bluetooth vulnerabilities this past August.
Tesla says it will begin rolling out a software update to fix the issue this week. That update addresses one part of the two-part attack. Wouters has not published the code changes or the specific hardware needed to steal a Model X. He says the root cause is that the Model X key fob does not enforce code signing on firmware updates: it never checks a cryptographic signature on the image it is given, so it cannot tell a genuine Tesla update from an attacker's.
Tesla delivers the key fob's firmware wirelessly, but the fob accepts the new image without verifying a signature from Tesla. Wouters connects his computer to a Bluetooth radio, which in turn connects to the key fob, and pushes his own rewritten firmware onto it. The modified firmware talks to the secure enclave chip inside the fob and asks it to generate an unlock command; the fob then sends that code back over Bluetooth to his computer, all in under 90 seconds.
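To make the missing check concrete, here is an added example (written for this article, not code from Tesla or from Wouters' research) contrasting a fob that flashes any well-formed image with one that first verifies an Ed25519 signature under a vendor public key burned in at manufacture. The image layout (length prefix, payload, trailing signature over the payload's SHA-256) and the use of Ed25519 are assumptions for illustration; Tesla's real format and signing scheme are not described on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an assumption for this example, not Tesla's format):
//   4-byte big-endian payload length | payload | 64-byte Ed25519 signature over SHA-256(payload)
const sigLen = ed25519.SignatureSize

var (
	ErrImageTooShort  = errors.New("firmware image too short")
	ErrLengthMismatch = errors.New("length field does not match image size")
	ErrBadSignature   = errors.New("firmware signature verification failed")
)

// buildImage frames payload and signs its digest with priv.
func buildImage(payload []byte, priv ed25519.PrivateKey) []byte {
	img := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(img, uint32(len(payload)))
	img = append(img, payload...)
	digest := sha256.Sum256(payload)
	return append(img, ed25519.Sign(priv, digest[:])...)
}

// parseImage splits an image into payload and trailing signature; it checks framing only.
func parseImage(img []byte) (payload, sig []byte, err error) {
	if len(img) < 4+sigLen {
		return nil, nil, ErrImageTooShort
	}
	n := int(binary.BigEndian.Uint32(img[:4]))
	if n != len(img)-4-sigLen {
		return nil, nil, ErrLengthMismatch
	}
	return img[4 : 4+n], img[4+n:], nil
}

// acceptUnsigned models the weakness described above: framing is checked, the
// signature bytes are ignored, so whoever can reach the fob over BLE picks its firmware.
func acceptUnsigned(img []byte) ([]byte, error) {
	payload, _, err := parseImage(img)
	return payload, err
}

// acceptSigned is the hardened path: flash only if the signature verifies under the
// vendor public key the fob already holds.
func acceptSigned(img []byte, vendorPub ed25519.PublicKey) ([]byte, error) {
	payload, sig, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(vendorPub, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// Result records which images each update path accepted.
type Result struct {
	UnsignedFlashedAttacker bool // weak fob took attacker firmware
	SignedFlashedAttacker   bool // hardened fob took attacker firmware
	SignedFlashedVendor     bool // hardened fob still takes genuine firmware
	SignedFlashedTampered   bool // hardened fob took a genuine image with one bit flipped
}

// Scenario runs both paths against a vendor-signed image, an image signed with an
// attacker-generated key, and a bit-flipped copy of the genuine image.
// The payload strings are constructed samples, not real firmware.
func Scenario() (Result, error) {
	var r Result
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker never has vendorPriv
	if err != nil {
		return r, err
	}
	const genuinePayload = "fob-fw v2 (constructed sample)"
	const maliciousPayload = "fob-fw: dump unlock code over BLE (constructed sample)"

	genuine := buildImage([]byte(genuinePayload), vendorPriv)
	malicious := buildImage([]byte(maliciousPayload), attackerPriv)
	tampered := append([]byte(nil), genuine...)
	tampered[4] ^= 0x01 // first payload byte; signature left untouched

	if p, err := acceptUnsigned(malicious); err == nil && string(p) == maliciousPayload {
		r.UnsignedFlashedAttacker = true
	}
	if _, err := acceptSigned(malicious, vendorPub); err == nil {
		r.SignedFlashedAttacker = true
	}
	if p, err := acceptSigned(genuine, vendorPub); err == nil && string(p) == genuinePayload {
		r.SignedFlashedVendor = true
	}
	if _, err := acceptSigned(tampered, vendorPub); err == nil {
		r.SignedFlashedTampered = true
	}
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The vulnerable path accepts the attacker's image because nothing ties the image to a key the attacker lacks; the hardened path rejects both a foreign-key signature and a single flipped bit in a genuine image, while still accepting the vendor's own update. Signature checking on the fob closes the firmware-rewrite step; as the article notes, it is only one of the two parts of the attack.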
Thieves normally use relay attacks to extend the reach of the key fob's signal
Thieves have had their eye on Teslas because of how easily they can be stolen, but they normally use relay attacks that extend the reach of the key fob's signal: one relay unit is placed near the fob and another near the car, so the car believes the fob is right beside it. Then it is a simple matter of unlocking the car and starting it up. For this to work, the fob inside the house has to be close enough to the driveway for the thief's relay to pick it up.
In Wouters’s hypothetical heist, the last five digits of the VIN are what the fob uses to recognise its own car. A body control module (BCM) bought off eBay is reprogrammed with the target car's VIN digits so that it impersonates the target vehicle's BCM. The fob then believes it is talking to its own car's BCM, which lets the bootleg BCM command the fob to wake up.
Once inside the car, the thief plugs a computer into a port under the dash display and sends commands over the car's CAN bus. Through that connection he can register a bootleg fob with the vehicle and drive it away. “The system has everything it needs to be secure,” Wouters says. “And then there are a few small mistakes that allow me to circumvent all of the security measures.”