He identified a serious vulnerability in the keyless entry system that allowed criminals to bypass the onboard security system of a vehicle costing approximately $100,000.
The Tesla Model X key fob allows owners to automatically unlock the electric vehicle when they approach it or press a button, using Bluetooth Low Energy (BLE) to exchange data between the car and a smartphone app. Wouters, a Ph.D. student at the Computer Security and Industrial Cryptography (Cosic) Research Group at the University of Leuven, developed a way to hack this circuit. For a practical proof of concept, he used a single-board Raspberry Pi microcomputer, a modified key fob, an engine control unit (ECU) from a decommissioned Model X, and other components, for a total of $195.
“Through reverse engineering of the Tesla Model X key fob, we found that the BLE interface allows remote software updates running on the BLE chip. Since this update mechanism was not properly secured, we could hack the key fob wirelessly and take full control of it. Subsequently, we could receive genuine unlock messages to unlock the car later,” is how Wouters describes the essence of the project.
To exploit this vulnerability, the hijacker only needs to come within about 5 meters of the victim to activate the key fob, send his software to it, and gain complete control. This process is said to take one and a half minutes. The thief can then receive genuine commands to unlock the car. After gaining access to the on-board diagnostic connector, he can pair the modified key fob with the electric vehicle, start the car, and drive away.
This is the third time that Wouters has successfully hacked a Tesla vehicle using a keyless entry key fob. In previous cases, he was able to “clone” the device.