Researchers from KU Leuven have discovered vulnerabilities in the Tesla Model X's door release. These make it possible to take control of a Model X's wireless keys. Tesla has now fixed the vulnerabilities.
Researchers from Cosic, an imec research group at the University of Leuven, informed Tesla on August 17, 2020 that they had discovered the vulnerabilities. The vulnerabilities allowed the researchers to unlock a Tesla Model X and drive away. Among other things, they used a modified key fob and an electronic control unit (ECU), which the researchers bought on eBay.
With this ECU, the researchers said they could force a Model X key fob to present itself as a connectable Bluetooth device. This allowed these wireless keys to be updated remotely. “Because this update mechanism was not properly secured, we were able to compromise a key fob remotely and take full control of it,” the researchers write.
Cosic also developed a proof-of-concept attack. The researchers report that they could steal a Tesla Model X by first coming within five meters of the victim's key fob with an ECU, which activates it. After that, they can send their own software to this key via Bluetooth to gain full control over it, the researchers write. “This process takes a minute and a half, but can easily be performed at a distance of more than 30 meters.”
After this is done, the researchers can receive “valid commands” that will unlock the Model X in question. The researchers could then add their own key fob to the Model X and drive away.
For the proof of concept, in addition to the ECU and key fob, the researchers used a Raspberry Pi, a CAN shield and a lithium-ion polymer battery. All parts together cost about $195, Cosic reports. Tesla has fixed the vulnerabilities in update 2020.48, which is currently being rolled out for the Model X. Tesla has awarded the researchers a bug bounty, but the amount is unknown. Cosic previously cloned the keys to a Tesla Model S.