Belgian researchers at the KU Leuven in Belgium have examined the key system of the Tesla Model X and found two weaknesses that could allow an attacker to steal the fully functional car within a very short time. Tesla will fix the problem with a software update. Owners should ensure that the update 2020. 48 is installed correctly in the next few days.

Tesla’s Model X uses Bluetooth Low Energy as the radio transmission protocol for the locking system. However, the implementation is flawed. With a modified Body Control Module (BCM, where Tesla’s locking system is located), the research team was able to wake up someone else’s key from the junkyard. To do this, the attacker only has to come close to the key, around five meters. A weak point allows the Bluetooth chip to be updated with new, incorrect firmware. Modified in this way, the keyfob issues a cryptographic one-time token with which the attacker can open the car.

Second weak point: learning the key In the open vehicle, the attacker connects a Raspberry Pi to the diagnostic interface. Due to a second weak point in the locking system, he can now learn his own, foreign key. With this he has full access to the vehicle and can now drive away. The owner doesn’t notice anything. The attack also works, for example, when the owner is at home – as long as the key is within reach.

The researchers used a Raspberry Pi with CAN shield for access to the diagnostic interface, a lithium -Battery for mobile power supply, a modified key for opening and training and a BCM control unit that flashes the attacked key. The hardware costs around 170 euros including a used BCM from Ebay (around 90 euros). Tesla paid a bug bounty of 5500 US dollars as a reward.

(cgl)