A Belgian security researcher has found a way to overwrite and hijack the firmware of the Smart Entry system inside the key fob of the Tesla Model X, allowing any Model X that has not yet received the latest software update to be unlocked and stolen.
The attack takes only a few minutes to carry out, needs only inexpensive equipment, and was developed by Lennert Wouters, a PhD student in the Computer Security and Industrial Cryptography (COSIC) group at KU Leuven in Belgium.
According to the researcher's write-up, the attack exploits a flaw in the firmware update process of the Smart Entry system inside the Model X key: the update mechanism does not properly protect the firmware it accepts, so it can be abused with an ECU taken from an older Model X.
Such an ECU is easy to obtain online through sites such as eBay, or from any store or forum that sells used Tesla parts. “An older ECU could be modified to trick the smart entry-key system into believing the ECU belonged to its paired car and then push a malicious firmware update to it via a low-energy Bluetooth protocol,” Wouters said.
Wouters added: “Given that this update mechanism is not properly protected, we were able to wirelessly penetrate the smart entry system within the key and control it, and then obtain valid unlock messages to unlock the car later.”
The attacker first needs to come within about 5 meters of the Model X owner, so that the modified older ECU can wake up the smart entry system in the victim's key and impersonate the car it is paired with.
Once the key is awake, the attacker pushes the malicious update to the smart entry system inside it. This step takes about 1.5 minutes and works from up to 30 meters away, so the attacker can keep a distance from the owner of the target vehicle.
Once the smart entry system inside the key is compromised, the attacker extracts vehicle unlock messages from it.
The attacker uses these unlock messages to get into the victim's car and then connects the older ECU to the vehicle's diagnostic connector, the same port Tesla technicians use to service the car.
Through this connector the attacker pairs their own key to the car, then uses that key to start the car and drive away.
This step also takes only a few minutes. The one weakness of the attack is the relatively bulky attack device, which is easy to spot unless it is hidden in a backpack, a bag, or another car.
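As an added example (not code from the article or from the researcher's work), the following Python models the core flaw described above, the unprotected firmware update that the attacker pushes over BLE: a key-fob updater that accepts any image whose checksum matches, beside one that refuses images not signed by the vendor. A Lamport one-time signature over SHA-256 stands in for the ECDSA or Ed25519 a real fob would use, only so the example runs on the standard library; the `KeyFob` class, the image contents and every name here are hypothetical.

```python
import hashlib
import os
import zlib

# Added example, not code from the original article or from the researcher.
# It models the flaw the article describes: a key fob that accepts a BLE
# firmware image without authenticating who sent it, beside a fob that
# requires a vendor signature. A Lamport one-time signature over SHA-256
# stands in for the ECDSA/Ed25519 a real device would use, purely so the
# example runs on the standard library. All names here are hypothetical.


def lamport_keygen(rng=os.urandom):
    """Return (secret_key, public_key). A Lamport secret key may sign ONE message only."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    """The 256 bits of a SHA-256 digest, most significant first."""
    n = int.from_bytes(digest, "big")
    return [(n >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal, for each digest bit, the matching secret preimage (8192-byte signature)."""
    d = hashlib.sha256(msg).digest()
    return b"".join(sk[i][b] for i, b in enumerate(_bits(d)))


def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    """Each revealed preimage must hash to the public value selected by that digest bit."""
    if len(sig) != 256 * 32:
        return False
    d = hashlib.sha256(msg).digest()
    for i, b in enumerate(_bits(d)):
        if hashlib.sha256(sig[32 * i:32 * i + 32]).digest() != pk[i][b]:
            return False
    return True


class KeyFob:
    """Toy BLE key fob holding a firmware image and the vendor's public key."""

    def __init__(self, vendor_pk, firmware=b"vendor-fw-v1"):
        self.vendor_pk = vendor_pk
        self.firmware = firmware

    def apply_update_unauthenticated(self, image: bytes, crc: int) -> bool:
        # Weak design: only an integrity checksum. A CRC proves nothing about
        # origin, since whoever pushes the image can compute it, so a modified
        # ECU impersonating the car can flash whatever it likes.
        if zlib.crc32(image) != crc:
            return False
        self.firmware = image
        return True

    def apply_update_signed(self, image: bytes, sig: bytes) -> bool:
        # Hardened design: refuse anything not signed by the vendor key baked
        # into the fob. The BLE channel is treated as untrusted either way.
        if not lamport_verify(self.vendor_pk, image, sig):
            return False
        self.firmware = image
        return True


def run_scenario() -> dict:
    """Push a malicious image (as the modified ECU would) at both fob designs."""
    vendor_sk, vendor_pk = lamport_keygen()
    malicious = b"attacker-fw: dump unlock messages over BLE"  # constructed image
    legit = b"vendor-fw-v2"                                    # constructed image

    weak = KeyFob(vendor_pk)
    strong = KeyFob(vendor_pk)

    # Attacker can always compute a CRC, so the weak fob is taken over.
    weak_takeover = weak.apply_update_unauthenticated(malicious, zlib.crc32(malicious))
    # Attacker has no vendor key; a forged signature is rejected.
    strong_takeover = strong.apply_update_signed(malicious, os.urandom(256 * 32))
    # The vendor signs exactly once with this one-time key.
    legit_sig = lamport_sign(vendor_sk, legit)
    legit_ok = strong.apply_update_signed(legit, legit_sig)
    # A single bit flipped in a signed image must also be rejected.
    tampered = bytearray(legit)
    tampered[0] ^= 1
    tamper_ok = strong.apply_update_signed(bytes(tampered), legit_sig)

    return {
        "weak_fob_took_malicious": weak_takeover,
        "signed_fob_took_malicious": strong_takeover,
        "signed_fob_took_vendor": legit_ok,
        "signed_fob_took_tampered": tamper_ok,
        "weak_firmware": weak.firmware,
        "signed_firmware": strong.firmware,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v!r}")
```

The point of the pairing is that an integrity check is not an authenticity check: a CRC or plain hash only tells the fob the image arrived intact, not who sent it, which is exactly what an impersonating ECU exploits. A production fob would use ECDSA or Ed25519 rather than a one-time Lamport key, and a signed image should also carry a version number the fob checks to stop a valid but older, vulnerable image from being re-flashed.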