Collin Arocho
24 November 2020

The Imec Cosic research group at KU Leuven, which previously hacked the keyless entry system of Tesla’s Model S, has now added the EV automaker’s Model X to its list. The group has pinpointed two security flaws in the new model’s keyless entry system and has detailed and demonstrated how the Model X, which is priced over 100,000 dollars, can be stolen in just a few minutes by hacking into the Tesla fob’s Bluetooth Low Energy (BLE) protocol.

Credit: Tesla

The Tesla Model X key fob uses BLE to let the owner unlock the car automatically by approaching it or by pressing a button on the fob. Using a modified electronic control unit (ECU) obtained from a salvage Model X, the Cosic team wirelessly forced Tesla key fobs within about 5 meters to advertise themselves as connectable BLE devices. By reverse-engineering the fob, the researchers found that this BLE interface also allows remote updates of the software running on the fob's BLE chip. Because that update mechanism was not properly secured, the team could push their own code to the fob and take full control of it, which yielded a valid unlock message for the car. Once the car was unlocked, the team connected to the diagnostic interface normally used by service technicians. A vulnerability in the implementation of the pairing protocol then allowed them to pair a modified key fob of their own to the car, giving them permanent access and the ability to drive off with it.
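The security-relevant point of the first flaw is that a firmware-update interface reachable over radio flashed whatever image it was sent. The example below is added here to illustrate that failure mode and the fix; it is not Tesla's or COSIC's code, and the frame layout, key, image contents and class names are all constructed for the example. It models a fob that flashes any well-formed update frame beside one that authenticates the frame and refuses downgrades before touching flash.

```python
"""Illustrative fob firmware-update check (added example, not Tesla's or COSIC's code).

Models the point of the attack: an update interface that flashes whatever
image it receives versus one that authenticates the image before flashing.
All keys, frame layout and images below are constructed for the example.
"""
import hashlib
import hmac
import struct

# Constructed: 32-byte update-authentication key provisioned into the fob.
FOB_UPDATE_KEY = bytes(range(32))

HEADER = struct.Struct(">HI")   # firmware version (u16), image length (u32)
TAG_LEN = 32                    # HMAC-SHA256 tag


def build_update(version: int, image: bytes, key: bytes) -> bytes:
    """Vendor side: header || image || HMAC-SHA256(key, header || image)."""
    body = HEADER.pack(version, len(image)) + image
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Fob:
    def __init__(self, key: bytes, version: int = 1):
        self.key = key
        self.version = version
        self.flash = b"\x00" * 64

    def install_update_unchecked(self, frame: bytes) -> bool:
        """Vulnerable: any well-formed frame is flashed, whoever sent it."""
        version, length = HEADER.unpack_from(frame)
        image = frame[HEADER.size:HEADER.size + length]
        if len(image) != length:
            return False
        self.flash, self.version = image, version
        return True

    def install_update_verified(self, frame: bytes) -> bool:
        """Hardened: authenticate the whole frame first, then refuse downgrades."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False
        version, length = HEADER.unpack_from(body)
        image = body[HEADER.size:]
        if len(image) != length or version <= self.version:
            return False   # truncated/padded body, or replay/rollback
        self.flash, self.version = image, version
        return True


# Constructed images: the vendor's, and an attacker's that would leak unlock messages.
GENUINE_IMAGE = b"vendor firmware v2"
MALICIOUS_IMAGE = b"attacker firmware: dump unlock tokens over BLE"


def demo() -> dict:
    genuine = build_update(2, GENUINE_IMAGE, FOB_UPDATE_KEY)
    # The attacker does not hold the key, so the tag field is just filler.
    forged = HEADER.pack(2, len(MALICIOUS_IMAGE)) + MALICIOUS_IMAGE + b"\x00" * TAG_LEN

    weak = Fob(FOB_UPDATE_KEY)
    strong = Fob(FOB_UPDATE_KEY)
    return {
        "weak_accepts_forged": weak.install_update_unchecked(forged),
        "strong_rejects_forged": not strong.install_update_verified(forged),
        "strong_accepts_genuine": strong.install_update_verified(genuine),
        "strong_rejects_replay": not strong.install_update_verified(genuine),
        "strong_flash": strong.flash,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two caveats on the design. First, this model keeps a symmetric key on the fob, so the verification key is also the signing key: extracting it from one fob by the same kind of reverse engineering described above would let an attacker sign updates for every fob. A deployed design would sign images with an asymmetric key and ship only the public half on the fob. Second, authenticating updates closes only the first flaw; the second flaw, pairing an attacker's fob through the diagnostic interface, needs the car to authenticate the fob during pairing and is not addressed by anything on the fob side.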