A Researcher Discovered How to Steal a Tesla Model X With This 90-Second Hack

According to Wired, the vulnerability was uncovered by Lennert Wouters, a researcher at KU Leuven who has spent the last few months dissecting the inner workings of the Tesla Model X. The specific attack vector he uncovered allows a potential attacker to emulate the Model X unlocking procedure by reading the VIN number at the bottom of the windshield and pairing it with a used Body Control Module (BCM) purchased from eBay. After unlocking the car, he was able to program his own key fob and drive off with the vehicle.

You can get a quick dramatized overview of how the attack works by watching the video below.

We've heard about security flaws in vehicles with passive keyless entry systems before; however, while this is similar to a relay attack, it's significantly more sophisticated than just elongating the signal between the car and the key.

First, Wouters obtained a used Tesla BCM from eBay—these are fairly cheap and can be obtained for under $100. Next, he physically located the Vehicle Identification Number (VIN) for the Model X which is visible from the exterior of the vehicle at the bottom of the windshield. This VIN was then used to trick the BCM into thinking it belongs to the target vehicle.

The next part of this attack is what's most similar to a relay attack: The attacker needs to be within roughly 50 feet of the target key fob. Once within range, he uses his phone to trigger the BCM to send out a signal which wakes up any nearby keyfobs belonging to the target vehicle and begins the attack.

Tesla designed its keyfobs to receive Over the Air (OTA) updates via the BCM. However, this process can only be initiated when the keyfob is first powered on, or when the BCM instructs the key to wake up. Wouters' attack vector uses the second method to begin a remote firmware update on the keyfob which enables him to access a secure chip on the device that is used to generate the unique unlock codes for the vehicle. The code is then transferred back to a small Raspberry Pi connected to the spoofed BCM via Bluetooth and can be used to enter the vehicle.

Now comes the fun part: stealing the car.

In addition to the BCM and Raspberry Pi, Wouters also added a disassembled Model X key fob to his hacking package. He connected the entire bundle of chips and wires to a harness under the Model X's center console to interface with the vehicle's CAN Bus network and tricked the car into pairing the malicious key fob with the vehicle's actual BCM. As it turns out, despite the Model X having the ability to validate certificates between the BCM and key fob, the car doesn't actually take this step and instead paired the malicious key without question. This allowed him to essentially program his own key and drive the Model X away.

The entire attack can be done stealthily, as the assembled circuitry is powered by a portable battery and can fit inside of a backpack. All interfacing can be done via a cell phone, so in theory, an attacker could find a Model X parked at a restaurant, walk into the building so that they could establish a connection with the fob, and finally unlock the car to find out where the vehicle was registered so they could return in the middle of the night and complete the theft. That's not to say that the police won't recover it later, but the possibility of having your vehicle stolen without the thief ever needing to touch the key is jarring, to say the least.

Wouters disclosed the vulnerability to Tesla back in August, allowing the automaker time to rectify the issue before he went public with the information. Tesla reportedly told Wouters that it was readying an over-the-air update to fix at least part of the vulnerability as early as this week. The code developed for the attack has not been published, though Wouters tells Wired he will present his findings at Real World Crypto in January.

Got a tip? Send us a note: tips@thedrive.com