Tesla's Keyless Entry Duped by Cloned Fobs

Credit: Tesla

Tesla is having a bad week. Shortly after founder Elon Musk smoked marijuana on video during Joe Rogan's podcast, two senior executives left the company, which was followed by a six percent drop in its share price. Musk later tweeted about Tesla canceling two color options for its vehicles to "simplify manufacturing," an increasingly contentious problem as Tesla continually fails to deliver cars on time. Now there's even more bad news: Belgian researchers have discovered serious vulnerabilities in the Passive Keyless Entry and Start (PKES) system used by the Tesla Model S.

The Computer Security and Industrial Cryptography (COSIC) research group said the problem likely isn't limited to vehicles made by Tesla. It discovered the vulnerabilities in a PKES system made by a company named Pektron, so even though it's only confirmed that its attack works on the Model S, odds are good that vehicles from other manufacturers that use Pektron's systems are also vulnerable to compromise (it probably isn't particularly easy to convince auto companies to lend you a car so you can publicly expose critical vulnerabilities in their systems).

COSIC explained:

"According to the Federal Communication Commission (FCC) equipment authorization database, Pektron also designed keyless entry solutions for manufacturers such as McLaren, Karma and Triumph. The internal pictures included in the FCC database show that all these systems use the same Texas Instruments TMS37F128 chip. This leads us to believe that the attack described here also affects the other manufacturers."

How It Works

At its most basic level, the attack allows someone to clone a key fob. COSIC examined how the key fob communicates with the vehicle, designed a Time-Memory Trade-Off (TMTO) attack, then used it to gain access to the vehicle. Once that was done, the researchers found a practical way to compromise a vehicle using this PKES system with a Raspberry Pi 3 Model B+ (tethered to a smartphone's hotspot so it could reach a 6TB drive holding the TMTO tables), a Proxmark3, a Yard Stick One and a USB battery pack.

None of that equipment is particularly expensive. The Raspberry Pi 3 Model B+ costs around $35, the Yard Stick One is about $100, the Proxmark3 RDV4 kit is roughly $300 and compatible USB battery packs and storage will vary by model. Sure, that means the researchers spent more than $435 on this attack, but what does that matter when it offers access to a car that starts at $77,000 and has notorious manufacturing delays? Of course, finding a way to actually keep the Model S without getting caught would be a problem for the criminals to figure out.

You can see the attack in action in COSIC's proof-of-concept video:

COSIC researchers hack Tesla Model S key fob

A Months-Old Problem

COSIC said it disclosed these vulnerabilities to Tesla in August 2017. A few months later it contacted the company that makes the PKES system, Pektron, directly. It also reached out to several Pektron customers, including McLaren, Karma and Triumph. None have responded to COSIC's disclosure. So it conducted a live demonstration of the attack on one of Tesla's engineering vehicles in April, presented its findings at CHES 2018 in Amsterdam on September 10 and has submitted a full research paper that is "currently under submission and will be released in the future."

We've reached out to Tesla to verify COSIC's claim of revealing these vulnerabilities in August 2017, determine if the company's other vehicles are susceptible to the same attack and see how Tesla plans to address the issue. We'll update this post if the company responds.
