
Tesla Hacked

Stealing a Model X in minutes requires exploiting two vulnerabilities. Wouters started with a hardware kit costing roughly $300 that sits in a backpack and includes a Raspberry Pi low-cost computer and a Model X body control module (BCM) that he purchased on eBay. It’s the BCM that enables these exploits, even though it’s not from the target vehicle: it acts as a trusted piece of Tesla hardware, which allows both exploits to be pulled off. With it, Wouters is able to hijack the Bluetooth radio connection that the key fob uses to open the vehicle, using the VIN and coming within 15 feet of the target vehicle’s fob. At that point, his hardware rewrites the target fob’s firmware, which lets him access the secure enclave and get the code to unlock the Model X. He stores that code in his backpack rig and returns to the Model X, which opens because it believes it’s connected to the original fob.

Essentially, Wouters is able to create a key for a Model X by knowing the last five digits of the VIN—which is visible in the windshield—and standing near the owner of that vehicle for about 90 seconds while his portable setup clones the key.

Once in the vehicle, Wouters has to use another exploit to get the vehicle started. By accessing the USB port hidden behind a panel under the display, Wouters is able to connect his backpack computer to the vehicle’s CAN (Controller Area Network) bus and tell the vehicle’s computer that his spoofed key fob is valid. With that done, the Model X believes a valid key is in the vehicle and willingly starts up and is ready to drive away.

The issue is that the key fob and BCM, while connecting to each other, don’t take the extra step of validating firmware updates sent to the key fob, so the researcher could gain access to the key by pretending to send over new firmware from Tesla. “The system has everything it needs to be secure,” Wouters told Wired. “And then there are a few small mistakes that allow me to circumvent all of the security measures.”
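To make the missing validation step concrete, here is an added Go example (not Wouters’s code and not Tesla’s firmware) that contrasts an updater that installs whatever image it receives with one that checks a vendor signature and version first. The `Fob` type, the function names, the version field and the choice of Ed25519 are assumptions made for illustration, and the signing key is constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("firmware signature invalid")
var ErrRollback = errors.New("firmware version not newer than installed")
// Fob is a hypothetical model of a key fob's updatable state.
type Fob struct {
	VendorKey ed25519.PublicKey // assumed fixed at manufacture
	Version   uint32
	Firmware  []byte
}

// signedBytes prefixes the image with its big-endian version so both are signed together.
func signedBytes(v uint32, image []byte) []byte {
	return append([]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}, image...)
}

// ApplyUnchecked is the flawed pattern: whatever image arrives gets installed.
func (f *Fob) ApplyUnchecked(v uint32, image []byte) {
	f.Version, f.Firmware = v, image
}

// ApplyVerified installs only a vendor-signed image newer than the current one.
func (f *Fob) ApplyVerified(v uint32, image, sig []byte) error {
	if !ed25519.Verify(f.VendorKey, signedBytes(v, image), sig) {
		return ErrBadSignature
	}
	if v <= f.Version {
		return ErrRollback
	}
	f.Version, f.Firmware = v, image
	return nil
}

// NewDemoFob returns a fob at version 1 and a signer standing in for the vendor's build system.
func NewDemoFob() (*Fob, func(uint32, []byte) []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; constructed demo key
	sign := func(v uint32, img []byte) []byte { return ed25519.Sign(priv, signedBytes(v, img)) }
	return &Fob{VendorKey: pub, Version: 1, Firmware: []byte("image-v1")}, sign
}

func main() {
	fob, _ := NewDemoFob()
	fmt.Println(fob.ApplyVerified(2, []byte("unsigned image"), make([]byte, 64)))
}
```

Because the version is part of the signed bytes, a signature issued for one version cannot be replayed with a different version number, and the fob only ever needs the public half of the key.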

Wouters also noted that this type of exploit isn’t unique to Tesla. “They’re cool cars, so they’re interesting to work on,” Wouters told Wired. “But I think if I spent as much time looking at other brands, I would probably find similar issues.”

Tesla has a history of working with security researchers and even offers up a Model 3 every year to the Pwn2Own competition. Wouters won’t share the technical details of his exploit until January at the Real World Crypto conference.
