Hackers clone Tesla Model S key fob in 2 seconds to steal car

Belgium researchers quickly cloned the key fob of a Tesla Model S designed by Pektron. Tesla fixed the vulnerability, but McLaren, Karma and Triumph systems are also likely vulnerable.

Feeling reckless and looking for something new to do with your Raspberry Pi? Using a Raspberry Pi 3 Model B+, Proxmark3, Yard Stick One, and a USB battery pack, Belgium researchers needed less than two seconds to clone the key fob of a Tesla Model S.

The reckless part comes into play if you were to actually steal the Tesla. But if you turn to a life of crime, then the researchers believe McLaren, Karma and Triumph are vulnerable to the attack, as well, because like Tesla, the keyless entry solutions for those vehicles are designed by Pektron.

In case it’s not clear that stealing a Model S was a joke, then don’t try it because Tesla would be able to track down the vehicle even if you disabled GPS.

Relay attacks on Passive Keyless Entry and Start (PKES) systems are apparently so yesterday that Computer Security and Industrial Cryptography (COSIC) researchers from KU Leuven University in Belgium hunted for a new attack. They honed in on Tesla, as the Pektron-designed PKES system used a weakly encrypted DST40 cipher.

Tesla, at least, had a way for the researchers to report the vulnerability. McLaren, Karma, and Triumph, however, reportedly ignored the problem even though “the FCC database show that all these systems use the same Texas Instruments TMS37F128 chip.”

Pwning the PKES system means the car could be unlocked and started if the key fob is in proximity. By deciding to use a weak 40-bit cipher encryption in the key fob system, KU Leuven researcher Tomer Ashur told Wired that someone at Pektron “screwed up. Epically.”

Wired added that with roughly $600 in radio and computing equipment, the researchers were able to “wirelessly read signals from a nearby Tesla owner's fob. Less than two seconds of computation yields the fob’s cryptographic key, allowing them to steal the associated car without a trace.”

KU Leuven researcher Lennert Wouters confirmed, “Today it’s very easy for us to clone these key fobs in a matter of seconds. We can completely impersonate the key fob and open and drive the vehicle.”

As you can see in the proof-of-concept attack video below, the researcher walked over to the Tesla and retrieved the car identifier in 1.079 seconds and then walked within three feet of the owner’s key fob and cloned it in 1.6 seconds.

Tesla paid the researchers $10,000 for reporting the vulnerability back in August 2017. A year passed before the company started rolling out new security features to make Teslas more difficult to steal. If you bought a Model S since June 2018, then the key fob has “more robust” crypto. For older key fob's, an over-the-air software update added an optional PIN that can be entered before the car can be driven. But if you want a new, more secure key fob, then it costs $150.  

Tesla has been issuing the following statement to the press:

Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles. None of these options would be possible for any traditional automaker – our ability to update software over the air to improve functionality and security is unique.

Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish. In addition, we had already been working on several other over-the-air updates to help protect our customers from thefts – last year we introduced an update that allows all customers to turn off passive entry entirely, and this year we introduced PIN to Drive, which allows customers to set a unique PIN that needs to be entered before their vehicle is driven.

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.