KU Leuven researchers have discovered vulnerabilities in the Tesla Model X’s door release. This makes it possible to take control of a Model X’s wireless keys. Tesla has now fixed the vulnerabilities.
Researchers from Cosic, an imec research group at the University of Leuven, say they discovered the vulnerabilities on August 17, 2020. The vulnerabilities allowed the researchers to unlock a Tesla Model X and drive away. Among other things, a modified key fob and an Electronic Control Unit were used, which the researchers bought on eBay.
With this ECU, the researchers said they could force a Model X-key fob to display itself as a connectable Bluetooth device. This allowed these wireless keys to be updated remotely. “Because this update mechanism was not properly secured, we were able to compromise a key fob remotely and take full control of it,” the researchers write.
Cosic also developed a proof-of-concept attack. Investigators report that they could steal a Tesla Model X by first approaching the victim’s key fob within five meters with an ECU, triggering it. After that, you can send your own software to this key via Bluetooth to gain full control over it, the researchers write. “This process takes a minute and a half, but can easily be performed at a distance of more than 30 meters.”
After this is done, the investigators can receive “valid commands” to unlock the Model X in question. Then the researchers could add their own key fob to the Model X and drive away.
In addition to the ECU and key fob, the proof-of-concept also used a Raspberry Pi, a CAN shield and a lithium-ion polymer battery. All parts together cost about $ 195, Cosic reports. Tesla has fixed the vulnerabilities in update 2020.48, which is currently being rolled out for the Model X. Tesla has rewarded the researchers with a bug bounty of $ 5,500, according to a video from HLN. Cosic previously cloned the keys to a Tesla Model S.