A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, allowing him to steal any car that isn't running on the latest software update.

The attack, which only takes a few minutes to execute and requires inexpensive gear, was put together by Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium.

This is Wouters' third Tesla hack in as many years; the researcher published two other Tesla attacks in 2018[1] and 2019[2].

According to a report[3] published today, Wouters said this third attack works because of a flaw in the firmware update process of Tesla Model X key fobs.

The flaw can be exploited using an electronic control unit (ECU) salvaged from an older Model X vehicle, which can be easily acquired online on sites like eBay or from stores and forums selling used Tesla car parts.

Wouters said attackers can modify the older ECU to trick a victim's key fob into believing the ECU belonged to its paired vehicle and then push a malicious firmware update to the key fob via the BLE (Bluetooth Low Energy) protocol.

"As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it," Wouters said. "Subsequently we could obtain valid unlock messages to unlock the car later on."

The steps of the attack are detailed below:

  1. The attacker approaches the owner of a Tesla Model X vehicle. The attacker needs to get as close as 5 meters to the victim to allow the older modified ECU to wake up and ensnare the victim's key fob.
  2. The

Read more from our friends at ZDNet