Tesla’s flagship Model S - which starts at $75,000 - offers keyless entry and driving. After all, an owner who’s paid almost six figures for his Model S doesn’t want to fumble around with keys every time he gets into his vehicle.
However, researchers at KU Leuven university in Belgium managed to come up with a way to reverse-engineer the keyless entry system and drive off with a Model S in seconds. They demonstrated this method at the Cryptographic Hardware and Embedded Systems conference in Amsterdam on Monday.
Simply put, the car periodically transmits a low-frequency (LF) wake-up signal carrying its identifier, which a nearby fob detects and answers with a higher-frequency (UHF) signal of its own. The car then sends a random ‘challenge’ value, and the fob encrypts it with a secret key it shares with the car and sends back the result; the car computes the same value itself and compares. Once the car has checked a correct answer (the exchange is run twice), it is ready to lock, unlock, and start with the press of a button. The security of the whole scheme therefore rests on nobody but the car and fob being able to compute that answer, which in turn rests on the key being too large to guess.
The Belgian researchers found that they could record the car’s initial radio signal, with its identifier, using a portable radio, then carry that radio to within about three feet (one metre) of the target’s key fob and replay the signal so that the fob believed it was talking to its own car. Posing as the car, they sent the fob two challenges of their choosing and recorded both responses. The first response was looked up in a precomputed 6-terabyte table listing, for that fixed challenge, the response produced by every one of the roughly one trillion possible 40-bit keys; because the response is shorter than the key, many keys collide on a single response, and the second recorded response is used to discard those false positives.
The lookup takes just short of two seconds. With the key in hand, the researchers could answer any challenge the car issued, that is, they had a working clone of the fob: they unlocked the car, started it, and drove away.
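The following is an added example, not code from the KU Leuven researchers or from Tesla, that simulates the challenge-response protocol above and the precomputed-table attack against it. The real fob cipher (DST40 with a 40-bit key and a 24-bit response) is replaced here by a truncated SHA-256 stand-in with a 16-bit key and 12-bit response, so that the full table fits in memory and the attack runs in well under a second; the class names, the two fixed challenges and the victim key are constructed for the illustration. The shape of the attack is the same: one fixed challenge indexes the table, a second recorded response removes false positives, and the recovered key yields a clone the car accepts.

```python
import hashlib
import random
from collections import defaultdict

# Toy parameters. The Pektron system in the article used a 40-bit key and a
# 24-bit response; the attackers' 6 TB table covers all 2^40 keys for one
# fixed challenge. Sizes here are scaled down so the attack runs in seconds.
KEY_BITS = 16
RESP_BITS = 12
CHALLENGE_BITS = 40


def fob_response(key: int, challenge: int) -> int:
    """Stand-in keyed function for the fob's cipher (NOT the real DST40).
    Truncated SHA-256 of (key || challenge), reduced to RESP_BITS bits."""
    data = key.to_bytes(8, "big") + challenge.to_bytes(8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << RESP_BITS) - 1)


class KeyFob:
    """Legitimate (or cloned) fob: holds the key and answers any challenge."""

    def __init__(self, key: int):
        self._key = key

    def respond(self, challenge: int) -> int:
        return fob_response(self._key, challenge)


class Car:
    """Vehicle side: sends a random challenge and checks the fob's answer."""

    def __init__(self, key: int):
        self._key = key

    def authenticate(self, fob: KeyFob) -> bool:
        challenge = random.getrandbits(CHALLENGE_BITS)
        return fob.respond(challenge) == fob_response(self._key, challenge)


# Attacker's chosen challenges (arbitrary constants; the fob does not care
# which challenges it is asked, as long as the car identifier looks right).
FIXED_CHALLENGE_1 = 0x0123456789
FIXED_CHALLENGE_2 = 0x9876543210


def build_table(challenge: int) -> dict:
    """Offline phase: for ONE fixed challenge, map every possible response to
    the list of keys that produce it. Toy analogue of the 6 TB table."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[fob_response(key, challenge)].append(key)
    return table


def recover_key(fob: KeyFob, table: dict) -> int:
    """Online phase: pose as the car, collect two responses, look the first
    one up and use the second to discard false positives (the response is
    shorter than the key, so many keys share a first response)."""
    r1 = fob.respond(FIXED_CHALLENGE_1)
    r2 = fob.respond(FIXED_CHALLENGE_2)
    candidates = [k for k in table[r1] if fob_response(k, FIXED_CHALLENGE_2) == r2]
    # In the rare case two keys still agree on both, extra challenges settle it.
    while len(candidates) > 1:
        c = random.getrandbits(CHALLENGE_BITS)
        r = fob.respond(c)
        candidates = [k for k in candidates if fob_response(k, c) == r]
    return candidates[0]


def clone_and_start(victim_fob: KeyFob, car: Car, table: dict) -> bool:
    """Full attack: recover the key from two fob queries, build a clone,
    and report whether the car accepts it."""
    clone = KeyFob(recover_key(victim_fob, table))
    return car.authenticate(clone)


if __name__ == "__main__":
    secret = 0xBEEF  # constructed victim key
    table = build_table(FIXED_CHALLENGE_1)
    print("recovered key:", hex(recover_key(KeyFob(secret), table)))
    print("car starts with clone:", clone_and_start(KeyFob(secret), Car(secret), table))
```

The fix for this class of attack is not a cleverer table but a key too large to enumerate: `build_table` costs 2^KEY_BITS evaluations and the same amount of storage, which is practical at 2^40 (the 6 TB drive) and hopeless at 2^80 or 2^128. Note also that the car in this model never limits how many challenges a fob will answer, which is what lets the attacker harvest the two responses in seconds.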
The portable radios they used can be bought at any electronics store and the Raspberry Pi microcomputer can be found online for less than $40. The 6-terabyte list of keys is stored on a portable hard drive, while the whole setup is powered by a few batteries.
This smooth getaway is made possible by the Model S key fob’s weak cryptography: a cipher with a key only 40 bits long, small enough that every possible key can be tried in advance and the results stored on a single hard drive. The KU Leuven researchers reported the vulnerability to Tesla in August 2017, and Tesla paid them $10,000 under its bug bounty programme. However, the electric carmaker only shipped a fix this June: new fobs with stronger encryption, and a software update that lets drivers set a PIN code that must be entered before the vehicle will drive.
This means that Model S cars sold before June 2018 still carry the weak fobs and remain vulnerable, unless owners cough up $150 for a new, improved fob. The PIN-to-drive option blocks the drive-off on older cars too, but not the unlocking. The fault does not lie with Tesla alone: the cipher was chosen by Pektron, the English company that makes the key fobs.
Cloning key fobs is one of several methods of keyless car theft. For years, thieves have used relay attacks: one radio device held near the owner’s key and another near the car forward the signals between them, fooling the car into thinking the key is nearby. Relay attacks used to require costly equipment, but in 2017 a group of researchers at the Chinese security firm Qihoo 360 showed they could be carried out with just $22 worth of parts. A relay only works while the real fob is within reach of the first device, though; the KU Leuven clone, once the key has been recovered, works on its own for as long as the fob is in use.