
New bluetooth hack to easily steal a Tesla model X in minutes

The_Hawkeye

Summary

A new way has been found to copy a key fob of the Tesla Model X, take full control and drive away with it within minutes.

 

Quotes

Quote

Bart Preneel - Full Professor at University of Leuven, Belgium:

We did it again: we hacked the Tesla Model X. In less than 2 minutes we can create our own key fob and drive away with your shiny car. All the building blocks are secure but there are quite some implementation weaknesses (not the first time this happens). Lesson learned: code signing does not help if you forget to check the signature. Responsible disclosure has been followed and Tesla has created a software update.

 

Sources

Article on Wired: https://www.wired.com/story/tesla-model-x-hack-bluetooth/

Video on Youtube: https://www.youtube.com/watch?v=clrNuBb3myE

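The lesson in Preneel's quote, that code signing does not help if you forget to check the signature, written out as an added example (this is not code from the thread, from Tesla or from the researchers); the blob format, the demo key and the HMAC stand-in for the real asymmetric signature are assumptions made for the demo:

```python
"""Added demo (not Tesla's or the researchers' code) of the bug Preneel describes:
a verifier that parses a signature field but never checks it.
Constructed blob format: 4-byte big-endian payload length | payload | 32-byte tag.
The tag is an HMAC-SHA256 stand-in for the vendor's asymmetric signature."""
import hashlib
import hmac
import struct

VENDOR_KEY = b"constructed-demo-key"   # stands in for the vendor signing key
TAG_LEN = 32

def sign_update(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce a correctly signed update blob."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return struct.pack(">I", len(payload)) + payload + tag

def unsigned_blob(payload: bytes) -> bytes:
    """Same framing, arbitrary payload, all-zero tag: what a non-checking verifier accepts."""
    return struct.pack(">I", len(payload)) + payload + b"\x00" * TAG_LEN

def tampered(blob: bytes) -> bytes:
    """Flip one bit of the payload of a signed blob, so the tag no longer matches."""
    b = bytearray(blob)
    b[4] ^= 0x01
    return bytes(b)

def _split(blob: bytes):
    """Parse the framing strictly; raise on anything malformed."""
    if len(blob) < 4 + TAG_LEN:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    payload, tag = blob[4:4 + n], blob[4 + n:]
    if len(payload) != n or len(tag) != TAG_LEN:
        raise ValueError("malformed blob")
    return payload, tag

def install_insecure(blob: bytes) -> bytes:
    """Bug pattern: the tag is parsed and length-checked, but no verification
    ever runs, so every well-framed blob is treated as authentic."""
    payload, _tag = _split(blob)
    return payload

def install_secure(blob: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Fail closed: recompute the tag and compare in constant time before the
    payload is used for anything."""
    payload, tag = _split(blob)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return payload
```

The secure path rejects both the unsigned blob and a one-bit modification of a genuine one; the insecure path installs either.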

Doesn't surprise me. Key fobs for any vehicle are horribly insecure. You just need a Pringles can, 2 antennas and a few other components so that you can pick up a key fob from inside the house, which you can then repeat back to the car. Child's play to break into just about any modern vehicle.


All I need to steal any car would be a forklift and a flatbed. Easy peasy.

 


Alternative title: "Get a free Tesla Model X in minutes with this simple Bluetooth hack!"

 

1 hour ago, trag1c said:

Doesn't surprise me. Key fobs for any vehicle are horribly insecure. You just need a Pringles can, 2 antennas and a few other components so that you can pick up a key fob from inside the house, which you can then repeat back to the car. Child's play to break into just about any modern vehicle.

The whole "you just need a Pringles can, 2 antennas and a few other components" reminds me of this:


 

You make it sound like "yeah it is so weak you just need a Pringles can and some other stuff" but it's the "other stuff" that is the "complicated" part. 

Car fobs are not exactly the pinnacle of security, but they aren't as weak as you describe them either. At least not in relatively new cars. The Hitag2 for example became very popular after it was released in the 90's. But even that had encryption for authentication and confidentiality. It was really shitty, but it protected against simple replay attacks that you seem to be talking about.

For the central locking system, modern car keys are even more advanced. They have an RNG in both the transceiver and receiver and a rolling code system. You cannot just capture the radio signals for an "unlock" command and then replay it to unlock a car. It doesn't work.

 

  

41 minutes ago, TempestCatto said:

This is why I like older cars. They are so much easier to work on, cheaper [to work on], and when maintained properly they work amazingly well (and are reliable).

And probably have even worse security...

The only protection you got in an older car is the immobilizer and the key itself.

The key itself is most likely horrible, and the immobilizer is probably based on the Hitag2 I mentioned earlier, which is well studied and understood at this point. You can break that without even needing to be close to the key.

 

Old cars offer some benefits like being easier to repair by yourself, but security is not exactly a strength.

On the bright side, a car thief will probably be less interested in an old car.


1 hour ago, trag1c said:

Doesn't surprise me. Key fobs for any vehicle are horribly insecure. You just need a Pringles can, 2 antennas and a few other components so that you can pick up a key fob from inside the house, which you can then repeat back to the car. Child's play to break into just about any modern vehicle.

Car keyfobs are not garage door openers...


1 hour ago, leadeater said:

Car keyfobs are not garage door openers...

bbbbbuuuttt in Gone in 60 seconds, they hacked keyfobs in seconds!

 

Movies aren't real????


1 hour ago, LAwLz said:

The key itself is most likely horrible, and the immobilizer is probably based on the Hitag2 I mentioned earlier, which is well studied and understood at this point. You can break that without even needing to be close to the key.

How old are you thinking? 2006? I'm talking maybe 90s at the latest. Yeah, shit security. But I don't care so much about that compared to it being reliable. 


1 hour ago, leadeater said:

Car keyfobs are not garage door openers...

 

1 hour ago, LAwLz said:

snip

 

You're not actually trying to decode any signals or anything; it's nothing but a repeater tuned to ~315MHz (typical of most fobs within NA). You're just making it appear as if the fob is within the short range of the wireless transceivers. The Pringles can is nothing but a dish to replicate an extremely directional antenna so that you capture the weak signal and retransmit it on the 2nd antenna within range of the wireless transceivers on the car. This functions no differently than a cellular repeater.

Key fobs have come a long way in terms of preventing brute force attacks and code interception but they ultimately fail to the simplest tricks.


7 minutes ago, trag1c said:

 

You're not actually trying to decode any signals or anything; it's nothing but a repeater tuned to ~315MHz (typical of most fobs within NA). You're just making it appear as if the fob is within the short range of the wireless transceivers. The Pringles can is nothing but a dish to replicate an extremely directional antenna so that you capture the weak signal and retransmit it on the 2nd antenna within range of the wireless transceivers on the car. This functions no differently than a cellular repeater.

Key fobs have come a long way in terms of preventing brute force attacks and code interception but they ultimately fail to the simplest tricks.

Yup. Which is why it's probably a good idea to keep the fobs in an RF-shielded sheath or Faraday cage box on the nightstand.

 

Very common for neighborhood criminals to rob items inside a car at night. Most of the time they just open doors that are already left unlocked, or smash-n-grab laptops left in plain sight. But having a tool to perform a replay attack is just one more vector in gaining access to the content inside the vehicle, or perform an actual act of grand theft auto (not the game). 


3 hours ago, trag1c said:

Doesn't surprise me. Key fobs for any vehicle are horribly insecure. You just need a Pringles can 2 antennas and few other components so that you can pick up a key fob from inside the house from which you can then repeat back the the car. Child's play to break into just about any modern vehicle. 

You can't just get a radio and try transmitting the code to unlock a car. Doesn't work like that.

 

There's a similar 40-bit pseudo-random code generation algorithm on both the key fob and the car that outputs the same random number after every attempt. So even if you read the signal, it's next to impossible to figure out what the next code would be.

 

Modern cars obviously have much more advanced and more robust algorithms. But in essence, it's not easy to just trick the car into unlocking for you.


9 minutes ago, RedRound2 said:

You can't just get a radio and try transmitting the code to unlock a car. Doesn't work like that.

 

There's a similar 40-bit pseudo-random code generation algorithm on both the key fob and the car that outputs the same random number after every attempt. So even if you read the signal, it's next to impossible to figure out what the next code would be.

 

Modern cars obviously have much more advanced and more robust algorithms. But in essence, it's not easy to just trick the car into unlocking for you.

See below... You're not trying to brute-force attack the software. You're just extending the range of the key fob to way beyond what it should be.

42 minutes ago, trag1c said:

 

You're not actually trying to decode any signals or anything; it's nothing but a repeater tuned to ~315MHz (typical of most fobs within NA). You're just making it appear as if the fob is within the short range of the wireless transceivers. The Pringles can is nothing but a dish to replicate an extremely directional antenna so that you capture the weak signal and retransmit it on the 2nd antenna within range of the wireless transceivers on the car. This functions no differently than a cellular repeater.

Key fobs have come a long way in terms of preventing brute force attacks and code interception but they ultimately fail to the simplest tricks.

 


That's why Tesla has a pin-to-drive feature. It adds another layer of security to prevent these attacks. I assume there will be a patch for this in a week or so anyway.


While the Tesla attack doesn't seem trivial (above the pay grade of thieves who do relay attacks), it is slightly concerning... with that said, it really does sound like they could easily implement a fix for at least the car (seems like they overlooked the certificate check, which would prevent the stealing-the-car part of the attack at least).

 

I wonder how easy it will be for them to fix the key fob issue... on a similar note, how many Tesla owners are using a key fob? (Genuinely curious about this... as you don't even get a key fob with the vehicle, but rather use your phone... please someone correct me if I am wrong here)

 

edit: Actually looks like they don't ship with fobs, and just use an app itself... so I wonder how much of this is a non-starter... also explains maybe why there was a bit less attention given to it by Tesla if a key fob is more of an add-on than a necessity. Either way it's really inexcusable to not check security features that have been put in place.


19 minutes ago, wanderingfool2 said:

edit: Actually looks like they don't ship with fobs, and just use an app itself...

Even better. I wonder if this would be affected by the recent media control failures due to worn-out eMMC NAND flash?

 

 https://arstechnica.com/cars/2020/11/after-12523-replacements-feds-investigate-tesla-media-control-unit-failures/

 

Tesla's choice in technologies is truly an enigma to me. So much winning, yet so often failing.


1 minute ago, StDragon said:

Even better. I wonder if this would be affected by the recent media control failures due to worn-out eMMC NAND flash?

 

 https://arstechnica.com/cars/2020/11/after-12523-replacements-feds-investigate-tesla-media-control-unit-failures/

 

Tesla's choice in technologies is truly an enigma to me. So much winning, yet so often failing.

Part of that is likely simply their inexperience as an automaker. Tesla has only been a large scale automaker for about 8 years - the Model S came out in 2012 (and really, the S and X were not very large scale at that).

 

Compare that to, say, Ford, which has been operating since 1903. Traditional companies might be slow to adopt new tech (something they're a lot better at lately, but still need improvement on), but they also have much more experience in finding out what technology is reliable.


3 minutes ago, dalekphalm said:

Part of that is likely simply their inexperience as an automaker. Tesla has only been a large scale automaker for about 8 years - the Model S came out in 2012 (and really, the S and X were not very large scale at that).

 

Compare that to, say, Ford, which has been operating since 1903. Traditional companies might be slow to adopt new tech (something they're a lot better at lately, but still need improvement on), but they also have much more experience in finding out what technology is reliable.

☝️ And that is why I prefer Toyota.

 

🎤 drop!


Just now, StDragon said:

☝️ And that is why I prefer Toyota.

 

🎤 drop!

The shitty thing with Toyota is you only ever see tech and mechanical updates every 10 years, and this also means they don't really fix much for 10 years either before reintroducing new issues. I mean waiting 6 years for Ford or GM to get their shit updated is bad enough lol.

 

I bought a truck last year and I was between the 2019 GMC Sierra 1500 AT4 and the Toyota 1774 edition. Ultimately the GMC won because for a lower price I got way more out of it.

 


32 minutes ago, StDragon said:

☝️ And that is why I prefer Toyota.

 

🎤 drop!

There's no doubt that Toyota is among the best automakers. But there are pros and cons to every make and model of car. Tesla has plenty that Toyota doesn't offer. And vice versa.

 

They could learn much from each other.


1 hour ago, dalekphalm said:

There's no doubt that Toyota is among the best automakers. But there are pros and cons to every make and model of car. Tesla has plenty that Toyota doesn't offer. And vice versa.

 

They could learn much from each other.

Oddly, Toyota have been making full EVs for some time now. In California there have been compliance cars for 10 years from the brand. Not exactly production stuff but they exist. However, for the Chinese market Toyota have full EV cars that are full production. For some reason they are currently only sold there.

 

As for their key fobs, the replay type attack worked on their fobs until late 2019. Fobs made after that include a number of new protections, including a simple timer that deactivates the fob after a few seconds of it being stationary. So you get in, hang up your keys or put them on a table, and the fob is switched off totally a few seconds later. The simplest of things was all it took to foil that kind of attack, unless the attacker is quick or you do what I do and leave the key in your pocket until you go to bed.

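The three points argued in this thread (RedRound2's rolling-code description, trag1c's repeater description, and the post above about fobs that switch off when stationary) as one added simulation, which is not code from any poster or manufacturer; the 40-bit keyed-hash code, the acceptance window and the 3-second timeout are values constructed for the demo:

```python
"""Toy rolling-code fob/car (constructed demo; 40-bit code as in RedRound2's post).
Shows: a replayed message is rejected; a relayed live answer is accepted; a fob
that goes silent after MOTION_TIMEOUT_S seconds stationary leaves a relay nothing."""
import hashlib
import hmac
import struct

WINDOW = 16             # counters ahead of the last accepted one that the car tolerates
MOTION_TIMEOUT_S = 3.0  # Toyota-style motion timer from the post above (value assumed)

def rolling_code(key: bytes, counter: int) -> bytes:
    """40-bit code derived from the shared key and the counter."""
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()[:5]

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter, self.stationary_s = key, 0, 0.0
    def press(self):
        """Button press: advance the counter, emit (counter, code)."""
        self.counter += 1
        return self.counter, rolling_code(self.key, self.counter)
    def answer_poll(self):
        """Passive-entry answer to the car's poll; None once the motion timer expired."""
        if self.stationary_s >= MOTION_TIMEOUT_S:
            return None
        return self.press()

class Car:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0
    def unlock(self, msg) -> bool:
        counter, code = msg
        if not (self.last < counter <= self.last + WINDOW):
            return False   # counter already used (replay) or too far ahead
        if not hmac.compare_digest(code, rolling_code(self.key, counter)):
            return False   # wrong key or forged code
        self.last = counter
        return True

def replay_result(key: bytes = b"demo-key"):
    """(first press accepted, byte-identical replay accepted) -> (True, False)."""
    fob, car = Fob(key), Car(key)
    msg = fob.press()
    return car.unlock(msg), car.unlock(msg)

def relay_result(stationary_s: float, key: bytes = b"demo-key") -> bool:
    """Relay: the car's poll reaches the fob indoors and the fob's fresh answer
    travels back unmodified. Succeeds unless the fob has already gone quiet."""
    fob, car = Fob(key), Car(key)
    fob.stationary_s = stationary_s
    answer = fob.answer_poll()
    return answer is not None and car.unlock(answer)
```

The rolling counter defeats the replay but not the relay, because the relayed answer is fresh; only the fob's own motion timer (or a shielded pouch, as suggested earlier in the thread) removes the answer the relay depends on.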

5 hours ago, TempestCatto said:

This is why I like older cars. They are so much easier to work on, cheaper [to work on], and when maintained properly they work amazingly well (and are reliable).

until someone breaks the defrost windows, (too old?) until someone shims the door.


Per another Wired article dated 2016.

 

Quote

Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW's 730d, Citroen's DS4 CrossBack, Ford's Galaxy and Eco-Sport, Honda's HR-V, Hyundai's Santa Fe CRDi, KIA's Optima, Lexus's RX 450h, Mazda's CX-5, MINI's Clubman, Mitsubishi's Outlander, Nissan's Qashqai and Leaf, Opel's Ampera, Range Rover's Evoque, Renault's Traffic, Ssangyong's Tivoli XDi, Subaru's Levorg, Toyota's RAV4, and Volkswagen's Golf GTD and Touran 5T. Only the BMW i3 resisted the researchers' attack, though they were still able to start its ignition. And the researchers posit---but admit they didn't prove---that the same technique likely would work on other vehicles, including those more common in the United States, with some simple changes to the frequency of the equipment's radio communications.

 

Cars aren't cheap. If there hasn't been one already, there should be a recall issued to address that problem.
