Tesla’s keyless entry vulnerable to spoofing attack, researchers findSeptember 10, 2018
Last week’s Tesla security update may have been more urgent than the company let on. Researchers at KU Leuven have figured out a way to spoof Tesla’s key fob system, as first reported by Wired. The result would let an attacker steal a Tesla simply by walking past the owner and cloning his key.
The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars. This particular attack seems to have only worked on Model S units shipped before June, and in an update last week, Tesla pushed out an update that strengthened the encryption for the remaining vehicles. More importantly, the company added the option to require a PIN password before the car will start, effectively adding two-factor to your car. At the time, it seemed like overkill — but knowing that this kind of attack is possible, it’s probably worth turning on. Tesla owners can add the PIN by disabling Passive Entry in the “Doors & Locks” section of “Settings.”
The attack itself is fairly involved. Because of the back-and-forth protocol, attackers would first have to sniff out the car’s Radio ID (broadcast from the car at all times), then relay that ID broadcast to a victim’s key fob and listen for the response, typically from within three feet of the fob. If they can do that back-and-forth twice, the research team found they can work back to the secret key powering the fob’s responses, letting them unlock the car and start the engine.
It’s worth noting that Tesla cars are already fairly theft-resistant, since the always-on GPS tracking often allows victims to track and retrieve their cars after they’ve been stolen, which in turn encourages car thieves to look elsewhere for a payoff. Still, entering a pin code for your car is a small price to pay, particularly now that there’s public research showing how to break through the less sophisticated versions of the protocol.
This isn’t the first time an attack like this has caused a panic in the auto security world. For years, Volkswagen struggled with a flaw in the Megamos transponder that allowed hackers to impersonate a key fob and drive off with cars that would otherwise have been immobilized. More generally, replay attacks are often used to unlock cars, even if it’s harder to turn them on and drive away.
The best defense we have against those attacks is essentially what Tesla has in place now: a complex handshake with robust encryption to keep the signals from being deciphered. But the strength of that encryption is limited by the keyfob itself, which can only pack so much processor power. As researchers catch on, those hacks are going to be hard to avoid, which makes less conventional fixes like second-factor PINs or RF-blocking key wallets all the more attractive.