Keyless Tesla cars are open to hacking, consultant says

Tesla Inc. customers might like the automaker’s nifty keyless entry system, but a cybersecurity researcher has demonstrated how the same technology could allow thieves to drive away with certain models of electric vehicles.

An effective hack on Tesla Model 3 and Y cars would allow a thief to unlock a vehicle, start it and drive away, according to Sultan Qasim Khan, senior security consultant at NCC Group, a security firm based in Manchester, UK. By redirecting communications between a car owner’s cell phone or key fob and the car, strangers can trick the entry system into thinking the owner is physically near the vehicle.

The hack, Khan said, is not specific to Tesla, although he demonstrated the technique to Bloomberg News on one of the affected car models. Rather, it’s the result of his tinkering with Tesla’s keyless entry system, which relies on what’s called the Bluetooth Low Energy protocol, known as BLE.

There is no evidence that thieves have used the hack to gain access to Tesla vehicles. The automaker did not respond to a request for comment. NCC provided details of its findings to customers in a memo on Sunday, an official said.

Tesla acknowledged in April that relay attacks are a “known limitation of the passive entry system,” according to NCC Group.

Khan said he disclosed the potential for the attack to Tesla, and company officials did not consider the issue a significant risk. To fix it, the automaker would have to modify its hardware and change its keyless entry system, Khan said. The revelation comes after another security researcher, David Colombo, revealed a way to hijack certain functions of Tesla vehicles, such as opening and closing doors and controlling music volume.

The BLE protocol was designed to easily link devices across the internet, although it has also emerged as a method that hackers exploit to unlock smart technologies including home locks, cars, phones and laptops, Khan said. The NCC Group said it was able to carry out the attack on devices from several other automakers and technology companies.

Users of Kwikset Corp.’s Kevo smart locks who rely on keyless entry with iPhone or Android phones are affected by the same issue, Khan said. Kwikset said customers who use an iPhone to access the lock can enable two-factor authentication in the lock app. A spokesperson also added that iPhone-operated locks have a 30-second timeout, which helps protect against intruders.

Kwikset will update its Android app in “summer,” the company said.

“The safety of Kwikset’s products is of the utmost importance and we partner with well-known security companies to evaluate our products and continue to work with them to ensure that we provide the highest possible security to our consumers,” said a spokesperson.

A representative from Bluetooth SIG, the collective of companies that manages the technology, said: “The Bluetooth Special Interest Group (SIG) prioritizes security and the specification includes a feature set that provides product developers with the tools they need to secure communications between Bluetooth devices.

“The SIG also provides educational resources to the developer community to help them implement the appropriate level of security in their Bluetooth products, as well as a vulnerability response program that works with the security research community to address identified vulnerabilities in the Bluetooth specifications in a responsible manner.”

Khan has identified numerous vulnerabilities in NCC Group’s client products and is also the creator of Sniffle, the first open source Bluetooth 5 sniffer. Sniffers can be used to track Bluetooth signals, helping to identify devices. They are often used by government agencies that manage roads to anonymously monitor drivers passing through urban areas.

A 2019 study by a UK consumer group found that over 200 car models were susceptible to keyless theft, using similar but slightly different attack methods such as spoofing keyless signals over wire or radio.

In a demonstration to Bloomberg News, Khan conducted a so-called relay attack, in which a hacker uses two small hardware devices that relay communications between the key and the car. To unlock the car, Khan placed one relay device about 50 feet from the Tesla owner’s smartphone or key fob and a second, plugged into his laptop, near the car. The devices ran custom computer code that Khan had written for Bluetooth development kits, which are sold online for less than $50.

The necessary hardware, in addition to Khan’s custom software, costs around $100 in total and can be easily purchased online. Once the relays are in place, the hack only takes “ten seconds,” Khan said.

“An attacker could drive up to any house at night – if the owner’s phone is at home – with a Bluetooth passive entry car parked outside and use this attack to unlock and start the car,” he said.

“Once the device is in place near the key fob or phone, the attacker can send commands from anywhere in the world,” Khan added.
