A team of researchers discovered a way to hack a Tesla key fob remotely. To execute, the hack takes less than two seconds.
According to Wired, the team, from KU Leuven University in Belgium, will present a paper at the Cryptographic Hardware and Embedded Systems conference in Amsterdam on Monday that outlines how it broke encryption in Tesla's Model S wireless key fobs.
In theory, one could perform this hack on any car with a wireless key fob, as most fob entry systems work the same way: When the unlock button is pressed, the fob sends an encrypted code to unlock the doors and enable the car to start.
Tesla uses a keyless entry system made by a company called Pektron, which used a relatively weak encryption for the locks. The researchers made a six-terabyte table of possible code combinations, which has roughly 2^16 possible keys.
Aside from the table, all a would-be carjacker would need is a Yard Stick One radio, a Proxmark radio, and a Raspberry Pi mini-computer, which costs about $600 total.
The researchers reported the vulnerability to Tesla in 2017, and the company paid them a $10,000 bounty, but the company didn’t fix it until June 2018.
Tesla defended itself to Wired with this statement:
"Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles. Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish.”
Tesla warned of cryptography-based theft risks in July, and advised customers to disable “passive entry” features. It also added a PIN to its anti-theft system last month, which would mitigate the risk of having someone hack your fob, but customers have to enable the optional feature first.