Security Week 49: Hacking Tesla via Bluetooth

Researcher Lennert Wouters of the Catholic University of Leuven found a beautiful way to steal Tesla Model X by rewriting the firmware of the proprietary key to the car. The photo below shows a jailbreak device consisting of a battery, a Raspberry Pi computer, and a Tesla on-board computer purchased during disassembly. The cost of the kit is about $ 300. For a successful attack (rather non-trivial), you will have to approach the car owner with the key in his pocket, and also rewrite the VIN in advance.

According to the researcher, the problem lies in the incorrect implementation of a sufficiently secure communication protocol between the key fob and the Model X on-board computer. First of all, the key firmware can be updated via Bluetooth, and the validity of the code is not checked in any way. True, the firmware update mode itself is non-standard, and to activate it, Wyters just needed a replacement Tesla on-board module.

Usually, the Bluetooth module is activated in the Tesla dongle only after changing the battery. Wyters discovered that wireless can also be turned on from the car – the Body Control Module is responsible for that. This was found on eBay: there they are sold for $ 50-100. The next implementation error is a communication protocol in which the signal from the Body Control Module is authenticated by a code based on the last five digits of the VIN number. But you can just spy it: like almost all cars, it is visible under the windshield.

The next step: after connecting to the keychain, you need to rewrite its firmware. It, in turn, allows you to extract the secret key from the hardware store. This key allows the attacker to open the vehicle. But that’s all. Start the car and drive away. To do this, while in the car, you need to connect to the CAN bus and force the built-in Body Control Module to register the intruder’s key fob as trusted.

The result is a very beautiful and rather complex attack, a dramatic version of which is shown in the video above. Wyuters notes that the vulnerabilities of Tesla keys are not much different from those in cars from other manufacturers, it’s just that Elon Musk’s electric cars are more interesting to hack.

The scenario described is far from a nightmare for the manufacturer of a permanently connected car – a complete compromise of security systems remotely. Here and the owner will have to follow, and dig deeper in the car before theft. But the same Tesla computerization, and specifically the ability to update the key firmware over the air, was beneficial when fixing bugs. In a similar situation, another owner would have to get to the service to reflash the keychain. Here the vulnerability was closed simply: the update flew into the car by air, and the key fobs were automatically stitched from it.

What else happened:

On Wednesday there was a serious glitch in the cloud infrastructure of Amazon Web Services. The US-EAST-1 cluster was unavailable for several hours, resulting in numerous disruptions to network services, including IoT devices such as Roomba vacuums and Amazon Ring smart bells. In the detailed description of the incident is revealed reason: the OS limits on the number of threads of execution were accidentally exceeded. The affected servers had to be rebooted manually.

Critical vulnerability (news, bulletin) in a number of corporate VMware products have not yet been patched, but shared a temporary solution that would prevent an attacker from executing commands remotely.

Another critical vulnerability in the mobile device management system MobileIron is actively exploit intruders.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *