Tesla Hack: Model S Key Fobs Could Be Cloned in Seconds to Steal Cars

Tesla's Model S is vulnerable to a key fob hack attack that could be used by tech-savvy car thieves to steal vehicles, security experts warned.

Flaws in the Passive Keyless Entry and Start system linked to the high-end electric car could be abused to unlock and start vehicles, according to research from the Computer Security and Industrial Cryptography (COSIC), a division of Belgium's Catholic University of Leuven.

"We implemented a proof of concept attack that allows [users] to clone a key fob in a few seconds," experts said in a Monday report. "The attacker device consists of a Raspberry Pi 3 Model B+, Proxmark3, Yard Stick One and a USB battery pack." Wired, which first reported news of the vulnerability, said the technology needed to clone a key fob costs approximately $600.

In a video uploaded to YouTube, the researchers can be seen completing the cloning in four stages: They retrieve the car identifier, the frequency activity within proximity of the fob and the cryptographic key, and impersonate the key fob. The entire process takes less than two minutes.

The attack likely affects other manufacturers, including McLaren, Karma and Triumph, but researchers said the companies had not responded to its reporting of the issues. The fob system was bought from a company called Pektron and is not Tesla's own design, they noted.

For disclosing the attack, Tesla paid a $10,000 bug bounty to the university team. The carmaker last month confirmed new security updates, including "improved cryptography" for its fobs.

"Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018," a spokesperson told Wired this week. "A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish."

Is There a fix?

According to COSIC, there are a number of short-term fixes Tesla customers can take. These include using a Faraday bag to block RF transmissions and modifying the fob by "adding an extra push button, which only enables the low-frequency communication when pressed."

Electrek, a blog dedicated to the electric transportation industry, reported in July that Tesla had warned Model S owners about "relay attacks," the same type of attack COSIC used.

"You can decrease the likelihood of unauthorized entry by disabling Passive Entry when parked in public spaces or storing your key in a holder, which blocks electromagnetic transmissions, such as an RFID-blocking sleeve or Faraday cage," the company said at the time.

The news came after two owners in Germany reported their cars stolen by thieves who had potentially cloned key fobs. In-built GPS tracking may ultimately deter criminals, Electrek noted.

Tesla Model S vehicles have a feature that lets users track them using their smartphones.

While the research team said it would soon present a detailed technical rundown of the findings, any budding carjackers should not hold out hope it will give them usable insights. "We won't be releasing all tools required to go out and steal the affected vehicles," the report read. "At a later stage we will release parts of the tools that can help other researchers."

Last year, British police released footage of an alleged relay attack taking place, showing thieves silently stealing a vehicle without needing the real key fob. Additionally, research from 2016 warned that "millions of vehicles worldwide" were insecure due to keyless entry attacks.