Today in "it's not a car company, it's a technology company" news, researchers have again hacked and exploited a security flaw in Tesla's Model S key fob.
It was about one year ago when researchers unveiled a serious flaw in the security of Tesla's vehicles, relating to the Model S keyless entry system, according to Wired. With little more than standard radio equipment, hackers were able to defeat the car's encryption and wirelessly clone the sedan's key fob in seconds, allowing them to unlock the car and drive away without ever touching the owner's key.
In response to this report, Tesla created a "new" version of its key fob that supposedly patched the underlying flaw. But now, predictably, the same researchers are back and say that they have found yet another vulnerability that even affects the replacement key fobs.
Researcher Lennert Wouters of Belgian university KU Leuven revealed in a talk at the Cryptographic Hardware and Embedded Systems conference in Atlanta recently that his team had found a technique capable of breaking the Model S's key fob encryption yet again. This flaw - again - allowed them to clone the keys and steal the vehicle.
Wouters noted that the new attack is more limited in its radio range than the previous one was, and that it takes a little bit longer to perform. He also noted that researchers haven’t carried out the full attack demonstration as they did last year, but they have proven that it’s possible.
The researchers' analysis was convincing enough that Tesla acknowledged the possibility of it being exploited and was forced to roll out yet another fix that will be pushed over the air to Tesla owners. The good news is that the new flaw can be blocked with a security software update instead of a hardware replacement. The previous vulnerability required installing a security update, but also buying a new key fob.
Tesla responded to the hack by stating:
"While nothing can prevent against all vehicle thefts, Tesla has deployed several security enhancements, such as PIN to Drive, that makes them much less likely to occur. We’ve begun to release an over-the-air software update (part of 2019.32) that addresses this researcher’s findings and allows certain Model S owners to update their key fobs inside their car in less than two minutes. We believe that neither of these options would be possible for any other automaker to release to existing owners, given our unique ability to roll out over-the-air updates that improve the functionality and security of our cars and key fobs."
The key fob is manufactured by a company called Pektron. Wouters notes that the vulnerability relates to a configuration bug that reduces the time necessary to crack the fob's encryption. Despite Tesla and Pektron's upgrade from 40-bit encryption to 80-bit encryption, the bug still allows hackers to reduce the problem to cracking two 40-bit keys instead of one 80-bit key. The shortcut makes cracking the key fob only twice as hard as before, instead of the "trillion times harder" it should have been with the update.
"I do think the way Tesla fixed it this time is pretty cool. That's something that I don't think any other car manufacturer has ever done before, or at least not publicly."
Video of the original hack can be seen here:
When the initial vulnerability came to light a year ago, Tesla stated that the car's GPS tracking feature could help stop thieves. But that feature has not since stopped multiple Tesla thefts that used keyless entry hacks and were documented on surveillance video.
As we pointed out in both a non-Tesla-specific report and a Tesla-specific report weeks ago, these types of hacks are the new reality for an automotive industry where wireless entry has become the standard.