The vulnerabilities exploited in the attack were reported to Tesla in mid-August and the electric car maker recently fixed them with a wireless update (version 2020.48) that is currently rolling out to vehicles.
The attack method identified by COSIC researchers targets the Tesla Model X key fob, which uses Bluetooth Low Energy (BLE) to communicate with the vehicle. They found that the BLE interface allows the software running on the key fob's Bluetooth chip to be updated remotely, but that this update mechanism was not properly protected.
The researchers used a modified Model X electronic control unit (ECU) to force the victim's key fob to advertise itself as a connectable Bluetooth device. They then abused the update mechanism to push a malicious firmware update to the key fob, which allowed them to retrieve the data needed to unlock the car at any time.
Once the car was unlocked, they could connect to its diagnostic interface as a service technician and pair a modified key fob with the vehicle. This gave the researchers permanent access to the Model X and allowed them to drive away.
The researchers said the attack took only a few minutes and required roughly $200 worth of equipment, including the ECU, a Raspberry Pi, a CAN shield, a battery, and a key fob.
A video has been posted to show how the attack works:
This wasn't the first time the COSIC research group targeted a Tesla. In 2018, they showed how a Model S key fob could be cloned in seconds. In 2019, they demonstrated another way to clone the Model S key fob, and said they believed that method affected other luxury vehicles as well.