A team of security researchers has revealed a flaw in the keyless unlock system used by Tesla, enabling them to unlock a car and drive it away without its key.
The flaw, which was presented to Tesla in advance of being made public and first reported by Wired, allowed the researchers to copy the unique broadcast IDs of the car and its key. They then replicated the signal, spoofing the car into thinking its key was nearby. The vulnerability has since been patched with a software update from Tesla.
The team, from the University of Leuven in Belgium, took advantage of how keyless car fobs work. The car constantly broadcasts a unique signal called its Radio ID; the key fob detects this when it is within range and replies with its own ID, telling the car to unlock. Once the key is inside the car, the vehicle can be started and driven away.
Using around $600 of equipment, including a Raspberry Pi computer, radios and batteries, the researchers demonstrate in a video how they gained access to a Tesla Model S by first standing next to the car to capture its Radio ID. They then walked past the owner and, once within a couple of feet, captured the ID of the key fob in the owner's pocket. This broadcast was then repeated once they were back beside the car, unlocking it and allowing them to drive away.
The researchers first made Tesla aware of the vulnerability in August 2017. Tesla acknowledged the hack and awarded the researchers a $10,000 bug bounty. However, it took almost a year for the vulnerability to be patched.
Tesla says all cars produced from June 2018 onwards have tougher encryption to thwart this kind of attack, and owners of older cars can request a newer, more secure key fob. Tesla also reacted to this discovery by adding a PIN security feature, where drivers can opt to enter a code on the dashboard touch screen before being able to drive — a form of two-factor authentication.
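To make the weakness concrete, here is a small added simulation (not code from the researchers, Tesla or Pektron) of the unlock flow described above and of the two fixes: a car that trusts a fixed fob ID is opened by a recorded reply, while an assumed hardened variant with a single-use challenge rejects the stale recording, and a PIN-to-drive second factor stops an unlocked car from being driven. The HMAC challenge-response, shared key, IDs and nonce length are illustrative assumptions, not Tesla's actual protocol.

```python
import hmac, hashlib, secrets

class Fob:
    """Toy fob: with no nonce it answers every beacon with a fixed ID (the behaviour the
    article describes); with a nonce it answers with an HMAC, an assumed stand-in cipher."""
    def __init__(self, fob_id, key):
        self.fob_id, self.key = fob_id, key
    def respond(self, radio_id, nonce=None):
        if nonce is None:
            return {"fob": self.fob_id}   # static reply: any recording of it is as good as the fob
        tag = hmac.new(self.key, radio_id + nonce, hashlib.sha256).digest()
        return {"fob": self.fob_id, "tag": tag}

class Car:
    def __init__(self, radio_id, fob_id, key, pin=None, hardened=False):
        self.radio_id, self.fob_id, self.key = radio_id, fob_id, key
        self.pin, self.hardened, self.nonce = pin, hardened, None
    def beacon(self):
        """Broadcast the Radio ID; a hardened car adds a fresh single-use challenge."""
        self.nonce = secrets.token_bytes(8) if self.hardened else None
        return self.radio_id, self.nonce
    def try_unlock(self, reply):
        if not self.hardened:
            return reply.get("fob") == self.fob_id   # trusts any copy of the fob ID
        if self.nonce is None:
            return False                             # no outstanding challenge to answer
        expected = hmac.new(self.key, self.radio_id + self.nonce, hashlib.sha256).digest()
        self.nonce = None                            # a challenge is answered at most once
        return reply.get("fob") == self.fob_id and hmac.compare_digest(expected, reply.get("tag", b""))
    def try_drive(self, unlocked, pin_entered=None):
        """PIN-to-drive as a second factor: an unlocked car still needs the code to move."""
        return unlocked and (self.pin is None or pin_entered == self.pin)

KEY = b"constructed-shared-secret"   # constructed sample secret shared by car and fob

def legitimate_unlock(hardened):
    car, fob = Car(b"RADIO-0001", "FOB-0001", KEY, hardened=hardened), Fob("FOB-0001", KEY)
    radio_id, nonce = car.beacon()
    return car.try_unlock(fob.respond(radio_id, nonce))

def replayed_unlock(hardened, pin=None, pin_entered=None):
    """The article's scenario: the beacon is recorded near the car, the fob's reply is
    recorded near the owner, and that recording is played back to the car later."""
    car, fob = Car(b"RADIO-0001", "FOB-0001", KEY, pin, hardened), Fob("FOB-0001", KEY)
    radio_id, nonce = car.beacon()
    recorded = fob.respond(radio_id, nonce)
    car.beacon()                                     # time passes: the car has issued a new challenge
    unlocked = car.try_unlock(recorded)
    return unlocked, car.try_drive(unlocked, pin_entered)
```

The real fob still opens the hardened car because it answers the current challenge; the recording fails because the challenge it answered has already been retired.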
Also counting in Tesla's favor is how its cars have permanent GPS and internet connections, and can be tracked using the owner's smartphone app, helping with the recovery of stolen vehicles.
This was not a flaw with Tesla itself, but with UK-based Pektron, the company which produces the key fob system. Pektron also provides fobs for McLaren sports cars, although the researchers were not able to test their findings on vehicles other than Teslas.
GearBrain has reached out to Pektron for comment and will update this story when we get a reply.
McLaren has since said it is sending affected owners a signal-blocking pouch for their key fob, preventing it from being cloned. However, this means having to remove the fob from its pouch each time you want to unlock the car — which slightly negates the entire convenience of a keyless system.
Researchers believe Triumph motorbikes and cars produced by Karma are also affected by the vulnerable Pektron fobs.
Such hacks are not particularly new in the automotive industry. Volkswagen previously suffered from a similar flaw in its security, while in 2017 thieves in Britain stole a Mercedes in 60 seconds by boosting the signal of the car's key fob (left inside the owner's house but close to the front door) and unlocking the car. This so-called relay crime was caught on camera.
Some vehicles with keyless systems, including those sold by Mercedes, have a feature where a double-press of the key fob disables the keyless system, stopping the key from transmitting the signal captured by thieves. The car is then unlocked with a press of the fob, which re-activates the keyless system.
An alternative would be to keep your key fob away from doors and windows at home, or place it inside a metal box when not in use.