2-bit punks' weak 40-bit crypto didn't help Tesla keyless fobs one bit
Eggheads demo how to clone gizmo, nick flash motor in seconds – flaw now patched
Boffins have sprung the bonnet on the weak crypto used in the keyless entry system in Tesla's Model S car.
Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive away the electric sports car.
Essentially, using some software-defined radio kit, it is possible to extract enough information over the air from a nearby victim's wireless fob to create a copy of it – and use this to steal their flash motor. This is done by fooling the legit fob into thinking it is talking to its car, when really it's talking to a Raspberry Pi 3 B+ connected to transceiver equipment and running special software.
The above link has all the technical details, if you're interested. It takes a couple of seconds to break the cryptography.
The problem was reported to Tesla, and resolved in June when the car maker pushed out a software upgrade: this update strengthened the weak encryption that permitted the attack. Last month Tesla added an optional PIN as an additional defence. Below is a video demo'ing the attack.
In a statement, Tesla confirmed the fix, adding the researchers involved had earned an unspecified bug bounty for their efforts:
Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we've rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles.
None of these options would be possible for any traditional automaker – our ability to update software over the air to improve functionality and security is unique.
Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish.
In addition, we had already been working on several other over-the-air updates to help protect our customers from thefts – last year we introduced an update that allows all customers to turn off passive entry entirely, and this year we introduced PIN to Drive, which allows customers to set a unique PIN that needs to be entered before their vehicle is driven.
Tesla added it plans to add the security researchers to its Hall of Fame.
It was not a key relay attack (PDF), an established way to hack keyless cars, but rather an exploit of DST40, a 40-bit-key technology shown to be weak 13 years ago by a group including (PDF) ace cryptographer Matthew Green.
"I really feel like doing further research is redundant at this point, since my 2005 papers are apparently still good enough to pwn Tesla," Green noted this week.
The research aimed to probe the resilience of Passive Keyless Entry and Start (PKES) systems, which allow drivers to unlock and start their vehicle once a paired key fob is within range – no additional interaction required.
Tesla was used as a proof of concept. However, other automakers rely on keyless entry technology from the same vendor – Pektron – meaning their vehicles potentially could be at risk, too.
"Everybody is making fun of Tesla for using a 40-bit key (and rightly so). But Tesla at least had a mechanism we could report to and fixed the problem once informed. McLaren, Karma, and Triumph use the same system and ignored us," said Tomer Ashur, a member of the research team.
El Reg asked Karma and Triumph Motorcycles to comment on the researcher's criticism. ®
Updated to add
McLaren has been in touch with The Reg to tell us: "Our experts feel the paper is credible and does demonstrate a theoretical vulnerability in our vehicle security systems. As yet, however, the vulnerability as described in the paper has not been proven to affect our vehicles and we know of no McLaren that has been compromised in such a way."