New cryptographic vulnerability in Tesla Model S key fob’s encryption allows hackers to clone the key and steal the car without touching the owners key.
Lennert Wouters, a security researcher from Belgian university KU Leuven and, his team revealed a new technique to bypass the Model S key fob’s encryption in Cryptographic Hardware and Embedded Systems conference in Atlanta.
A year ago, the Same researcher found the critical vulnerabilities in Telsa car let hackers break the Model S’s keyless entry system to unlock the car.
Soon after Tesla fixed the flaw and created a new version of its key fob but now the spotted another flaw that affected the new key fob.
Compare to the previous one, the new attack is more limited in its radio range and also take a few more seconds to break the system than the previous one.
Cracking the Encryption Keys
According to Wouters, “The vulnerability resides in the Key fob that manufactured by a firm called Pektron, comes down to a configuration bug that vastly reduces the time necessary to crack its encryption”
In the previous version, the 40-bit encryption key was to used that can be easily cracked by hackers to gain the key access. later, Tesla and Pektron’s upgrade the key strength to 80 bit which is extremely hard to crack.
But the new open the door for hackers to break the 80-bit encryption key by split into two 40 bit key.
According to Wired report, “That shortcut makes finding the key only twice as hard as before. “The new key fob is better than the first one, but with twice the resources, we could still make a copy, basically,”
To execute the attack, Proxmark and Yard Stick One radios and a Raspberry Pi minicomputer can be used to capture the radio signal from a parked Tesla and eventually used to spoof the car communication with the owner’s key fob.
Researcher demonstrates the attack by recording and breaking the encryption on the key fob’s response to derive the fob’s cryptographic key in less than two seconds to unlock the car.
High-end vehicles are often equipped with a Passive Keyless Entry and Start (PKES) system. These PKES systems allow to unlock and start the vehicle based on the physical proximity of a paired key fob; no user interaction is required.
In this type of attack two adversaries relay the short-range communication over a long-range communication channel. Recent news reports and home security videos have shown that relay attacks are frequently used to steal luxury vehicles. Distance bounding mechanisms are gradually being deployed to preclude relay attacks.
The goal of our research was to evaluate the resistance of a modern-day PKES system to attacks other than relay attacks. We have completely reverse engineered the PKES system used in the Tesla Model S. Our research shows that this system is using the outdated proprietary DST40 cipher.
The Passive Keyless Entry and Start (PKES) system as introduced earlier allows to both unlock and start the car if the key fob is in proximity.
According to the Tesla spokesperson,’ “there is no evidence that the key-cloning technique has been used in any thefts. “While nothing can prevent against all vehicle thefts, Tesla has deployed several security enhancements, such as PIN to Drive, that makes them much less likely to occur,”
Tesla implemented the same fix to key fobs for all new Model S vehicles last month, so anyone who bought a Model S since then doesn’t need to update. Other vehicles like the Model X and Model 3 aren’t affected, Wouters said.
This time Tesla pushing out an over-the-air update to the key fobs via cars’ internet connections instead of replacing hardware.
Lennert Wouters disclosed it in April of this year and Tesla rewarded him $5,000 under bug bounty for reporting this vulnerability.