Keyless entry system vulnerability discovered that lets a Tesla Model S be stolen in just a few seconds



The COSIC (Computer Security and Industrial Cryptography) research team at the Catholic University of Leuven (KU Leuven) in Belgium has discovered a way to hack the Tesla Model S keyless entry system in a matter of seconds.

Onderzoekers kraken contactloze sleutel van Tesla - KU Leuven Nieuws
https://nieuws.kuleuven.be/nl/2018/onderzoekers-kraken-contactloze-sleutel-van-tesla/view



Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob | WIRED
https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob

You can see how the attack actually works in the following video.

COSIC researchers hack Tesla Model S key fob - YouTube


A Model S arrives at a charging station.



When the driver starts charging the car ......



he steps away from the car.



Seizing that opening, a man with suspicious equipment appears. The equipment consists of a "YARD Stick One" and a "PROXMARK", which transmit and receive radio signals, and a Raspberry Pi single-board computer. It costs about 600 dollars (about 67,000 yen) to build.



The research team found that the Model S keyless entry system is made by Pektron, that 40-bit encryption is used to encrypt the key fob codes, and that the encryption key can be searched for once two codes have been obtained from the key fob. They therefore built a 6 TB table covering the code combinations. The man who approached the car first obtains the wireless ID unique to the car.



He then quietly approaches the driver, communicates twice with the key fob using the ID obtained earlier, and gets the codes.



While he walks back to the car, the search for the encryption key is run against the table.



Once the encryption key is found, all that remains is to transmit the radio signal that unlocks the car.



Without touching the key fob itself, the man succeeds in unlocking the Model S.



He starts the engine ......



and gets away.
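
The table search described above, as an added example (not from the article or the researchers): a scaled-down Python sketch of why a short key plus a precomputable challenge lets the fob key be recovered from two codes. The 16-bit key, 12-bit response, truncated SHA-256 stand-in cipher, constants and function names are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

KEY_BITS = 16              # scaled down from the article's 40 bits so it runs quickly
RESP_BITS = 12             # assumption: a response is shorter than the key
FIXED_CHALLENGE = 0x1234   # constructed value, fixed before the table is built


def toy_response(key: int, challenge: int) -> int:
    """Stand-in keyed function (truncated SHA-256), NOT the key fob's real cipher."""
    data = key.to_bytes(8, "big") + challenge.to_bytes(8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - RESP_BITS)


def build_table(challenge: int = FIXED_CHALLENGE) -> dict:
    """One-time precomputation: bucket every possible key by its response."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[toy_response(key, challenge)].append(key)
    return table


def candidates_after_one(table: dict, resp1: int) -> list:
    """Keys consistent with the first observed code: still many."""
    return table.get(resp1, [])


def candidates_after_two(table: dict, resp1: int, challenge2: int, resp2: int) -> list:
    """The second code filters the bucket down to (almost always) one key."""
    return [k for k in table.get(resp1, []) if toy_response(k, challenge2) == resp2]


def table_bytes(key_bits: int) -> int:
    """Bytes needed if every key is stored once (assumed table layout)."""
    return (1 << key_bits) * ((key_bits + 7) // 8)


if __name__ == "__main__":
    secret = 0xBEEF                      # constructed fob key
    table = build_table()
    r1 = toy_response(secret, FIXED_CHALLENGE)
    r2 = toy_response(secret, 0x5678)    # second, different challenge
    print(len(candidates_after_one(table, r1)), "candidates after one code")
    print(candidates_after_two(table, r1, 0x5678, r2), "after two codes")
    for bits in (40, 128):
        print(bits, "bit key ->", table_bytes(bits) / 1e12, "TB")
```

At 40 bits, `table_bytes` gives about 5.5 TB, in line with the 6 TB table the article mentions; at 128 bits the same table is far beyond any storage, so a longer key removes this attack.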



The research team reported this vulnerability to Tesla, and Tesla paid 10,000 dollars (about 1.1 million yen) as a bug bounty.

The same keyless entry system is said to be used by McLaren, Fisker Karma and Triumph as well, but the research team could not obtain test vehicles, so it could not confirm whether they have the same vulnerability as the Model S.

If you use a keyless entry system of this type, keeping the key fob in a metal box makes it difficult to steal the codes.

in Ride, Video, Security. Posted by logc_nt