Belgian researchers hack Tesla’s improved Model S key for second time
Researchers at the Belgian university KU Leuven have once again broken the cryptography of the Tesla Model S electronic key fob, even after Tesla fixed the first flaw the team found last year. The attack was harder to carry out this time, but once the key is recovered, stealing the car still takes only a matter of seconds.
The team had already reported its findings to Tesla in April, but the story only surfaced last Tuesday, in a talk at the Cryptographic Hardware and Embedded Systems (CHES) conference in Atlanta (US), the American tech magazine Wired writes.
In September last year, the COSIC cryptographic research group of KU Leuven disclosed that Tesla relied on outdated and insecure cryptography to lock and unlock its cars automatically.
The Passive Keyless Entry and Start (PKES) system Tesla used authenticated the key fob with the DST40 cipher, which had already been publicly broken back in 2005. In this particular case, the attacker did not even need to be near the car and the key at the same time, and cloning the key was relatively easy.
Signal every second
“First we moved our antenna around the car,” Lennert Wouters, who led the study, said at the time. “The Tesla Model S emits a signal every second to check if the key is in the vicinity of the car. We captured that signal and approached the person who had the key in his pocket. There we registered the ‘answer’, and by combining them, we could easily crack the cryptographic security.”
PIN to Drive
Just weeks before the Belgian researchers revealed their findings, Tesla had introduced an extra security layer, ‘PIN to Drive’, which lets the owner require a PIN code to start the vehicle.
That makes driving off with the car harder for a thief. But to fix the flaw in the electronic key fob itself, Tesla had to push a software update, and Model S owners had to get a new key fob as well.
At the conference on Tuesday, Wouters explained that the vulnerability in the new key fob, made for Tesla by supplier Pektron, is a ‘configuration bug’ that drastically cuts the time needed to recover the cryptographic key.
Although the new fob's cipher uses an 80-bit key instead of the previous 40-bit one, the configuration bug, according to Wouters, hands attackers a shortcut: the 80-bit key can be recovered as two independent 40-bit halves, so finding the right key is only twice as hard as before, rather than the 2^40 times harder a proper 80-bit key would be.
In the first hack, the actual ‘attack’ required weeks of precomputing a lookup table covering all 2^40 (roughly 1.1 trillion) possible keys, so that a captured fob response could be matched to the key that produced it. The new fob requires two such tables and twice the precomputation time, but that is only a matter of resources.
Three or four seconds
In the second, ‘updated’ hack, once the tables have been computed, the attack itself takes only three or four seconds, the researchers say.
Because Pektron used a lower radio frequency in the upgraded key fob, an attacker has to get much closer to the victim's key fob, within centimetres, to capture the signal. But there are always ways to extend the range with bigger antennas and more amplification, Wouters says.
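The following toy model, added here as an illustration and not COSIC's code or the actual DST40/DST80 cipher, shows why two tables and twice the work suffice when an 80-bit key is used as two independently checkable 40-bit halves. The keyed function is a truncated SHA-256 standing in for the fob's challenge-response function, the half-key size is scaled down from 40 to 16 bits so the tables build in well under a second, and the challenge value, the victim key and the `L`/`H` domain tags are all constructed for the example.

```python
"""Toy model of the precomputed-table attack on a split key.

Added illustration, not COSIC's code and not the DST40/DST80 cipher: the keyed
function is a truncated SHA-256, chosen only so that a response cannot be
inverted other than by precomputing a table. HALF_BITS is scaled down from the
fob's 40 bits to 16 so both tables build in well under a second. The 'split
key' fob models the configuration bug the article describes: an 80-bit key
whose two 40-bit halves can each be checked on their own.
"""
import hashlib

HALF_BITS = 16                      # 40 in the real fob
HALF_MASK = (1 << HALF_BITS) - 1
FULL_BITS = 2 * HALF_BITS           # 80 in the real fob
RESP_LEN = 8                        # bytes of response per half (hypothetical)

# The attacker impersonates the car and always sends this one fixed challenge,
# so a single table per key half serves every fob. Constructed value.
CHOSEN_CHALLENGE = bytes.fromhex("00c0ffee")


def toy_response(key: int, key_bits: int, challenge: bytes) -> bytes:
    """Stand-in for the fob's keyed challenge-response function."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hashlib.sha256(key_bytes + challenge).digest()[:RESP_LEN]


def split_key_fob(key: int, challenge: bytes) -> bytes:
    """Misconfigured fob: the FULL_BITS key is used as two independent halves,
    each producing its own verifiable response (domain-separated by a tag byte)."""
    lo = key & HALF_MASK
    hi = (key >> HALF_BITS) & HALF_MASK
    return (toy_response(lo, HALF_BITS, b"L" + challenge)
            + toy_response(hi, HALF_BITS, b"H" + challenge))


def full_key_fob(key: int, challenge: bytes) -> bytes:
    """Correctly configured fob: the whole FULL_BITS key enters one computation,
    so no part of the response can be matched against a half-size table."""
    return toy_response(key, FULL_BITS, challenge)


def build_half_table(tag: bytes) -> dict:
    """Offline precomputation: response -> half-key for every HALF_BITS key.
    This is the step that took the researchers weeks for 2**40 entries."""
    return {toy_response(k, HALF_BITS, tag + CHOSEN_CHALLENGE): k
            for k in range(1 << HALF_BITS)}


def recover_split_key(table_lo: dict, table_hi: dict, response: bytes):
    """Online phase: one lookup per half, i.e. seconds once the tables exist."""
    lo = table_lo.get(response[:RESP_LEN])
    hi = table_hi.get(response[RESP_LEN:])
    if lo is None or hi is None:
        return None
    return (hi << HALF_BITS) | lo


def table_work(half_bits: int, split: bool) -> int:
    """Table entries needed: 2 * 2**n for a split key, 2**(2n) for a proper one."""
    return 2 * (1 << half_bits) if split else 1 << (2 * half_bits)


def demo(victim_key: int = 0xBEEF_C0DE) -> dict:
    """Run the whole attack against a constructed victim key."""
    table_lo = build_half_table(b"L")
    table_hi = build_half_table(b"H")
    captured = split_key_fob(victim_key, CHOSEN_CHALLENGE)   # fob's reply to our challenge
    recovered = recover_split_key(table_lo, table_hi, captured)
    fresh = b"\x07" * 4                                       # a later, unrelated challenge
    return {
        "victim_key": victim_key,
        "recovered_key": recovered,
        "cloned_fob_works": recovered is not None
            and split_key_fob(recovered, fresh) == split_key_fob(victim_key, fresh),
        # A properly keyed response finds nothing in a half-key table.
        "full_key_lookup_fails":
            table_lo.get(full_key_fob(victim_key, CHOSEN_CHALLENGE)[:RESP_LEN]) is None,
        "toy_work_split": table_work(HALF_BITS, True),
        "toy_work_full": table_work(HALF_BITS, False),
        "real_work_split": table_work(40, True),
        "real_work_full": table_work(40, False),
    }


if __name__ == "__main__":
    r = demo()
    print(f"recovered {r['recovered_key']:#x}, clone valid: {r['cloned_fob_works']}")
    print(f"entries needed, split 80-bit key: 2*2**40 = {r['real_work_split']:,}")
    print(f"entries needed, proper 80-bit key: 2**80 = {r['real_work_full']:.3e}")
```

The point the numbers make: for the scaled-down toy, a split 32-bit key costs two tables of 65,536 entries instead of one of about 4.3 billion; at the real sizes, two tables of 2^40 entries instead of a single table of 2^80, which is why the bug turns an infeasible precomputation into "twice the time".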
No evidence of thefts
This time the researchers did not need to compute the tables and demonstrate the attack to convince Tesla. Although Tesla says it has no evidence the technique was ever actually used to steal a Model S, the company released an over-the-air update that fixes the flaw the researchers found.
Tesla granted the Belgian researchers a ‘bug bounty’ of $5,000 on top of the $10,000 they received the first time. Next time won't be so easy, Wouters admits. “I do think the way Tesla fixed it this time is pretty cool,” Wouters said at the conference, according to Wired. “That’s something that I don’t think any other car manufacturer has ever done before, or at least not publicly.”