A Tesla Model X costing 80-90 million can be driven away for only 2000 yuan? This is not a Tesla car-finance offer: researchers at KU Leuven in Belgium have broken through the security of the high-end Model X. For about 2000 yuan they built a DIY car key from a Raspberry Pi computer, opened the door in 90 seconds, and drove the car away within a few minutes.
Keyless entry has become literally "keyless entry". So what went wrong? And what has Tesla said about it?
The first loophole: how to get into the car?
Copying the car key can be done while sitting next to you: as you chat and laugh with your friends, your car key is being copied without your noticing.
This is how the attacker approaches the owner in the demonstration. From a short distance (within 15 meters), the attacker uses a body control module (BCM) bought online to wake up the Bluetooth of the owner's smart key.
In reality a hacker would not walk past you holding a development board, but hiding it in a backpack is no problem.
The attacker first needs to read a string of digits from the windshield of the target car: the last five digits of the vehicle identification number (VIN).
With these digits the attacker can generate a code that lets the pirated BCM prove its identity.
As far as the key is concerned, this is equivalent to "rebuilding" the vehicle's own control system.
Then, with this cloned BCM, the attacker wakes up the nearby car key and carries out the next step of the attack.
The key to this step is rewriting the firmware on the owner's key.
The Model X key fob connects to the computer inside the Model X over Bluetooth and then receives firmware updates wirelessly.
However, there is a major vulnerability: the firmware update for the Model X key is not cryptographically signed, so nothing proves that the update comes from a trusted source.
Normally a signature proves that the update source is official and secure, but the Model X key does not perform this verification step.
So by reading the last five digits from the windshield, a hacker can disguise a Raspberry Pi as a Model X and trick your car key into updating its firmware.
This firmware is custom-built by the hacker; it can query the security chip in the key and generate unlock codes for the vehicle.
Thus the attacker can connect to the target vehicle's key fob over Bluetooth and rewrite its firmware.
Once the firmware has been replaced with the attacker's version, it can be used to query the security chip in the key fob.
With the unlock code in hand, the attacker sends it to the car over Bluetooth and the door opens.
The whole process takes only 90 seconds. It has the flavor of a spy movie.
The second loophole: how to start the car?
"Stealing the car" is only half done.
Starting and driving the Tesla Model X requires some "physical work".
In the previous step, rewriting the key's firmware and defeating the security chip was equivalent to copying a key with the Bluetooth device on the DIY board in order to open the door.
What remains is to make the real vehicle system recognize the fake key and start the vehicle.
First, remove the storage compartment under the screen inside the car. Inside the console there is a physical interface connected directly to the core of the vehicle control system, namely the CAN bus, including the vehicle's own BCM.
Plugging the DIY computer directly into this interface lets it send instructions straight to the vehicle's BCM.
The command sent makes the vehicle's computer pair with the key generated by the hacker, after which the vehicle can be started easily.
What is the problem here? Why does the DIY-generated fake key pair with the vehicle system without any obstacle?
In fact, Tesla's car keys do carry a unique cryptographic certificate to verify their authenticity.
However, the BCM in the car never checks that certificate at any point.
A deft attacker goes from removing the storage compartment to driving the car away in a few minutes.
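The two checks the article says were missing (a signature on the key's firmware update, and the BCM's check of the key's certificate) are both instances of the same rule: verify before trusting. The following is an added illustration, not Tesla's or KU Leuven's code, and it assumes a simple HMAC-SHA256 scheme with demo secrets (a real design would use asymmetric signatures and keep the keys in the secure element). The weak variant of each check sits beside the hardened one so the difference is visible.

```python
import hmac
import hashlib
import struct

# Constructed demo secrets (assumption: in a real design these would live in the
# fob's secure element and in the vehicle's BCM, never in source code).
FOB_UPDATE_KEY = b"demo-fob-update-key-not-real"
BCM_ENROLL_KEY = b"demo-bcm-enrollment-key-not-real"


def _tag(key: bytes, domain: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over a domain label plus payload. The label keeps a tag made
    for one purpose (firmware) from being replayed for another (key enrollment)."""
    return hmac.new(key, domain + b"|" + payload, hashlib.sha256).digest()


# --- Fob side: accepting a firmware update -----------------------------------

def make_signed_update(image: bytes, version: int) -> bytes:
    """Vendor-side signing step: returns the tag the fob must check."""
    header = struct.pack(">I", version)
    return _tag(FOB_UPDATE_KEY, b"fob-firmware", header + image)


def accept_update_unverified(image: bytes) -> bool:
    """The weak behaviour the article describes: any image offered over
    Bluetooth is flashed, so an attacker's image is accepted too."""
    return len(image) > 0


def accept_update_verified(image: bytes, version: int, tag: bytes,
                           installed_version: int) -> bool:
    """Hardened behaviour: flash only if the tag verifies and the version
    moves forward (the version check blocks replaying an old signed image)."""
    header = struct.pack(">I", version)
    expected = _tag(FOB_UPDATE_KEY, b"fob-firmware", header + image)
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return False
    return version > installed_version


# --- BCM side: pairing a key -------------------------------------------------

def issue_key_certificate(key_id: bytes) -> bytes:
    """Manufacturer-side step: bind a key identity to a tag only the BCM can check."""
    return _tag(BCM_ENROLL_KEY, b"key-certificate", key_id)


def enroll_key_unverified(key_id: bytes, certificate: bytes) -> bool:
    """The weak behaviour the article describes: the certificate is never checked."""
    return True


def enroll_key_verified(key_id: bytes, certificate: bytes) -> bool:
    """Hardened behaviour: pair only if the certificate matches this key identity."""
    expected = _tag(BCM_ENROLL_KEY, b"key-certificate", key_id)
    return hmac.compare_digest(expected, certificate)


if __name__ == "__main__":
    tag = make_signed_update(b"official-image-v2", 2)
    print("official image, v1 -> v2:", accept_update_verified(b"official-image-v2", 2, tag, 1))
    print("attacker image, same tag:", accept_update_verified(b"attacker-image", 2, tag, 1))
    cert = issue_key_certificate(b"fob-0001")
    print("genuine fob enrolls:", enroll_key_verified(b"fob-0001", cert))
    print("attacker fob enrolls:", enroll_key_verified(b"attacker-fob", cert))
```

The version check matters as much as the tag: without it, a genuine but old signed image could be pushed to the fob to reintroduce a fixed bug. The domain label in `_tag` is there so that a firmware tag and a key certificate can never be swapped for each other even though both use HMAC.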
This is not the first time
This is not the first time Tesla has been compromised through its wireless key.
Previously, the Tesla Model S was also attacked by researchers over its key.
The earlier Tesla Model S relied on an encrypted key-card code to control the in-car device, trigger unlocking, and disable its anti-theft immobilizer.
In the summer of 2017, the research team from KU Leuven found that the Tesla Model S wireless key card, produced by a manufacturer named Pektron, used only a weak 40-bit cipher for encryption.
The researchers found that once they obtained two codes from any given key card, they could try candidate keys one by one until they found the one that unlocks the car.
After that, they computed the possible combinations and organized them into tables.
With this table and the two codes, the researchers say they can find the right key to "steal" your car in 1.6 seconds.
The researchers told Tesla about the vulnerability in August 2017. Tesla acknowledged their research and paid them a $10000 "reward".
However, it was not until the encryption upgrade and the addition of a PIN code in the second half of 2018 that this encryption risk was resolved.
What did Tesla say?
Researchers from KU Leuven informed Tesla of the security issue on August 17 this year, and Tesla started repairing the vulnerability after confirming it.
Starting this week, Tesla will push an update that fixes the vulnerabilities.
The measures cover two aspects: first, source verification by the car key itself for firmware updates.
Second, fixing the BCM's missing check of the key's security certificate.
These updates will cover all affected models within a month.
The researchers who discovered the vulnerability said Tesla's keyless entry technology is no different from that of other cars.
Both use low-frequency radio (NFC) to send and receive unlock codes to unlock the vehicle.
What is unique to Tesla is the Bluetooth design that lets the key's firmware accept OTA updates.
The vulnerability in the OTA update path lets hackers easily rewrite the firmware and so gain access to the underlying security chip and generate the matching unlock code.
At the start-up stage there is also no effective verification of the identity of the radio-frequency signal source.
At the same time, Tesla is too casual about the physical interface to the vehicle control module.
So, is there no risk without the Bluetooth OTA link in keyless entry?
Tesla's security team has previously said that there is almost no solution to the NFC relay attack.
A simple and crude method is to amplify the car key's NFC signal over a certain range to unlock and start the vehicle.
As a result, not only Tesla but every vehicle with NFC keyless entry technology is at risk.
In the future, can keyless entry be used safely?
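To see why the relay attack is so hard to defend against, it helps to simulate what the car actually observes. The following is an added example, not code from Tesla or the researchers; it assumes a plain challenge-response between car and key with a demo shared secret, and the round-trip times are constructed values, not measurements. The point it demonstrates is that a relayed exchange passes every cryptographic check, because the genuine key really did compute the answer; only the added delay gives it away.

```python
import hashlib
import hmac
import os

# Constructed demo secret shared by the car and its key (assumption, not a real value).
SHARED_KEY = b"demo-shared-key-not-real"

# Assumed timing budget: a genuine fob next to the car answers well inside this
# bound; a relayed exchange adds the forwarding hops' latency on top.
RTT_LIMIT_S = 0.002


def fob_respond(challenge: bytes) -> bytes:
    """The key's side of challenge-response: prove knowledge of the shared key."""
    return hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()[:8]


def response_is_valid(challenge: bytes, response: bytes) -> bool:
    """Car side: recompute the expected answer and compare in constant time."""
    return hmac.compare_digest(fob_respond(challenge), response)


# Simulated radio channels. Each returns (response, round-trip seconds).
# The round-trip values are constructed for the demo, not measurements.
def direct_channel(challenge: bytes):
    return fob_respond(challenge), 0.0008          # fob genuinely nearby


def relayed_channel(challenge: bytes):
    # A relay forwards the challenge to the far-away fob and brings the answer back.
    # The fob's cryptographic reply is perfectly genuine; only the delay differs.
    return fob_respond(challenge), 0.0120


def forged_channel(challenge: bytes):
    return os.urandom(8), 0.0008                   # nearby device that lacks the key


def unlock_decision(channel, rtt_limit: float = RTT_LIMIT_S):
    """Car side: send a fresh challenge, verify the answer, and also require a
    short round trip. Returns (crypto_ok, timing_ok, unlock)."""
    challenge = os.urandom(16)
    response, rtt = channel(challenge)
    crypto_ok = response_is_valid(challenge, response)
    timing_ok = rtt <= rtt_limit
    return crypto_ok, timing_ok, crypto_ok and timing_ok


if __name__ == "__main__":
    for name, ch in [("direct", direct_channel),
                     ("relayed", relayed_channel),
                     ("forged", forged_channel)]:
        print(name, unlock_decision(ch))
```

The timing bound is the only thing that separates the relayed case from the direct one, and that is exactly why the problem is so hard in practice: radio covers a kilometer in roughly 3.3 microseconds, so a bound tight enough to prove the key is within a few meters has to be measured at nanosecond precision in the radio hardware itself, which ordinary NFC and Bluetooth stacks, with their millisecond-scale jitter, cannot provide. A loose bound like the one assumed here catches a slow relay but not a fast one, which is consistent with Tesla's statement that there is almost no solution.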