A year ago, Tesla quickly responded to the discovery of a security vulnerability in the Model S key fob that could enable a car thief to clone it in seconds and drive off. A year on, Tesla has released another update in response to a second vulnerability with the same Model S key fob.
A brief history of Tesla Model S hacking
Tesla Model S wireless key fobs use a challenge-response scheme: the car sends the fob a random challenge, the fob encrypts it with a secret key, and the car checks the answer before unlocking and disabling the immobilizer. So far, so good. Unfortunately, the cipher wasn’t as strong as it should have been. A research team at the KU Leuven university in Belgium found that the fobs relied on a cipher with only a 40-bit key (DST40), small enough to brute-force, and devised a method of recovering the key quickly. How fast? How does 1.6 seconds sound? As Wired reported at the time, “The researchers found that once they gained two codes from any given key fob, they could try every possible cryptographic key until they found the one that unlocked the car. They then computed all the possible keys for any combination of code pairs to create a massive, 6-terabyte table of pre-computed keys.”
Using readily available radio hardware, the researchers could first eavesdrop on the car’s identifier and then, from within three feet or so of the victim, impersonate the car: the fob answered their chosen challenges, the two responses were looked up in the pre-computed table, out came the key, and Robert was your Mother’s brother.
Tesla paid the researchers a $10,000 (£8,200) bug bounty reward for disclosing the security flaw and fixed the issue, upgrading the key fob encryption from a 40-bit key to an 80-bit one. It took the best part of a year, mind you: the vulnerability had to be thoroughly verified, and the proposed fix had to be thoroughly tested and integrated into the manufacturing process, all of which takes time. In mitigation, only Tesla Model S vehicles sold before June 2018 were affected, and Tesla had also introduced an optional dashboard PIN code that must be entered before the car will start.
The newest Tesla key fob vulnerability
The same team of researchers, led by Lennert Wouters, found that they could crack the replacement Tesla Model S key fob as well. This new attack method was more limited in range than before and took twice as long to recover the key. However, as the original hack took under two seconds, this isn’t any great relief to Tesla Model S owners. Now you might be thinking that doubling the key length from 40 bits to 80 bits should have made brute force 2^40 times harder, roughly a trillion times. Unfortunately, a configuration error let the researchers attack the 80-bit key as two independent 40-bit halves: each half can be checked on its own, so the work is 2 × 2^40 = 2^41 key trials rather than 2^80. Compared with the original 40-bit fob, that is just twice as hard, not a trillion times harder.
Although Wouters and his team didn’t demonstrate the full attack this time around, and instead showed that the concept was feasible, it was enough for Tesla to take seriously. This time there is no need for new key fob hardware either: because the flaw was a configuration error, the fix is delivered entirely as an over-the-air (OTA) software upgrade.
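The following toy model, which is an added illustration and not the researchers’ or Tesla’s code, shows why splitting a key into independently checkable halves collapses its security. It stands in for both attacks above: the pre-computed response-to-key table of the first attack, and the “two 40-bit keys instead of one 80-bit key” shortcut of the second. The cipher itself is an assumption (SHA-256 used as a pseudo-random function, 8-bit key halves instead of 40-bit ones, and constructed challenge values), chosen so the brute force runs in well under a second; the real DST40/DST80 ciphers and the exact nature of Tesla’s configuration error are not reproduced.

```python
"""Toy challenge-response fob: why two independent 40-bit halves are not an 80-bit key.

Added example, not code from KU Leuven or Tesla. The cipher is a stand-in
(SHA-256 as a PRF) and the key halves are 8 bits so the sweeps finish fast;
only the work-factor argument carries over to the real 40-bit halves.
"""
import hashlib
from itertools import product

HALF_BITS = 8                    # assumption: 8-bit halves instead of 40-bit
HALF_SPACE = 1 << HALF_BITS      # candidates per half (256 here, 2^40 for DST80 halves)
CHALLENGES = (0x1234ABCD, 0xDEADBEEF)   # constructed fixed challenges the attacker sends


def _prf(key: bytes, challenge: int, out_len: int) -> bytes:
    """Toy pseudo-random function standing in for the fob's cipher."""
    return hashlib.sha256(key + challenge.to_bytes(4, "big")).digest()[:out_len]


def respond_joint(k1: int, k2: int, challenge: int) -> bytes:
    """Properly configured: the 4-byte response depends on the whole key."""
    return _prf(bytes([k1, k2]), challenge, 4)


def respond_split(k1: int, k2: int, challenge: int) -> bytes:
    """Misconfigured: each 2-byte half of the response depends on one key half only,
    so an attacker can verify a guess for k1 without knowing k2, and vice versa."""
    return _prf(bytes([k1]), challenge, 2) + _prf(bytes([k2]), challenge, 2)


def build_table(respond):
    """Pre-compute (responses to the fixed challenges) -> key over the whole key space.
    This is the first attack's '6 TB table' idea at toy scale: the cost is paid once,
    after which recovering any fob's key is a single lookup."""
    table = {}
    for k1, k2 in product(range(HALF_SPACE), repeat=2):
        signature = tuple(respond(k1, k2, c) for c in CHALLENGES)
        table[signature] = (k1, k2)
    return table


def lookup(table, responses):
    """Look up a fob's two responses in the pre-computed table."""
    return table.get(tuple(responses))


def recover_joint(pairs):
    """Online brute force of a properly configured key: sweeps all 2^(2*HALF_BITS)
    candidates. Returns (key, trials); the sweep is not cut short so that the trial
    count reflects the full worst-case cost."""
    found, trials = None, 0
    for k1, k2 in product(range(HALF_SPACE), repeat=2):
        trials += 1
        if all(respond_joint(k1, k2, c) == r for c, r in pairs):
            found = (k1, k2)
    return found, trials


def recover_split(pairs):
    """Online brute force of the misconfigured key: each half is checked against its
    own half of the response, so the cost is 2 * 2^HALF_BITS, not 2^(2*HALF_BITS)."""
    halves, trials = [], 0
    for idx in range(2):
        part = slice(2 * idx, 2 * idx + 2)        # bytes of the response this half controls
        match = None
        for k in range(HALF_SPACE):
            trials += 1
            if all(_prf(bytes([k]), c, 2) == r[part] for c, r in pairs):
                match = k
        halves.append(match)
    return tuple(halves), trials


if __name__ == "__main__":
    k1, k2 = 0xA7, 0x3C                            # the victim fob's secret key (constructed)
    split_pairs = [(c, respond_split(k1, k2, c)) for c in CHALLENGES]
    joint_pairs = [(c, respond_joint(k1, k2, c)) for c in CHALLENGES]
    print("split  :", recover_split(split_pairs))  # ((0xA7, 0x3C), 512)
    print("joint  :", recover_joint(joint_pairs))  # ((0xA7, 0x3C), 65536)
    table = build_table(respond_joint)
    print("table  :", lookup(table, [r for _, r in joint_pairs]))
```

With 8-bit halves the split attack needs 512 trials against 65,536 for the joint key; with the fobs’ 40-bit halves the same ratio is 2^41 against 2^80, which is why the misconfigured 80-bit fob was only about twice as hard to break as the original 40-bit one. Note that the attacker in `recover_split` must know that the response halves are independent, which is exactly the kind of structural detail a careful validation of the fix should have caught.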
The Tesla response
A Tesla spokesperson told Wired that “While nothing can prevent against all vehicle thefts, Tesla has deployed several security enhancements, such as PIN to Drive, that makes them much less likely to occur. We’ve begun to release an over-the-air software update (part of 2019.32) that addresses this researcher’s findings and allows certain Model S owners to update their key fobs inside their car in less than two minutes.”
Tesla believes that other vehicle manufacturers have no comparable way of getting security fixes to existing owners, and describes its ability to roll out over-the-air security updates, to the car and to the fob, as unique. Indeed, anything that helps differentiate a manufacturer in the increasingly crowded electric vehicle market has to be good for business, and if it’s good for vehicle security as well then it’s a win-win.
Does the car hacking expert agree?
Ken Munro is the founder of, and a consultant at, Pen Test Partners. This is a security company with a long and highly-regarded history of exposing vulnerabilities in the automobile sector.
“The failed fix was a bit of a facepalm moment for Tesla,” Munro says, “perhaps a lesson not to try to fix a vulnerability too fast without sufficient validation.” Not that Munro thinks we should overlook the ability of Tesla to push those OTA updates not only to the car but also to the fob. “That is an achievement,” Munro says, “and a major bonus for security.”
Indeed, Munro suggests comparing this with the significant problems VAG had when fixing the Megamos transponder key security problems a few years ago. “It took nearly two years to get all affected vehicles into their dealer network for updates to be applied,” he says.
“Tesla does all the right things,” Munro says, “it innovates, encourages and assists researchers and can fix issues fast; helping us in the past when we accidentally bricked our own car during research.” He also acknowledges that there is a fine line between the “leading edge of innovation and the bleeding edge when security doesn’t quite keep up.”
Munro also says that most manufacturers are making “significant progress with security,” particularly where the electric vehicle market is concerned. “Manufacturers are starting to offer functionality on-demand,” he says, such as the concept of paying to unlock launch control for a weekend of fast driving fun. “This adds interesting layers of complexity and payments where security is essential,” Munro concludes.