Another keyless vehicle hack: Key fobs to the inverse rescue
Vehicles are synonymous with US culture. They are everywhere: in commercials, print ads, radio, and in the sheer number of vehicles on the road. As the technology built into them and their autonomy continue to grow, they become a bigger target for both attack and research, which is why vehicle and embedded-systems cybersecurity is a growing field. One relevant, significant attack earns the researchers their 15 minutes of fame, and hopefully a bug bounty for their efforts.
Recently another vulnerability was found in a Tesla vehicle. The researchers were students at the University of Leuven in Belgium, working in the university's Computer Security and Industrial Cryptography (COSIC) research group. In particular, the researchers focused on the Passive Keyless Entry and Start (PKES) system used in the Tesla Model S, McLaren vehicles, and others.
PKES is a common feature in vehicles. Although it is present in nearly all vehicles in current production, the two primary vehicles affected are the Tesla and the McLaren, along with any other vehicle using the Pektron PKES system. Two other vehicle manufacturers using this system are Karma and Triumph.
With a simple set of tools, the researchers were able to steal a vehicle within a few seconds. In short, the attack clones the key fob.
As noted, the key fob system is manufactured by Pektron. COSIC analyzed the key fob communication and designed a Time-Memory Trade-Off (TMTO) attack. As this was successful, the researchers were able to gain access to the interior of the vehicle.
With this type of vehicle, the tools required would seemingly be rather expensive and complex. On the contrary, the equipment used for the attack included a Raspberry Pi 3 Model B+, a smartphone hotspot, a Proxmark 3, a Yard Stick One, and a USB battery pack. The smartphone hotspot was needed to access the 6TB drive containing the TMTO table. This equipment is not expensive: the Raspberry Pi 3 Model B+ was $35, the Yard Stick One $100, and the Proxmark 3 RDV4 kit $300. The USB battery pack would vary greatly in price. Thus the researchers spent approximately $435 to access a $77k (starting price) vehicle.
The security issue that allowed this access was an exceptionally weak cipher. A 40-bit cipher was used, due to the fob's limited processing power, and that short key length is what allowed the quick compromise.
The traffic was sniffed between the car's radio transmitter and the fob. This signal is transmitted continuously. Once the researchers had captured two responses, they looked them up in the 6TB table of pre-computed keys. Cracking the key took merely a few seconds.
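To show why the key length, not the capture step, is the weakness, here is an added toy simulation (not the researchers' code, and not the Pektron cipher): a 16-bit key with 8-bit responses stands in for the 40-bit system, a truncated SHA-256 plays the fob's cipher, and the lookup table is built for one fixed challenge. It shows how one captured response narrows the key space to roughly 2^(key bits - response bits) candidates and a second pair narrows it to about one, which is why two captures were enough; at 40 bits the same table needs 2^40 entries, in the region of the 6TB drive the article describes, while a modern key length would put it far beyond any storage.

```python
import hashlib
from collections import defaultdict

# Toy parameters: the real fob used a 40-bit key; 16/8 bits keep the table tiny.
KEY_BITS = 16
RESP_BITS = 8
TABLE_CHALLENGE = 0x1234  # constructed: the one challenge the table is built for

def toy_prf(key: int, challenge: int) -> int:
    """Stand-in for the fob's cipher (constructed; not the Pektron cipher):
    truncated SHA-256 of key || challenge, returning a RESP_BITS-bit response."""
    data = key.to_bytes(8, "big") + challenge.to_bytes(4, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") & ((1 << RESP_BITS) - 1)

def build_table(challenge: int) -> dict:
    """Precompute response -> [keys] for one fixed challenge over the whole key
    space: the toy-scale counterpart of the 6TB pre-computed table."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[toy_prf(key, challenge)].append(key)
    return table

def candidate_keys(table: dict, pairs: list) -> list:
    """Narrow the key candidates with captured (challenge, response) pairs.
    The first pair must use the table's challenge; later pairs are filters."""
    (c0, r0), rest = pairs[0], pairs[1:]
    assert c0 == TABLE_CHALLENGE, "table was built for a different challenge"
    cands = list(table.get(r0, []))
    for c, r in rest:
        cands = [k for k in cands if toy_prf(k, c) == r]
    return cands

def expected_candidates(key_bits: int, resp_bits: int, n_pairs: int) -> int:
    """Rough survivor count after n_pairs captures: 2^(key_bits - n*resp_bits)."""
    return 2 ** max(key_bits - n_pairs * resp_bits, 0)

def capture(secret_key: int, challenges: list) -> list:
    """Simulate sniffing the fob's replies to a list of challenges."""
    return [(c, toy_prf(secret_key, c)) for c in challenges]

if __name__ == "__main__":
    secret = 0xBEEF  # constructed fob key, unknown to the lookup side
    table = build_table(TABLE_CHALLENGE)
    pairs = capture(secret, [TABLE_CHALLENGE, 0x5678])
    one = candidate_keys(table, pairs[:1])
    two = candidate_keys(table, pairs)
    print(f"after 1 pair: {len(one)} candidates (expected ~{expected_candidates(16, 8, 1)})")
    print(f"after 2 pairs: {len(two)} candidates -> {[hex(k) for k in two]}")
```

The same arithmetic is the defender's check: every extra key bit doubles the table, so the fix is a longer key (or a PIN gate, as Tesla chose), not hiding the radio traffic.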
Naturally, this is a rather serious issue, as the attack leads to a significant compromise and entry to the vehicle. For Tesla, remediating the issue consisted of a software update that requires the user to enter a PIN before the vehicle can be driven. McLaren, on the other hand, took a physical route and mailed out a pouch to keep the key fob in. This acts as a Faraday pouch, blocking the fob's signal from reaching as far as it otherwise would.
COSIC disclosed the vulnerabilities to Tesla in August 2017, giving the company time to fix the issue. Tesla acknowledged the issue, thanked the researchers, and paid them a $10k bug bounty. To be fair, the researchers also contacted Pektron, the company that manufactures the PKES system, and the other known vehicle manufacturers (McLaren, Karma, and Triumph).
To further the research, the attack was repeated during a live demonstration in April 2018, and the findings were presented at the Cryptographic Hardware and Embedded Systems (CHES) 2018 conference in Amsterdam on September 10th.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.