Expert Comments

Expert Insight On The Bluetooth Attack To Steal A Tesla Model X In Minutes

Expert(s):
Expert(s):

It has been reported that Lennert Wouters, a security researcher at Belgian university KU Leuven, revealed a collection of security vulnerabilities in keyless entry for Tesla Model X which can be exploited to steal the car.

Experts Comments

Dot Your Expert Comments
David Barzilai
November 25, 2020
Co-founder and Executive Chairman
Karamba Security

Karamba’s position is that the Tesla hack shows yet again the need of securing keyless entry systems.
According to new research from insurer LV= shows that in 2016- 2019, insurance claims for car theft have jumped by 20%, with keyless car theft accounting for a large proportion of the claims. These figures from LV= show that luxury car makes such as Audi, BMW, Jaguar, Land Rover, Lexus, Mercedes, Porsche and Tesla are increasingly affected by keyless theft, accounting for almost half (48%) of all ‘theft of’ vehicle claims. Karamba’s position is that the Tesla hack shows yet again the.....Read More
According to new research from insurer LV= shows that in 2016- 2019, insurance claims for car theft have jumped by 20%, with keyless car theft accounting for a large proportion of the claims. These figures from LV= show that luxury car makes such as Audi, BMW, Jaguar, Land Rover, Lexus, Mercedes, Porsche and Tesla are increasingly affected by keyless theft, accounting for almost half (48%) of all ‘theft of’ vehicle claims. Karamba’s position is that the Tesla hack shows yet again the need of securing keyless entry systems. Time and again vulnerabilities in the keyless entry components - on the key fob or in the respective controller in the car - lead to hack-based car theft. Ensuring software integrity from boot time to runtime should be a priority to close the hackers way in.  Read Less
Simon Roe
November 25, 2020
Product Manager
Outpost24

The PIN is still required to start the car, and is needed to disable the PIN as well.
It’s a clever hack relying on sourcing components most likely came from stolen and chopped up vehicles (the majority of eBay parts are coming out of Eastern Europe after cars were stolen) but it would be harder to execute in real life given the attacker needs to be in proximity of the key as well as the vehicle, without being noticed. Also, if Tesla’s ‘PIN to drive’ technology is enabled it doesn’t allow people to drive off in the car without a PIN. Even if the car is tricked into.....Read More
It’s a clever hack relying on sourcing components most likely came from stolen and chopped up vehicles (the majority of eBay parts are coming out of Eastern Europe after cars were stolen) but it would be harder to execute in real life given the attacker needs to be in proximity of the key as well as the vehicle, without being noticed. Also, if Tesla’s ‘PIN to drive’ technology is enabled it doesn’t allow people to drive off in the car without a PIN. Even if the car is tricked into thinking the key is present, the PIN is still required to start the car, and is needed to disable the PIN as well. What’s good for Teslas, unlike other cars that might need a service center recall in a similar scenario to receive software updates, is the ability to receive over the air updates to the car software and key fob firmware, with a way to track which vehicles have not received the updates to take additional steps if needed.  Read Less
Erich Kron
November 25, 2020
Security Awareness Advocate
KnowBe4

Tesla did a great job quickly fixing the issue with an over the air update.
This vulnerability helps to illustrate how our homes and vehicles have become more connected and as convenience features are added, the attack surface increases. In this case, while relatively low cost considering the value of a targeted Tesla, there are a number of steps that need to take place in order to pull it off. While not difficult, it could raise some suspicion if done in a public parking lot or other populated public space. Tesla did a great job quickly fixing the issue with an over.....Read More
This vulnerability helps to illustrate how our homes and vehicles have become more connected and as convenience features are added, the attack surface increases. In this case, while relatively low cost considering the value of a targeted Tesla, there are a number of steps that need to take place in order to pull it off. While not difficult, it could raise some suspicion if done in a public parking lot or other populated public space. Tesla did a great job quickly fixing the issue with an over the air update and the researcher showed responsible reporting ethics by notifying Tesla and allowing them to develop the fix before publicly releasing the vulnerability and the exploit. BLE (Bluetooth Low Energy) is used extensively in modern smart devices such as smartphones, fitness trackers, smart watches, home door locks and home automation devices, among many others, to allow for seamless data transfer while using very little battery power. While this is not an attack on BLE itself, it illustrates how the devices handling of registration and communication can be circumvented from a distance using these types of wireless protocols. Attacks such as this are why it is important to purchase devices from a reputable company that will continue to offer patches and updates in the event of a vulnerability being discovered. Publicly reporting vulnerabilities like this will help secure vehicles and devices of all manufacturers across many industries and applications.  Read Less
Jacob Wilson
November 25, 2020
Senior Security Consultant
Synopsys

Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers.
Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers, law enforcement, vehicle financers, and drivers. With consumer demand for Bluetooth and internet-connected vehicle functionality on the rise, it’s more important than ever to ensure these technologies are secure. Wouters’ Tesla Model X research demonstrates the impacts of security requirements and security features not having proper validation. Having thorough software composition.....Read More
Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers, law enforcement, vehicle financers, and drivers. With consumer demand for Bluetooth and internet-connected vehicle functionality on the rise, it’s more important than ever to ensure these technologies are secure. Wouters’ Tesla Model X research demonstrates the impacts of security requirements and security features not having proper validation. Having thorough software composition analysis and fuzz testing performed against embedded electronics provides a higher level of confidence to thwart these attacks.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Experts Reaction On World Economic Forum 2021 Report Cites Cyber...

Major Security Flaws Found In Signal And other Video Chat...

Comment On IoT Risks Of Peloton Bike

70% of UK Finance Industry Hit With Cyber-Attacks In 2020

A Chinese Hacking Group Is Stealing Airline Passenger Details

Expert Commentary: Hacker Posts 1.9 Million Pixlr User Records For...

NSA And Dutch NCSC Warn Outdated TLS Certs

Federal Agency Warns Cloud Attacks Are On The Rise –...

Experts Reaction On New Chrome Update To Boost Password Security

Experts Insight On Latest Flaw Within DNSpooq