Expert Comments

Expert Insight On The Bluetooth Attack To Steal A Tesla Model X In Minutes

Expert(s):
Expert(s):

It has been reported that Lennert Wouters, a security researcher at Belgian university KU Leuven, revealed a collection of security vulnerabilities in keyless entry for Tesla Model X which can be exploited to steal the car.

Experts Comments

Dot Your Expert Comments
David Barzilai
November 25, 2020
Co-founder and Executive Chairman
Karamba Security

Karamba’s position is that the Tesla hack shows yet again the need of securing keyless entry systems.
According to new research from insurer LV= shows that in 2016- 2019, insurance claims for car theft have jumped by 20%, with keyless car theft accounting for a large proportion of the claims. These figures from LV= show that luxury car makes such as Audi, BMW, Jaguar, Land Rover, Lexus, Mercedes, Porsche and Tesla are increasingly affected by keyless theft, accounting for almost half (48%) of all ‘theft of’ vehicle claims. Karamba’s position is that the Tesla hack shows yet again the.....Read More
According to new research from insurer LV= shows that in 2016- 2019, insurance claims for car theft have jumped by 20%, with keyless car theft accounting for a large proportion of the claims. These figures from LV= show that luxury car makes such as Audi, BMW, Jaguar, Land Rover, Lexus, Mercedes, Porsche and Tesla are increasingly affected by keyless theft, accounting for almost half (48%) of all ‘theft of’ vehicle claims. Karamba’s position is that the Tesla hack shows yet again the need of securing keyless entry systems. Time and again vulnerabilities in the keyless entry components - on the key fob or in the respective controller in the car - lead to hack-based car theft. Ensuring software integrity from boot time to runtime should be a priority to close the hackers way in.  Read Less
Simon Roe
November 25, 2020
Product Manager
Outpost24

The PIN is still required to start the car, and is needed to disable the PIN as well.
It’s a clever hack relying on sourcing components most likely came from stolen and chopped up vehicles (the majority of eBay parts are coming out of Eastern Europe after cars were stolen) but it would be harder to execute in real life given the attacker needs to be in proximity of the key as well as the vehicle, without being noticed. Also, if Tesla’s ‘PIN to drive’ technology is enabled it doesn’t allow people to drive off in the car without a PIN. Even if the car is tricked into.....Read More
It’s a clever hack relying on sourcing components most likely came from stolen and chopped up vehicles (the majority of eBay parts are coming out of Eastern Europe after cars were stolen) but it would be harder to execute in real life given the attacker needs to be in proximity of the key as well as the vehicle, without being noticed. Also, if Tesla’s ‘PIN to drive’ technology is enabled it doesn’t allow people to drive off in the car without a PIN. Even if the car is tricked into thinking the key is present, the PIN is still required to start the car, and is needed to disable the PIN as well. What’s good for Teslas, unlike other cars that might need a service center recall in a similar scenario to receive software updates, is the ability to receive over the air updates to the car software and key fob firmware, with a way to track which vehicles have not received the updates to take additional steps if needed.  Read Less
Erich Kron
November 25, 2020
Security Awareness Advocate
KnowBe4

Tesla did a great job quickly fixing the issue with an over the air update.
This vulnerability helps to illustrate how our homes and vehicles have become more connected and as convenience features are added, the attack surface increases. In this case, while relatively low cost considering the value of a targeted Tesla, there are a number of steps that need to take place in order to pull it off. While not difficult, it could raise some suspicion if done in a public parking lot or other populated public space. Tesla did a great job quickly fixing the issue with an over.....Read More
This vulnerability helps to illustrate how our homes and vehicles have become more connected and as convenience features are added, the attack surface increases. In this case, while relatively low cost considering the value of a targeted Tesla, there are a number of steps that need to take place in order to pull it off. While not difficult, it could raise some suspicion if done in a public parking lot or other populated public space. Tesla did a great job quickly fixing the issue with an over the air update and the researcher showed responsible reporting ethics by notifying Tesla and allowing them to develop the fix before publicly releasing the vulnerability and the exploit. BLE (Bluetooth Low Energy) is used extensively in modern smart devices such as smartphones, fitness trackers, smart watches, home door locks and home automation devices, among many others, to allow for seamless data transfer while using very little battery power. While this is not an attack on BLE itself, it illustrates how the devices handling of registration and communication can be circumvented from a distance using these types of wireless protocols. Attacks such as this are why it is important to purchase devices from a reputable company that will continue to offer patches and updates in the event of a vulnerability being discovered. Publicly reporting vulnerabilities like this will help secure vehicles and devices of all manufacturers across many industries and applications.  Read Less
Jacob Wilson
November 25, 2020
Senior Security Consultant
Synopsys

Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers.
Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers, law enforcement, vehicle financers, and drivers. With consumer demand for Bluetooth and internet-connected vehicle functionality on the rise, it’s more important than ever to ensure these technologies are secure. Wouters’ Tesla Model X research demonstrates the impacts of security requirements and security features not having proper validation. Having thorough software composition.....Read More
Automotive key fob attacks are real-world threats with significant impacts for automobile manufacturers, law enforcement, vehicle financers, and drivers. With consumer demand for Bluetooth and internet-connected vehicle functionality on the rise, it’s more important than ever to ensure these technologies are secure. Wouters’ Tesla Model X research demonstrates the impacts of security requirements and security features not having proper validation. Having thorough software composition analysis and fuzz testing performed against embedded electronics provides a higher level of confidence to thwart these attacks.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...

Experts On Google Voice Outage

Expert Reaction On GCHQ To Use AI In Cyberwarfare

Comment: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab...