Hacker Shows Off a Way to Unlock Tesla Models, Start Cars

Tesla Inc. customers may like the sophisticated keyless entry system, but a cybersecurity researcher has demonstrated how the same technology can let thieves drive away with certain models of its electric vehicles.

The hack, effective on the Tesla Model 3 and Model Y, lets a thief unlock a vehicle, start it and drive away, according to Sultan Qasim Khan, principal security consultant at the Manchester-based British security firm NCC Group. By redirecting communications between the car owner’s mobile phone or key fob and the car, an outsider can trick the entry system into thinking the owner is physically close to the vehicle.

The hack, Khan said, is not specific to Tesla, although he demonstrated the technique to Bloomberg News on one of the company’s cars. Rather, it is the result of his tinkering with Tesla’s keyless entry system, which relies on what is known as the Bluetooth Low Energy (BLE) protocol.

There is no evidence that thieves have used the hack to steal Tesla vehicles. The carmaker did not respond to a request for comment. NCC provided details of its findings to its clients in a note on Sunday, an official there said.

Khan said he had disclosed the potential for the attack to Tesla and that the company’s employees did not consider the problem a significant risk. To fix it, the carmaker would have to change its hardware and its keyless entry system, Khan said. The revelation comes after another security researcher, David Colombo, uncovered a way to hijack certain features of Tesla vehicles, such as opening and closing doors and controlling the music volume.

The BLE protocol is designed to conveniently connect devices over the Internet, but it has also emerged as a method hackers use to unlock smart technologies, including home locks, cars, phones and laptops, Khan said. NCC Group said it had succeeded in attacking devices from several other car and device manufacturers.

Kwikset Corp.’s Kevo smart locks, which use keyless entry with iPhone or Android phones, are affected by the same problem, Khan said. Kwikset said customers who use an iPhone to access the lock can enable two-factor authentication in the lock app. A spokesman also added that locks operated by the iPhone have a 30-second timeout, which helps protect against intrusion.

Kwikset will update its Android app this summer, the company said.

“The security of Kwikset products is critical and we partner with well-known security companies to evaluate our products and continue to work with them to ensure that we provide the highest possible security for our customers,” a spokesman said.

A spokesman for the Bluetooth SIG, an industry body of technology companies, said: “The Bluetooth Special Interest Group (SIG) gives priority to security and the specifications include a collection of features that provide product developers with the tools they need to secure communication between Bluetooth devices.

“The SIG also provides educational resources to the developer community to help them implement the appropriate level of security in their Bluetooth products, as well as a vulnerability response program that works with the security research community to address vulnerabilities identified in Bluetooth specifications in a responsible way.”

Khan has identified a number of vulnerabilities in NCC Group customers’ products and is also the creator of Sniffle, the first open source Bluetooth 5 sniffer. Sniffers can be used to track Bluetooth signals, helping to identify devices. They are often used by government agencies that operate roads to anonymously monitor drivers passing through urban areas.

A 2019 study by a British consumer group, Koya, found that more than 200 car models are vulnerable to keyless theft using similar but slightly different attack methods, such as tampering with wireless or radio signals.

In a demonstration to Bloomberg News, Khan conducted a so-called relay attack, in which a hacker uses two small hardware devices that forward communications. To unlock the car, Khan placed one relay device about 15 yards from the Tesla owner’s smartphone or key fob and a second, plugged into his laptop, near the car. The technique uses custom code that Khan wrote for Bluetooth development kits that sell online for less than $50.

The necessary hardware, together with Khan’s custom software, costs a total of about $100 and can be easily purchased online. Once the relays are set up, the hack takes only about ten seconds, Khan said.

“The attacker can go to any home at night – if the owner’s phone is at home – with a car with passive Bluetooth entry parked outside and use that attack to unlock and start the car,” he said.

“Once the device is in place near the key fob or phone, the attacker can send commands from anywhere in the world,” Khan added.

Photo of a Tesla Model S: SeongJoon Cho / Bloomberg

Copyright 2022 Bloomberg.