It was the latest security experiment from COSIC, a research group of Imec and the University of Leuven in Belgium, which had previously found a similar vulnerability with Tesla’s Model S luxury sedan, where a key fob was also to blame.
The researchers said they were able to break into the SUV, which starts at $80,000, using a few hundred dollars’ worth of equipment.
Researchers noted that the process took about 90 seconds.
The researchers, who informed the company of their findings on Aug. 17, said Tesla is rolling out an update intended to address the issue. An over-the-air software update is being pushed to the key fobs, they said, which will better lock them down.
Wired was first to report on the vulnerability. Tesla did not respond to a request for comment.
Lennert Wouters, a PhD student at the COSIC research group, said in an email that the problem is not necessarily unique to Tesla.
“This system was developed in-house by Tesla, so this exact vulnerability most likely only applies to the Tesla Model X,” he wrote. “However, other keyfobs which have an insecure firmware update mechanism could also be vulnerable to a similar attack.”
Among the key vulnerabilities, Wouters noted: the lack of “cryptographic signatures” in the firmware update process, meaning a key fob has no secure way of certifying whether an update is legitimate; and an insecure pairing protocol that allowed a new, modified key fob to be paired to a Model X.
Equipment to break into the car included a $35 Raspberry Pi computer, a modified key fob and a salvaged Tesla Model X control unit bought off eBay. Researchers used the spare control unit to get key fobs within several meters to advertise themselves as “connectable.” After that, they pushed out a software update to the key fobs that would “acquire a valid unlock message” so they could unlock the car later, Wouters said. They noted that the software in Tesla’s key fobs could be updated without an additional layer of security that would verify its authenticity.
“As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it,” Wouters said in a news release. “Subsequently we could obtain valid unlock messages to unlock the car later on.”
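The check Wouters describes as missing, a key fob verifying a signature before it accepts firmware, is sketched here as an added example; it is not Tesla's or the researchers' code. The image layout (`FOBU` magic, version, length) and every function name are hypothetical, and a Lamport one-time hash-based signature stands in for a production scheme such as Ed25519 or ECDSA because it needs only the Python standard library.

```python
# Added example: fob-side acceptance check for a signed firmware image.
import hashlib, secrets, struct

MAGIC = b"FOBU"                     # hypothetical image magic
HEADER = struct.Struct(">4sII")     # magic, version, payload length
SIG_LEN = 256 * 32                  # one 32-byte secret per digest bit

def _h(data):
    return hashlib.sha256(data).digest()

def _bits(msg):
    """The 256 bits of SHA-256(msg), most significant first."""
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Vendor side: one-time key pair. Only the public half ships in the fob."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    # Reveal, for each digest bit, the secret that matches that bit's value.
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def verify(pk, msg, sig):
    """True only if every revealed secret hashes to the expected public value."""
    if len(sig) != SIG_LEN:
        return False
    return all(_h(sig[32 * i:32 * i + 32]) == pk[i][bit]
               for i, bit in enumerate(_bits(msg)))

def build_image(sk, version, payload):
    """Vendor side: the signature covers the header and the payload."""
    signed = HEADER.pack(MAGIC, version, len(payload)) + payload
    return signed + sign(sk, signed)

def accept_update(pk, image):
    """Fob side: return (version, payload) to flash, or raise ValueError."""
    if len(image) < HEADER.size:
        raise ValueError("truncated header")
    magic, version, length = HEADER.unpack_from(image)
    end = HEADER.size + length
    if magic != MAGIC or len(image) < end:
        raise ValueError("malformed image")
    signed, sig = image[:end], image[end:]
    if not verify(pk, signed, sig):
        raise ValueError("signature check failed: refusing to flash")
    return version, signed[HEADER.size:]
```

An image that arrives with no signature, with a modified payload, or signed by a key other than the one provisioned in the fob is rejected before anything is written to flash.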