Owners advised to mind their surroundings for suspicious individuals lurking to capture the secret to unlock the car

Jan 22, 2015 09:18 GMT

A vulnerability in the Tesla Model S fully electric luxury car allows an attacker to unlock the vehicle, start the engine and drive away with it.

The report is the second one from Chinese security company Qihoo 360 regarding the security of this particular Tesla model.

In a different demonstration, researchers managed to bypass the car’s protection systems and change the lock state, turn on the headlights, honk the horn, as well as open and close the sunroof.

Hackers could replicate the original key fob

Both vulnerabilities were shown at the SyScan security conference that took place in Beijing back in July 2014. One challenge from the organizers was to break the security system of a Tesla Model S and control it from afar. The prize for whoever achieved this was $10,000 / €8,600.

The keyless drive away flaw presented by Qihoo 360 can be exploited through a man-in-the-middle (MitM) attack, followed by a replay attack. According to details from the company, an attacker can learn the authentication secret for starting the vehicle by intercepting the communication between the key fob and the car.

Since the information is exchanged via a radio frequency signal, the attacker can then create a device that acts as the original key fob and delivers the stolen authentication to the car system.
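
Why a recorded frame works against a fixed authentication secret and fails against a per-attempt challenge, as an added example that is not code from Qihoo 360 or Tesla. The article does not describe the real key fob protocol, so both schemes, the class names and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticCodeCar:
    """Weak design (assumed): the fob always sends the same secret."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._secret)

class ChallengeResponseCar:
    """Hardened design: a fresh single-use nonce per unlock attempt."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # consume the nonce
        if nonce is None:
            return False  # no outstanding challenge
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def fob_response(key: bytes, nonce: bytes) -> bytes:
    """What a genuine fob holding the pairing key would transmit."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed pairing key
    results = {}
    # Static scheme: the frame on the air is the secret itself.
    recorded = key
    results["static_replay"] = StaticCodeCar(key).unlock(recorded)
    # Challenge-response: the recorded frame only answers one nonce.
    car = ChallengeResponseCar(key)
    recorded = fob_response(key, car.challenge())
    results["cr_legit"] = car.unlock(recorded)
    car.challenge()  # the car issues a new nonce for the next attempt
    results["cr_replay"] = car.unlock(recorded)
    results["cr_unsolicited"] = car.unlock(recorded)
    return results

if __name__ == "__main__":
    print(demo())
```

A fresh nonce only invalidates frames recorded earlier; it does not stop a live relay between fob and car, which needs a separate control such as distance bounding.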

Liujian Hao of Qihoo 360 says (in Chinese) that the signal from the key fob can be recorded even if no command is sent to the car, which would make a target out of the spare keys, too. He recommends that Tesla owners pay attention to their surroundings when using the keys.

Tesla has a fast firmware update cycle

Qihoo 360 provided the results of its findings to Tesla in July 2014, but made the risk known publicly only this Wednesday, as per their 180-day vulnerability disclosure policy.

The company is not aware whether Tesla has addressed this issue. However, after receiving the report, Tesla said they confirmed the flaw and would release a fix as soon as possible.

According to the firmware changelog, there have been multiple updates each month since the SyScan conference in Beijing. One entry for version 5.12 of the firmware, released after the security conference, reads: “Replacement key fobs can be paired to the car without replacing the BCM [body control module].”

Tesla is the first car maker showing explicit interest in the security of its products by starting a bug hunting program.

A video proving the hack has been created, but not much information can be extracted from it except by Chinese speakers.
