There’s no denying Tesla vehicles are some of the most connected cars on the road. The electric carmaker championed previously unheard-of over-the-air software updates that can roll out updates and essential security upgrades without the owner ever needing to find a service center. Not all is well, however, in the ultraconnected world of Tesla.
Wired reported Monday on significant security oversights that Lennert Wouters, a Belgian security researcher, discovered and informed Tesla of earlier this year. While the hack is apparently simple, that’s not to say anyone could just get away with it. The flaws are severe enough that Tesla will reportedly issue a patch for the vulnerabilities in the coming weeks. Tesla does not operate a public relations department to field requests for comment, but according to Wouters, the automaker is taking his findings seriously.
So, what’s the hack? It exploits the Model X specifically and the electric SUV’s key fobs. With about $300 worth of portable gear, a hacker could dupe the car into thinking the hacker has the correct key fob, gain entry and then trick the car once again into thinking the phony key fob is the proper unit to start the car and take off. Gaining access to the car takes about 90 seconds, Wouters told Wired, and once inside, it only takes a little finagling to start the car.
To be clear, the researcher found Tesla does have systems in place to keep this scheme from working. But a few errors didn’t quite connect all the security dots in the current software, which leaves it open to the newly discovered vulnerabilities. Wouters discovered he could use his own computer with a Bluetooth receiver to intercept either the car’s actual key fob, or the body control module in the car. And it works from up to 50 feet away.
With the car unlocked, thanks to a bogus fob, he could then plug his own computer into a port accessible from the dashboard and basically tell the car the false fob is the right one. Here’s where one of a few problems Tesla didn’t quite connect comes into play. The Model X features a unique cryptographic certificate that should prevent this from being possible, but the system doesn’t actually work as it stands. Without it, the researcher told the car everything was A-OK, and he could drive off with a Model X.
Wouters underscored the car has everything it needs to stop him from carrying out this sort of plot; Tesla just needs to close a few loopholes with software updates for the car and the key fob. Those are reportedly on the way now and owners won’t need to leave home to receive the fix.