Tesla is already working on a fix.
Despite Tesla's mostly very successful efforts, hackers are sometimes able to penetrate its vehicle security systems and expose their flaws. These are known as "exploits" and the good news for Tesla is that a security researcher from Belgium has found two more before criminal hackers did.
Wired reports that Lennart Wouters, an online security researcher from KU Leuven University in Belgium discovered last August two vulnerabilities relating to the Tesla Model X. He immediately updated the automaker. A software patch via an over-the-air-update is now in progress. Wouters also posted a video demonstrating the security breach he found where it would be possible to steal a Model X in a matter of minutes.
The first vulnerability is essentially the ability to create a key for a Model X simply by knowing the last five VIN digits which happen to be visible on the windshield. It only takes about $300 worth of hardware, a backpack, and standing near the vehicle's owner for about 90 seconds to do the rest. The hardware is a Raspberry Pi minicomputer and a Model X body control module (BCM) that can be bought off eBay.
The BCM enabled Wouters to hijack the Bluetooth radio connection the key fob uses to unlock the vehicle when the owner is only 15 feet away. Next, the hardware rewrites the target fob's firmware. This allowed Wouters to gain access to the code that unlocks the vehicle. He then stored that code in his backpack containing the minicomputer and walked directly up to the Model X. The car immediately unlocked, thinking that it's connected to the original key fob, not the duplicate Wouters made.
Once inside, the second vulnerability was exposed - starting the vehicle. Wouters accessed the USB port located behind a panel under the display, and then connected his backpack/computer to the vehicle's Controller Area Network (CAN) where it told the EV's computer the fake key fob isn't actually fake. The Model X could then start up and drive off.
What Wouters really exposed was the fact the BCM and key fob, even when connected to one another, don't validate firmware updates to the fob. This allowed him to gain access simply by pretending to send new firmware updates from Tesla.
"The system has everything it needs to be secure," Wouters said. "And then there are a few small mistakes that allow me to circumvent all of the security measures."
Acura
Alfa Romeo
Aston Martin
Audi
Automobili Pininfarina
Bentley
BMW
Bollinger
BrightDrop
Bugatti
Buick
Cadillac
Caterham
Chevrolet
Chrysler
Dodge
Ferrari
Fiat
Fisker
Ford
Genesis
GMC
Gordon Murray Automotive
Hennessey
Honda
Hyundai
Ineos Automotive
Infiniti
Jaguar
Jeep
Karma
Kia
Koenigsegg
Lamborghini
Land Rover
Lexus
Lincoln
Lordstown
Lotus
Lucid Motors
Maserati
Mazda
McLaren
Mercedes-Benz
Mini
Mitsubishi
Nissan
Pagani
Polestar
Porsche
Ram
Rimac
Rivian
Rolls-Royce
Spyker
Subaru
Tesla
Toyota
VinFast
Volkswagen
Volvo
Join The Discussion