Remember when it was discovered the key fob could be cloned? It’s happened again.
For years, there have been security concerns over Tesla models as thieves have been able to hack them with ease. Just last year, it was discovered that cunning criminals were able to clone a Tesla Model S key fob in seconds, unlock a car and drive away without ever touching the owner's key. To Tesla's credit, the automaker created a new version of its key fob that patched the security flaw. Inevitably, however, it hasn't taken long for researchers to discover another vulnerability that affects the new key fobs.
Wired reports that researchers at a Belgian university have found a technique capable of breaking the Model S key fob's encryption, which would again allow them to clone the keys and steal the car. Since the new attack is more limited in its radio range than the previous one, it takes a few seconds longer to hack the car. It's also worth noting the researchers haven't carried out the full attack demonstration like they did last year, but they have proven that it's possible.
According to the researchers, the vulnerability of the key fob, manufactured by Pektron, is due to a configuration bug that reduces the time necessary to crack its encryption. Originally, Pektron only used 40-bit encryption that was easy to crack, which was upgraded to 80-bit in the newer key fobs. In theory, this should have been more secure and much harder to crack, but the bug allows hackers to simply crack two 40-bit keys. "The new key fob is better than the first one, but with twice the resources, we could still make a copy, basically," researcher Lennert Wouters said.
Luckily, this latest attack can be blocked with a software update rather than a hardware replacement that was required last year. Tesla has acknowledged that thieves could exploit this technique and will roll-out an over-the-air software update to fix the security flaw. A Tesla spokesperson also confirmed to Wired there is no evidence to suggest the key-cloning technique has been used in any thefts. Model X and Model 3 vehicles aren't affected by this vulnerability as they don't use the same Pektron key fobs.
"While nothing can prevent against all vehicle thefts, Tesla has deployed several security enhancements, such as PIN to Drive, that makes them much less likely to occur," the spokesperson said. "We've begun to release an over-the-air software update (part of 2019.32) that addresses this researcher's findings and allows certain Model S owners to update their key fobs inside their car in less than two minutes. We believe that neither of these options would be possible for any other automaker to release to existing owners, given our unique ability to roll out over-the-air updates that improve the functionality and security of our cars and key fobs."