CryptoDB
My other car is your car: compromising the Tesla Model X keyless entry system
Authors: | |
---|---|
Download: | |
Presentation: | Slides |
Abstract: | At RWC 2019 we presented a black-box security evaluation of the keyless entry system employed within the Tesla Model S [WMA+19]. Our analysis revealed that these high-end vehicles could be stolen in a matter of seconds; this was made possible by an inadequate proprietary cipher. Tesla released a second iteration of this key fob, upgrading to a newer version of the proprietary cipher. We later demonstrated that this new version was in fact vulnerable to a downgrade attack [WVdHG+20]. In response, Tesla released an over-the-air software update which allowed users to self-service their key fob. In contrast, this presentation will cover a security evaluation of the keyless entry system used in the Tesla Model X. This modern-day system was developed in-house by Tesla. The key fob uses Bluetooth Low Energy to communicate with the car, and both the key fob and car use a Common Criteria EAL5+ certified secure element to perform security-critical operations. Even though this system was clearly designed with security in mind, we demonstrate how a pair of vulnerabilities can be combined to completely bypass the secure public-key and symmetric-key cryptographic primitives that are used within this system. Therefore, this talk could serve as a yearly reminder of Shamir’s third law of security, which states that cryptography is typically bypassed, not penetrated. To demonstrate the practical impact of our findings we implement a proof-of-concept attack, demonstrating that we could gain interior access to, and drive off with, a Tesla Model X in a matter of minutes. The only prerequisite for an attacker is to be within five meters of the legitimate key fob for a few seconds. We want to stress that this is not a classical relay attack; our findings result in permanent access to the vehicle similar to any legitimate key fob.
During this talk we will describe our reverse engineering efforts covering both the key fob and the body control module located inside the vehicle. We will uncover the identified vulnerabilities and will showcase a proof-of-concept attack allowing an adversary to drive off with the car in a matter of minutes. We will provide insight into the internal workings of this system from both the key fob and vehicle side, as well as the procedure used by Tesla service centers to pair a key fob to the car. This research once again demonstrates the difficulties faced, even by experienced security professionals, in implementing a real-world system securely. By doing so we also demonstrate the importance of security evaluation methods, secure building blocks that are impossible or difficult to implement incorrectly, and secure example code provided by silicon vendors. |
Video: | https://youtu.be/kO-3Uh7tq60?t=2695 |
BibTeX
@misc{rwc-2021-35541,
  title={My other car is your car: compromising the Tesla Model X keyless entry system},
  note={Video at \url{https://youtu.be/kO-3Uh7tq60?t=2695}},
  howpublished={Talk given at RWC 2021},
  author={Lennert Wouters and Benedikt Gierlichs and Bart Preneel},
  year=2021
}