This Bluetooth Attack Can Steal a Tesla Model X in Minutes

Wouters notes that the two most serious vulnerabilities he found—the lack of validation for both key fob firmware updates and pairing new key fobs with a car—point to an apparent disconnect between the security design of the Model X’s keyless entry system and how it was implemented. “The system has everything it needs to be secure,” Wouters says. “And then there are a few small mistakes that allow me to circumvent all of the security measures.”

To demonstrate his technique, Wouters assembled a breadbox-sized device that includes a Raspberry Pi minicomputer, a secondhand Model X BCM, a key fob, a power converter, and a battery. The whole kit, which can send and receive all the necessary radio commands from inside a backpack, cost him less than $300. And Wouters designed it so that he could stealthily control it, inputting the car’s VIN number, retrieving an unlock code, and pairing a new key all from a simple command prompt on his smartphone, as shown in the video above.

Wouters says there’s no evidence his technique has been used for real-world grand theft auto. But thieves have actively targeted Tesla’s keyless entry systems to steal vehicles in recent years, using relay attacks that amplify the signal from a key fob to unlock and start a car, even when the key fob is inside the victim’s home and the car is parked in their driveway.

Wouters’ method, while far more complex, could easily have been put into practice if he hadn’t warned Tesla, says Flavio Garcia, a researcher at the University of Birmingham who has focused on the security of cars’ keyless entry systems. “I think it’s a realistic scenario,” says Garcia. “This weaves together a number of vulnerabilities to build an end-to-end, practical attack on a vehicle.”

The Model X hacking technique isn’t Wouters’ first time exposing vulnerabilities in Tesla’s keyless entry systems: He’s twice before found cryptographic vulnerabilities in Tesla Model S keyless entry systems that would have similarly allowed radio-based car theft. Even so, he argues that there’s nothing particularly unique about Tesla’s approach to keyless entry security. Comparable systems are likely just as vulnerable. “They’re cool cars, so they’re interesting to work on,” Wouters says. “But I think if I spent as much time looking at other brands, I would probably find similar issues.”

More unique for Tesla, Wouters points out, is that unlike many other automakers it has the ability to push out OTA software patches rather than requiring that drivers bring their key fobs to a dealer to be updated or replaced. And that’s the upside of treating cars like personal computers: Even when that update mechanism turned out to be a hackable vulnerability, it also offers Tesla owners a lifeline to fix the problem.

