
Hackers can steal a Tesla Model S in seconds by cloning its key fob

Imagine purchasing a Tesla and the excitement that comes with it. One of the coolest car manufacturers around, the company is known for making vehicles that look nice and provide plenty of wonderful features.

Entirely electric, they certainly have the feel of a car of the future, which is undoubtedly a big part of the appeal. Take the Model S, for example. Its MSRP starts at $74,500, and it offers an estimated 335 miles of range and can go from 0 to 60 mph in a crazy 2.5 seconds.

As technologically advanced as the Tesla is, there is a downside. The more computers are involved, the greater the need to protect them against cyberattacks. One attack in particular is so worrisome that, if successful, it could lead to someone unlocking the car and driving it away.

It only takes seconds

The issue was discovered by a research team at the KU Leuven University in Belgium, who found that it was possible to fairly easily clone the wireless key fob that is used to both unlock and start up the Tesla S.

According to the researchers, all one needs is about $600 in radio and computing equipment and with that they can read signals from a nearby Tesla owner’s key fob, with no wires necessary. With the right tools, it can be done in just a few seconds, letting the hacker open the car and drive away.

The good news is that a couple of weeks ago Tesla brought out some new anti-theft features for the Model S that included the option to set a PIN code. The code must then be entered on the dashboard display in order to drive the car, which means that just imitating the key fob is not enough to steal the vehicle.

Also, Tesla says Model S cars that were sold after June of this year are not vulnerable to the attack because they upgraded the key fob encryption in response to the research. However, if someone who has a Model S purchased before then does not turn on the PIN or does not plan on replacing their key fob with the new version, the researchers believe they will still be vulnerable to the hack.

How’d they do it?

The Tesla Model S is not alone in using a key fob to unlock and allow the car to be started. These days, many manufacturers use them; each fob is programmed with a secret cryptographic key that is recognized by the car’s radios.

But in this case, the researchers needed nine months of on-and-off reverse engineering to come up with their hack of the Tesla Model S’s system, which was built by a manufacturer called Pektron. It was more vulnerable in part because it used a weaker 40-bit cipher to encrypt the key fob codes.

That made it so that all the researchers needed to do was gain two codes from any random key fob. From there they could just try every possible cryptographic key until finding the one that unlocked the car.

Once that was done, they computed every possible key for any combination of code pairs in order to create a 6-terabyte table of pre-computed keys. With the table and their two codes, the hackers were able to look up the exact key to clone any key fob in less than two seconds.

The researchers showed what the theft process would look like in a proof-of-concept video.

The tools the hacker used include a Yard Stick One radio, a Proxmark radio and a Raspberry Pi minicomputer which, when combined with the pre-computed table of keys on a portable hard drive, allow for the car to be stolen.

Tesla appreciated the heads up

The research team came to its conclusion and informed Tesla about it all in August 2017. The company not only acknowledged what they found, but paid them a $10,000 “bug bounty” for their work.

However, Tesla did not fix the problem until recently, with its encryption upgrade and the introduction of the PIN code. Tesla said it did everything as soon as it could, but had to confirm the researchers’ work before testing a fix and then integrating it into its manufacturing process.

As for whether or not this trick could work on other vehicles, the researchers believe it might with McLaren and Karma as well as motorcycles sold by Triumph, but were unable to test it on them. Yet, McLaren is investigating and in the meantime is alerting its customers to the potential danger as well as offering them free pouches that would block radio communications to their key fobs when they are not in use.
