Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob




Tesla has taken plenty of innovative steps to protect the driving systems of its cars against digital attacks. It has hired top security engineers, pushes software updates over the internet, and added code integrity checks. But a team of hackers has now found that Tesla left its Model S cars open to a far simpler form of hacking: cloning the car's key fob in seconds, opening the door, and driving away.

A team of researchers from KU Leuven University in Belgium plans to present a paper at the Cryptographic Hardware and Embedded Systems conference in Amsterdam revealing a technique for defeating the encryption used in the wireless key fobs of Tesla's luxury Model S. With about $600 in computing and radio equipment, they can wirelessly read the signals of a nearby Tesla owner's key fob. Less than two seconds of computation then yields the fob's cryptographic key, allowing them to steal the associated car without a trace. "Today, it is very easy for us to clone these key fobs in seconds," says Lennert Wouters, a researcher at KU Leuven. "We can completely impersonate the key fob and open and drive the vehicle."

Just two weeks ago, Tesla rolled out new anti-theft features for the Model S, including the ability to set a PIN that someone must enter on the dashboard display to drive the car. Tesla also says that Model S units sold after June of this year are not vulnerable to the attack, thanks to upgraded key fob encryption implemented in response to the KU Leuven research. But if owners of a Model S built before then do not turn on that PIN, or do not pay to replace their key fob with the more strongly encrypted version, the researchers say they remain vulnerable to their key-cloning method.

Keys to the Kingdom

Like most automotive keyless entry systems, Tesla Model S key fobs send an encrypted code, derived from a secret cryptographic key, to the car's radios to make it unlock and disable its immobilizer, allowing the engine to start. After nine months of reverse engineering work, the KU Leuven team discovered in the summer of 2017 that the Tesla Model S keyless entry system, built by a manufacturer called Pektron, used only a weak 40-bit cipher to encrypt those key fob codes.

The researchers found that once they had obtained two codes from a given key fob, they could simply try every possible cryptographic key until they found the one that unlocked the car. They then computed the possible keys for any combination of code pairs to build a massive 6-terabyte table of precomputed keys. With that table and those two codes, the hackers say they can look up the correct cryptographic key to impersonate any key fob in just 1.6 seconds.
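To see why two challenge-response pairs are enough to isolate a short key while one pair is not, here is an added toy model (not the researchers' code and not the fob's real cipher): a constructed 16-bit key space and 12-bit responses, with a truncated SHA-256 standing in for the keyed function, so that the number of surviving candidate keys after one and after two pairs can be checked by exhaustive search in well under a second.

```python
import hashlib

# Toy parameters, constructed for illustration only. The article's real
# system uses a 40-bit key; the 12-bit response width below is a toy choice
# that keeps the search space small enough to enumerate in Python.
KEY_BITS = 16
RESP_BITS = 12


def toy_response(key: int, challenge: int) -> int:
    """Stand-in keyed challenge-response function: SHA-256(key || challenge)
    truncated to RESP_BITS. Any fixed keyed function would serve the demo."""
    data = key.to_bytes(4, "big") + challenge.to_bytes(5, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") & ((1 << RESP_BITS) - 1)


def candidate_keys(pairs):
    """Exhaustive search: every key in the toy space consistent with all
    observed (challenge, response) pairs. Against a 40-bit key the same
    work is what the researchers moved offline into a precomputed table."""
    return [k for k in range(1 << KEY_BITS)
            if all(toy_response(k, c) == r for c, r in pairs)]


def expected_false_survivors(n_pairs: int, key_bits: int, resp_bits: int) -> float:
    """Expected number of WRONG keys that still match n_pairs random pairs:
    each pair filters the key space by 2^-resp_bits, so roughly
    2^(key_bits - n_pairs * resp_bits) wrong keys remain. Longer keys or
    wider responses push this below 1, which is the defender's lever."""
    return 2.0 ** (key_bits - n_pairs * resp_bits)


def demo():
    """Recover a constructed fob key from one and from two observed pairs."""
    secret = 0xBEEF                                 # constructed fob key
    challenges = [0x0102030405, 0x0A0B0C0D0E]       # constructed challenges
    pairs = [(c, toy_response(secret, c)) for c in challenges]
    after_one = candidate_keys(pairs[:1])           # many survivors
    after_two = candidate_keys(pairs)               # almost always just `secret`
    return secret, after_one, after_two


if __name__ == "__main__":
    secret, one, two = demo()
    print(f"1 pair : {len(one)} candidates "
          f"(expected ~{1 + expected_false_survivors(1, KEY_BITS, RESP_BITS):.0f})")
    print(f"2 pairs: {len(two)} candidates -> {[hex(k) for k in two]}")
    # Doubling a 40-bit key to 80 bits multiplies any such table by 2^40.
    print("table growth from 40 to 80 key bits:", 2 ** 40, "times")
```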

In their proof-of-concept attack, which they show in a video, the researchers demonstrate their keyless hacking technique with a hardware kit comprising a Yard Stick One radio, a Proxmark radio, a Raspberry Pi minicomputer, their precomputed key table on a portable hard drive, and some batteries.

First, they use the Proxmark radio to capture the radio ID of the target Tesla's locking system, which the car broadcasts at all times. Then the hacker brings that radio within about three feet of the victim's key fob, using the car's ID to spoof a "challenge" to the fob. They do this twice in quick succession, prompting the key fob to reply with response codes that the researchers record. They can then run that pair of codes through the table on their hard drive to find the underlying secret key, which lets them spoof a radio signal that unlocks the car and then starts the engine.

According to the researchers, this whole attack chain is possible only because of the relatively weak encryption of the Pektron key fob system. "It was a very silly decision," says Tomer Ashur, a researcher at KU Leuven. "Someone has messed up, epically."

The KU Leuven researchers told Tesla about their findings in August 2017. Tesla acknowledged their research, thanked them, and paid them a $10,000 "bug bounty" for their work, but did not fix the problem until its encryption upgrade in June and the more recent addition of the PIN feature.

In a statement to WIRED, Tesla said those fixes were rolled out as quickly as possible given the time needed to confirm the researchers' work, test a fix, and integrate it into its manufacturing processes. "Due to the growing number of methods that can be used to steal many types of cars with passive entry systems, not just Teslas, we have deployed a number of security enhancements to help our customers reduce the risk of unauthorized use of their vehicles," a Tesla spokesperson wrote to WIRED. "Based on the research presented by this group, we worked with our supplier to strengthen the security of our key fobs by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows owners of cars built before June to switch to the new key fobs if they wish." The company also noted that you can track a Tesla from your phone, which should make it easier to locate a stolen vehicle.

The researchers believe their attack could also affect cars sold by McLaren and Karma and motorcycles sold by Triumph, which also use Pektron's key fob system. But they could not get their hands on those vehicles to test them. Neither Karma nor Triumph responded to WIRED's request for comment, nor did Pektron itself. McLaren says it is still investigating the problem but is alerting its customers to the potential theft risk and offering them free "signal-blocking pouches" that block radio communications to their key fobs when they are not in use. "Although this potential method has not been proven to affect our cars and is considered low risk, and we do not know of any McLaren vehicle having been stolen by this method, we take the security of our vehicles and the concerns of our customers extremely seriously," writes a McLaren spokesperson.

If those other manufacturers are in fact affected, then beyond keeping keys in those "signal-blocking pouches" (Faraday bags that block radio communications), how they could definitively fix the problem is far from clear. The researchers say the companies would likely have to replace every vulnerable key fob and push a software update to the affected vehicles. Unlike Tesla, whose cars receive over-the-air updates, that might not be possible for other manufacturers' vehicles.

Warning Sign

Despite the open questions about how to prevent the attack, KU Leuven's Ashur argues that disclosing the vulnerability is necessary to put pressure on Tesla and other automakers to protect their customers from theft. Now that Tesla has added its PIN feature, the disclosure also warns Tesla owners to enable that feature to protect against a surprisingly simple method of grand theft auto. Aside from the PIN, Tesla also lets Model S owners disable passive entry on their key fobs, meaning drivers have to press a button to unlock the car. That would also thwart the KU Leuven attack. "This attack exists, and we are not the only ones in the world capable of doing it," says Ashur.


For years, hackers have shown that it is possible to mount relay attacks against keyless entry systems, spoofing the car's radio signals to elicit a response from its key fob and relaying that response in real time. In some cases, hackers have carried out those attacks by amplifying the key's radio signal, or by bridging the distance between the car and the victim's key fob by holding a radio device near each one. Such relay attacks have been used in very real car thefts, though how many was never clearly established, given the lack of evidence. Relay-attack thefts are no doubt part of Tesla's motivation for adding its PIN precaution, regardless of the KU Leuven research.

But even those relay attacks only let a car thief use the victim's key once. Even if they manage to drive the car away, they cannot unlock or restart it. The KU Leuven attack, by contrast, lets a thief permanently clone the victim's key, so that they can unlock and drive the car in perpetuity. "Basically, we can do everything a relay attack can do, and more," says Wouters.

With this dangerous key-cloning method now out in the open, anyone with a vulnerable Model S would be well advised to turn on Tesla's newly added PIN feature or disable passive entry. Punching four digits into the car's dashboard, or pressing a button on its key fob, before starting the car may be a nuisance, but it beats coming back to an empty parking spot.


