This Bluetooth Attack Can Steal a Tesla Model X in Minutes
Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update: A hacker could rewrite the firmware of a key fob via a Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.
Lennert Wouters, a security researcher at Belgian university KU Leuven, today revealed a collection of security vulnerabilities he found in both Tesla Model X cars and their keyless entry fobs. He discovered that those combined vulnerabilities could be exploited by any car thief who manages to read a car's vehicle identification number—usually visible on a car's dashboard through the windshield—and also come within roughly 15 feet of the victim's key fob. The hardware kit necessary to pull off the heist cost Wouters around $300, fits inside a backpack, and is controlled from the thief's phone. In just 90 seconds, the hardware can extract a radio code that unlocks the owner's Model X. Once the car thief is inside, a second, distinct vulnerability Wouters found would allow the thief to pair their own key fob with the victim's vehicle after a minute's work and drive the car away.
"Basically a combination of two vulnerabilities allows a hacker to steal a Model X in a few minutes' time," says Wouters, who plans to present his findings at the Real World Crypto conference in January. "When you combine them, you get a much more powerful attack."