
Researchers hack and steal a Model S; Tesla says vulnerability now fixed

COSIC researchers hack Tesla Model S key fob

Stealing a car used to require a blunt object to break one of its windows, and basic electrical knowledge to hot-wire it. Two Belgian security experts discovered an encryption flaw that let them drive away in a Tesla Model S without busting any glass or cutting any wires.


Researchers working at the KU Leuven University in Belgium figured out a relatively simple way to digitally break into a Model S by defeating the encryption in the wireless key fob, according to Wired. It’s a technique that requires about $600 worth of radio and computing equipment, so it’s not something anyone can do with their smartphone, but that’s a small investment considering the price of a Model S. The hardware is used to access the cryptographic key programmed into each fob and copy it, which essentially creates a new key fob. The thieves can then enter any Model S and drive off in it without setting off the alarm.

“Today, it’s very easy for us to clone these key fobs in a matter of seconds. We can completely impersonate the key fob and drive the vehicle,” revealed researcher Lennert Wouters in an interview with Wired. He added that figuring out how to hack into a Model S took about nine months.

Tesla awarded the researchers a $10,000 bug bounty when they privately shared their discovery in August of 2017. It then spent nearly a year verifying the technique and developing a fix, which it began rolling out in June of 2018. First, it designed a more secure key fob. That means cars manufactured after that point aren’t affected by the problem.

Earlier models — a vast majority of the ones on the road — received an additional security barrier via an over-the-air software update. This lets owners set a PIN code that must be entered on the car’s touchscreen before it can be driven off. It’s similar to the PIN that protects a smartphone. Tesla told Digital Trends the PIN function will come to the Model 3 in the future.

“Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles,” a Tesla spokesperson told Digital Trends. “Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018,” the California-based company added.

Wouters and his partner, Tomer Ashur, blame the flaw on a key fob manufactured by British electronics firm Pektron. McLaren, Karma, and Triumph also use Pektron-sourced key fobs, so the same hack could allow thieves to break into vehicles made by those brands.

“This attack is out there, and we’re not the only people capable of coming up with it,” Ashur warned.

Update: added statement from Tesla.

Ronan Glon
Ronan Glon is an American automotive and tech journalist based in southern France. As a long-time contributor to Digital…