There seems to be a worldwide auto theft pattern discovered by Belgian researchers where thieves using computer hacking hardware are able to override the transponder codes to both the Tesla vehicles, particularly the Model S, and it’s appropriate key fob, where the car is stolen within minutes, and the key to the car is in the owner’s pocket while the thieves drive away.
- Researchers at a Belgian university discovered a vulnerability in Tesla vehicle security that they are presenting a paper at a hacking conference:
- With about $600 USD of radio and comm equipment they can track signals and hack cars and key fobs without trace.
- It took Tesla a year to find a solution to a simple back door hack over a system of cars connected over the air that soon one day won’t need their drivers.
- Thieves get the cryptographic code from the car then the fob holder; they’re in.
- The key fob is made by outsourced key company Pektron, which makes the fob for all Tesla vehicles as well as for McClaren, Karma, and Triumph Motorcycles.
- They were using a weaker Keptron encryption code but have since strengthened it.
- Tesla over recent months has pulled all stops to stop or prevent car hacking or theft.
- Hiring security engineers, implementing code integrity checks, installing OTA software updates.
- Recently they rolled out new anti-theft features for the Model S that includes a PIN code.
- All Model S customers with cars built before June 2018 have the option of getting new fobs.
- Even with GPS turned off in the car, customers can still track their car on the app and also when the car is charged at a Tesla station.
All This, and the Tent too
These are the problems that happen now when a Society of Automotive Engineers Level 2 to 3 car’s over the air software system, connected to hundreds of thousands of other cars, is backdoor hacked to steal the car. We can only imagine if this was about key fobs and a car network for Level 4 or 5 cars capable of being driven only by software. You folks are all wrapped up about a Level 5 car with no wheel or pedals. Level 4 gives you more options with more worries. A parked Level 5 car with no pedals or steering wheel, is the equivalent of a loaded gun laying on a table with no one ever around. It can sit there to the end of time to harm not a soul. A parked Level 4 car is a double loaded weapon. It can be both physically stolen or stolen through hack. Transfer the cyber security alarms of Levels 4 and 5 to this case. Although there might be a tough security wall a hacker must then overcome to get into that system that has access to those cars, the mere fact that it took outsiders to alarm Tesla that there was a giant but very simple flaw in this system to allow car thieves, and not hackers wishing to do harm to the system or cars or people, is enough to raise eyebrows. Even after Belgian researchers told software security engineers at Tesla that their key fobbed vehicle security system was vulnerable to either cars being stolen or just hacked, the more scary part of the story is that it took Tesla about a year to come up with some kind of solution to overcome the threat. As Tomer Ashur, a Belgian researcher part of that team, told Wired, “This attack is out there, and we’re not the only people in the world capable of coming up with it.”
Ashur and his colleagues, the Belgian researchers from a university located in the Dutch speaking part of their country, told Tesla’s MIS people about the hack in August 2017. While Tesla had what eventually became a dramatic backdrop of a new car launch that led them down a journey to controversial issues like insolvency that had them pitch a giant sized tent next to their factory to race against time, there was an ongoing problem quietly unfolding and racing against time in the background, of trying to permanently plug a back door hole in the giant sized dam that makes up the world of Tesla’s network that links all their cars out in the wild. It seemed that everything they were throwing at it wasn’t working. And as they went along with failed solutions, immediacy slowly, but gradually, became more of a priority.
Back in July Torque News reported about a mystery device seen on various security video footage of thieves in a procedural organized way, of using some kind of electronic handheld device and wanding it over or at any object, to somehow then have access to an adjacent vehicle and drive off with it. What we didn’t know at the time is that Tesla had been working on this problem the past year, they were told they had a problem by outsiders being unaware of it beforehand, and was having a difficult time solving it. It seems like Tesla used everything it had in its arsenal over the year to avert the threat, from things like over the air software updates, bringing in computer security experts, conferring with the outsourced company that makes the keys, hiring more software security engineers, to offering Model S customers with cars made after June 2018 new bunkered encrypted fobs for replacement. While Tesla and their key maker Pektron fix the damage and do damage control, the Cryptographic Hardware and Embedded Systems Conference in Amsterdam is coming soon, and the team that discovered the hack based at KU Leuven University, a school in the Flanders section of Belgium, will be submitting a paper from the whole experience.
Definition of a Relay Hack and What the Hack is Not
It is important to take note that based on this reporter’s research for this story and the previous one covered about the mystery device that was making car thieve’s jobs easier to do, which included two other sources for this one, several items were discovered to take note and bring context to both stories. The tools that were used in the previous story to non-Tesla cars was done with similar tools used in this one. Both are what is called a relay hack against keyless entry systems. In as much as there’s a Mac and PC universe, so too there seems to be in the relay hack world in that the equipment used to spoof keys for non-Tesla vehicles is a one-off occurrence. Once the stolen car is parked and shut off the spoof dies with the motor. What makes the Tesla hack more interesting, dangerous, and adds immediacy to Tesla finding a solution before the car theft worsens to become something like another felony pattern like grocery store or bank robbery or a felony evasion high speed chase with the police, is that a Tesla hack is a car key duplication that lasts.
What this reporter also notes looking at sources from both stories, is that he did not at any time have any reason to believe that items like Tesla’s mainframes or their core computer network that sends and receives information to the hundreds of thousands of cars Tesla has made over the years, were at any time under immediate attack. The issue is that Tesla was vulnerable that at first they didn’t even know it, for a year while they did. Based on the information reported, it appears as if Tesla’s network was for over a year since the Belgians told them in August of 2017, that there was a vulnerability, and the vulnerability made Tesla a target for a threat. Thankfully and in context, this incident involves only a few stolen cars. Mindful that the motive for this hack was grand theft auto, it required equipment purposefully designed to make encryption codes, and thus find the codes to do the hacking. If this crime was anything else but about car theft, it would have required another set of equipment and software to get into and then navigate the Tesla system. The first and only wall of the hacking was easy to do but are hard to find because the exposed vulnerability was obvious.
The next step however, once inside the car to try to hack further, becomes more increasingly difficult. But to get to that level where the car theft hackers were, left Tesla vulnerable for a whole year to anything cyber, including an outright attack, as they tried solution after solution that didn’t work or didn’t solve the entire problem. And for experts and critics, this is more concern for an alarm than what the actual threat poses. Had this happened to any of the legacy makers whose products are not linked through the internet, and that’s most of them, the problem wouldn’t pose a cyber security threat, but it would make things more expensive to fix that often requires a product recall.
For a car company like Tesla, no matter the firewalls they have, they are more vulnerable to attack as all their products are connected to be capable of doing things like communicate with Tesla or one another, receive over the air software updates, or learn from each other the mistakes their fellow cars make in AutoPilot mode. There is also more at stake here for Tesla and for public safety, as Tesla’s business model is accommodating their products even ones assembled in now what are past years, of being capable of being driven at Level 4 autonomous, or retrofitted more easily to do the same. Level 4 has different interpretations, depending who you ask. To some, that means the car has a “Ron Popeil” feature to “set it and forget it,” and sit in the back of the car and the car drives itself. These cars will all be networked to the same system that the cars thieves got access to, that left Tesla vulnerable and exposed to a threat for a whole year.
Here’s the Thing:
To put this all in terms more easy to understand, the car thief hacking is a dynamic that is the equivalent of a car thief who constantly plants himself on your front lawn past your locked gate and perimeter security system, to keep stealing your cars. Your system is set up to protect more what’s inside the house, not necessarily the cars outside. But the perimeter security system is part of and connected to the network inside the house, and if he can access the cars he can try to access the house. He may not be interested in burglarizing your home as it’s loaded with treasure troves of things, but locked down with several strong layers of access and protection, so he’s more interested in stealing your cars in the driveway. You’re pissed off that he always finds a way to defeat your security system to find a way in. You just don’t want him able to come on your property at all anywhere to begin with, that for a year he manages to do that this should be easy to solve. And for a year you throw up your arms in exasperation trying to stop him, but nothing works. Metaphorically, this has been the dynamic of Tesla’s computer security team the past year.
What the Hack Is
For most news agencies like this reporter’s, the source story came from Wired that gives in good detail for you hacker nerds, as to how the hack worked. WHat is different about the hacks in that report withnon-Tesla cars, is that This report will simplify it and post the YouTube re-enactment done by the researchers themselves, which is even more simplified:
Using what’s called a Proxmark radio, the thieves pick up the radio ID of the targeted Tesla locking system, which the car incidentally broadcasts at all times. One received, they go after the fob holder to get within 3 feet and grab that signal. They do this twice to trick the car too challenge the fob which allows the thieves to record the code. Put the code through a search engine to find the secret key, you’re in!
The Key Maker’s Sloppy Car Key Chain
For whatever reason the decision makers at Pektron chose, the core of the problem apparently was not necessarily about any carelessness, negligence, or recklessness on Tesla’s part, inasmuch as the flaw in the security system that protects these cars had an inherent but obvious flaw, that perhaps only academians who spend their lives studying these things could find. It took nine months of reverse engineering to trace the steps to find the vulnerability. That vulnerability, the researchers say, was Pektron’s choice for using a relatively weak key encryption to counter an attack chain that creates a hack. The irony is that the vulnerability wouldn’t have been discovered were it for a much stronger Pektron security encryption they could have given Tesla customers. Pektron is in the business of making keys for other vehicle makes and applications, and has state of the art equipment it uses and gives its clients like Tesla, which is why car companies like Tesla outsource these hard and software issues to other companies like Pektron. Why Pektron chose to use a weak encryption is befuddling, and it sounds like a fireable offense. As Tomer Asher, one of the Belgian researchers recently told Wired regarding the weak encryption: “It was a very foolish decision, somebody screwed up. Epically.”
Tesla seems to have solved its fob security issue. Tesla closed its Pandora’s Box to perhaps open others. Pektron clients like McClaren, Karma, and Triumph Motorcycles may have reason to become concerned as they use the same kind of security equipment, and can be just as vulnerable if their Pektron installers didn’t use strong encryption to stave off similar attacks to their vehicles. Other vehicle makers are surely watching this closely to see what their equipment and procedures are to counter such threats to their vehicles.
In response to the original Wired report, Pektron, Karma, and Triumph Morotorcycles did not respond for their request for comment. McClaren did on the Tesla hack: “While this potential method has not been proven to affect our cars and is considered to be a low risk, plus we have no knowledge of any McLaren vehicle being stolen by this or the previously reported ‘relay attack’ method, nevertheless we take the security of our vehicles and the concerns of our customers extremely seriously," a McLaren spokesperson writes. They told Wired they are investigating the hack and Pektron’s response to it, relative to how it might affect them.
McClaren is a niche bespoke luxury performance car maker of rare exotic cars that are purposefully engineered in certain characteristics to perform in a certain way. There aren’t too many McClarens in the wilderness that when you see one you notice it. That works toward their advantage if replacing every fob is a solution. But for most other car or vehicle companies where size, output volume, or internet connectivity is not an issue, like Tesla in all these categories for example, or for McClaren with its low production output, it becomes problematic for those makers when your products are not interconnected over the air, and pushing a software update is not a option, and a key fob crisis would be treated no differently than a product recall, which can cost the bottom line hundreds of millions of dollars.
Trade Offs With the Solutions
In the meantime the counter-response to such attacks ironically seems to parallel those issues we face with terrorism, and often entails balancing convenience verses security. McClaren’s immediate solution as they investigate, is to offer their customers a free “signal blocking pouch,” similar to the technology used to protect RFID cards in our wallets. But one of the most convenient features our newer cars gives us is the ability for them to detect us when we approach with our fob, no differently as if they too are our pets, to let them know we’re about to greet them. It’s a now process we think little about that a RFID blocker complicates in our relationship with them.
As if they’re wagging their tail, this is when our cars turn on their courtesy lights to say “here I am, and here you are so you can see,” while they boot up their computer to get ready in standby mode for you to start the motor, if gas, for you to engage in drive, if electric. While they do that, they’re going to unlock the doors, open the trunk or hatch for your groceries, maybe start the music as you finally settle in the driver’s seat and you both go off together on your next journey, in the way our pets do when they go crazy we come home or to the next stop if they’re with us. Getting into a car that has a computer is not the same as getting into an analog car, turn the key, and go, if under warm weather. A RFID blocker turns “keyless” into “pouchful” of inconvenience by the fob holder now having to take a fob out of a container.
As that year Tesla went through of trying to find a solution to this hack as tent drama unfolded outside, their ultimate solution inside other than offering new bunkered fobs, was to offer Model S customers a PIN code option to start their cars. This provides another layer that car thieves don’t need to deal with, as the element that helps them quickly steal and get away, is time. So ironically Model S owners have to ask themselves, as their cars get older, and OEM new parts are and always will be expensive and rare, and used ones become even more desirable and in more other places than eBay, what kind of line do they want to be waiting on? As this reporter knows from the other side of that window to take reports, waiting on a police complaint report line to report a stolen car isn’t long, but the wait on it sure is. How badly do you want to wait on that line?
A compromise solution in between RFID and PIN code perhaps might be for a Tesla customer to go into their screens and deactivate passive entry, which would revert the key fob back to 1990’s style of being just a clicker to unlock the door. The key technology is based on the same principles but there’s no more encryption code to hack. Remember that, back in the day? Those were for the same alarms that waled through the night!
In situations like these, companies pay what’s known as a “bug bounty” when outsiders approach their MIS computer people to make awareness of a vulnerability issue in their systems. In this case, Tesla paid the researchers $10,000 which makes for nice small grant money. And in doing that, the researchers sent Tesla on a long one year journey down a yellow brick road of trying to find a solution that apparently failed to the next solution. But first they had to research the researchers’ findings to verify what was it they found, before exposing it to their systems to find solutions. Then very much like making a car from the ground up, you take a fix from planning and draft to prototype and then testing at preproduction before production. Failure I’m sure occurred many times up to here. When those one or two fixes makes it up to production, and for cyber security fixes that means finding a way to incorporate into the manufacture process, you may even have failure there, as something that’s a fix can actually work, but there’s no way, no practical way, or no cheap way for you to put the fix into the design or assembly process, etc. Even when the fix is in those engineers I’m sure go home at times wondering if they’ll ever hear about the key fobs again.
All this while another crisis is brewing next to the factory with a tent to give it “the Greatest Show on Earth.” It is amazing when a company releases a statement about an event affecting them, to the hell they went though, that they’re obviously not interested in advertising it, so glossfully rolls over the event like it was nothing. Here’s Tesla’s response to Wired about the key fob crisis: "Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles," a Tesla spokesperson wrote to WIRED. "Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish."
Pandora’s Box with the keyfob is closed. The tent still drags on . . .
What’s your view on the Model S hacking? Let us know below!