A Tesla hacker demonstrates how to open doors and turn on the electric motor

A hacker who successfully compromised Tesla's S and Y models could unlock the car, start the electric motor and drive away, suggested Sultan Qasim Khan, principal security consultant at NCC Group.

Although Tesla Inc. customers might love the carmaker's keyless entry system, one cybersecurity expert has shown how the same technology could enable thieves to steal some models of electric cars.

According to Sultan Qasim Khan, principal security consultant at the Manchester-based security firm NCC Group, a hack that targets S and Y Tesla models allows a thief to unlock the vehicle, start the motor and speed off.

Outsiders can fool the entry system into thinking the owner is physically near the car by redirecting communications between the owner's mobile phone and the vehicle.

Although he demonstrated the hack to Bloomberg News on one of Tesla's car models, Khan said the technique isn't specific to Tesla.

Khan made the attack work by tinkering with Tesla's keyless entry system, which runs on what's called Bluetooth Low Energy (BLE). There's no evidence that thieves have accessed Teslas through the hack.

A comment from the carmaker was not forthcoming. An official at NCC told Reuters that NCC sent a note to its clients on Sunday with details of its findings.

Tesla officials didn't deem the risk significant after Khan told them about the potential attack. Khan said the carmaker must change the keyless entry system and alter the hardware to fix it.

David Colombo, another security researcher, recently demonstrated how to hijack some functions on Tesla vehicles, including opening and closing doors, and controlling music volume.

The Bluetooth Low Energy protocol was designed to enable wireless communication between devices, but hackers are using it to break into smart technologies, including house locks, cars, phones, and laptops, Khan explained. NCC Group also targeted devices from a few other automakers and technology companies.

Khan said that keyless locks from Kwikset Corp. that work with iPhones or Android phones are also affected by the bug. According to Kwikset, customers who use iPhones to access the lock can enable two-factor authentication in the app. Additionally, a spokesperson said the iPhone-operated locks have a 30-second timeout to prevent tampering.

The company said it will update its Android app in the "summer." A spokesperson for Kwikset said that the security of its products is of the utmost importance. The company partners with well-known security companies to evaluate its products and remains committed to working with them so that its consumers receive the highest level of security.

The Bluetooth Special Interest Group (SIG), the collective of companies that manages Bluetooth, has said that the specifications include features that give product developers tools to secure communication between Bluetooth devices.

"The SIG also provides educational resources to the developer community to help them implement Bluetooth-based products with the appropriate security level, as well as a vulnerability response program that works with the security research community in response to vulnerabilities found in Bluetooth specifications."

Bluetooth sniffers identify devices by tracking their signals. They are often used by government agencies that manage roads to anonymously monitor drivers passing through urban areas. Khan, the author of Sniffle, the first open-source Bluetooth 5 sniffer, has discovered numerous vulnerabilities in NCC Group client products.

According to a study by a UK consumer group, more than 200 car models are susceptible to keyless theft using similar but slightly different methods such as spoofing wireless or radio signals.

In a demonstration for Bloomberg News, Khan carried out a relay attack using two small hardware devices. To unlock the car he used two relay devices, one placed approximately 15 yards from the Tesla owner's smartphone and the other near his laptop. Khan developed the technology using code he designed for Bluetooth development kits, which are sold online for less than $50.

In addition to Khan's custom software, the hardware needed costs approximately $100 and is readily available online. The hack takes less than ten seconds once the relays are set up, Khan said.

"If a Bluetooth passive entry car parked outside the owner's home were nearby, an attacker could walk up to the car at night using the owner's phone, and use this technique to unlock and start the vehicle," he explained.

"Once the device has been placed nearby the fob or phone, the attacker can send commands anywhere in the world," Khan said.
