Remember way back in 2018 when it was discovered that hackers could clone a Tesla Model S key fob with some basic gear and a few seconds’ time? It was pretty wild, but to its credit, Tesla reacted fairly quickly to fix the problem, and transitioned to a new key fob.
Well, guess what? It happened again, according to a Wired article published on Tuesday, and this time even those new key fobs are vulnerable. Researchers at a Belgian university — the same ones that outed the original flaw — announced their findings recently, and while the new method took a little longer and has to be done at a closer range, the new fobs were still not as secure as they were meant to be. Thankfully, Tesla again reacted quickly and has already rolled out a software update that will allow users to basically re-flash their fob in their car in just a couple of minutes.
So, just as a refresher, with the old key fobs, the problem lay with the way they were encrypted. The company that manufactured them, Pektron, only used a 40-bit encryption protocol, which was relatively easy to break. To fix the problem, Tesla and Pektron transitioned the fobs to 80-bit encryption, which should have been wildly more challenging to break.
That sounds great, but the vulnerability found by the Belgian researchers at KU Leuven University makes it so that instead of having to break the 80-bit encryption, they only had to break two 40-bit encryption keys. Is that better than the original fob’s single 40-bit key? Yes. Is it good enough? No, but that’s OK because Tesla also enabled a feature a while ago called PIN to Drive, which allows a vehicle owner to set a PIN code that has to be entered before the car can be driven. This is separate from the fob, and not affected by the vulnerability, but the vehicle owner had to enable it.
“While nothing can prevent against all vehicle thefts, Tesla has deployed several security enhancements, such as PIN to Drive, that makes them much less likely to occur,” said a Tesla representative in a statement. “Even though we are not aware of a single customer ever affected by the reported issue, and enabling PIN to Drive already prevents this from occurring, we’ve begun to release an over-the-air software update (part of 2019.32) that addresses this researcher’s findings and allows certain Model S owners to update their key fobs inside their car in less than two minutes.”
The good thing about the revelation of this vulnerability is, as Tesla said, that it doesn’t require a change of hardware and that a software update for Model S owners is on the way. Model X and Model 3 owners aren’t affected by all this because they don’t use the Pektron fobs.
Update, 4:51 p.m.: Clarified language surrounding the current status of the vulnerability.