How to hack a Tesla Model X in three steps
Oliver Bradshaw
Technical VPN Analyst
Or, how to steal a $100,000 car with $300 of equipment.
Somewhat pompously, Tesla bet a new Model 3 and almost $1,000,000 in cash. The challenge was to compromise the security system of its high-performance electric Model 3. The offer was made at this year’s Pwn2Own hacking competition. A little self-confidence can’t hurt, right?
Well, their Model X paid the price of overconfidence. Here is how the Tesla car was hacked:
Step 1: be Belgian
The jolly crew of researchers from COSIC, a research group at the University of Leuven (Belgium), has experience in hacking Teslas. Specifically, they already hacked a Model S in the past. Now they have successfully hacked a new Tesla Model X. The COSIC group took advantage of the BLE system in Tesla’s key fob.
Step 2: be extremely smart and educated
The Bluetooth Low Energy (BLE) system is used in communication between a key fob and a car. The technology also allows you to use your phone as a key and unlock your vehicle with a simple smartphone app. And that was the weak point of a lot of modern cars, especially Tesla models.
The COSIC research team modified an Electronic Control Unit (ECU) bought on eBay. Using the modified ECU, they manipulated the key fobs into advertising themselves as connectable BLE devices. Bingo! The update mechanism of the key fobs was the weakest link in the security chain.
Step 3: purchase $300 worth of kit
You will need:
- LiPo battery – $30
- Raspberry Pi – $35
- ECU from a salvaged vehicle – $100
- CAN shield – $30
- modified key fob – unknown price
Also, you will need the last five digits of the VIN. You can simply read them from the windshield of the Tesla Model X. With just that equipment, and a minute and a half near the car owner, you can clone the Tesla Model X key.
Using cheap equipment, the Belgian team managed to hack the state-of-the-art Model X in 90 seconds. But they didn’t just open the doors. They connected to the diagnostic connector and drove the car off. The COSIC team obtained full control of the vehicle.
The Belgian team informed Tesla of the security issues on Aug 17, 2020.
Unlike other car companies, Tesla acknowledged the mistake and even awarded the COSIC team with a ‘bug bounty.’
Nice move, Tesla.