Outdated Tesla keyless fobs vulnerable to relay attacks that could make Model S easy to steal

Proprietary cipher used in the fob's handshake with the car can be intercepted and its secret key recovered

Tesla's Model S electric car could be vulnerable to thieves because of outdated cryptography in the keyless fobs that secure the vehicle.

Attacks against the Passive Keyless Entry and Start (PKES) system used on the Model S could also affect other makes and models that use the same technology.

The security flaws affect PKES technology supplied by a company called Pektron; so far the attack has only been demonstrated against the Tesla Model S.

According to the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Flanders, Belgium, PKES systems in general are exposed to relay attacks, and the Pektron system has a more serious weakness on top of that: its cryptographic key can be recovered from the fob.

"In this type of attack two adversaries relay the short-range communication over a long-range communication channel. Recent news reports and home security videos have shown that relay attacks are frequently used to steal luxury vehicles," warns KU Leuven's COSIC group.

To reduce the risk of relay attacks, makers of PKES technology have responded by introducing distance-bounding mechanisms, which reject responses that arrive too late to have come from a nearby fob.

Distance bounding does not help, however, against the problem the group identified in the Pektron technology used in the Model S: the proprietary DST40 cipher the fob uses to answer the car's challenge is out of date, and its key can be recovered. The researchers describe the exchange as follows.

"During normal operation the car periodically advertises its identifier (denoted ‘wake' in the figure below). The key will receive the car's identifier, if it is the expected car identifier the key fob will reply, signaling it is ready to receive a challenge.

"In the next step the car will transmit a random challenge to the key fob. The key fob computes a response and transmits it. After receiving the key fob's response, the car must verify it before unlocking the doors. The same challenge response protocol is repeated to start the car.

"The simple challenge-response protocol described earlier does have some issues. For example, the lack of mutual authentication allows anyone who knows the car's identifier to get responses from a key fob. This identifier is broadcast by the vehicle in the wake messages and can be recorded by anyone."

Even worse is the outdated 40-bit cryptography used for computing responses, the University's research continues: the DST40 cipher was reverse engineered more than 10 years ago (by Bono et al., who published a key-recovery attack on it at USENIX Security in 2005).

"DST40 transforms a 40-bit challenge into a 24-bit response… this transformation is dependent on a 40-bit secret cryptographic key. Additionally, because the response or output (24-bit) is smaller than the input or challenge (40-bit) there will be multiple cryptographic keys that produce the same response to a given challenge. Because of this, an attacker requires at least two challenge response pairs to recover the cryptographic key.

"Since the car's identifier is public we can transmit any chosen challenge to a key fob and observe the response. We can thus transmit the same challenge to each key fob we try to attack. The combination of a very small key-space and lack of mutual authentication allow us to perform a Time-Memory Trade-Off (TMTO) attack."
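The exchange quoted above (wake, chosen challenge, response) and the time-memory trade-off that follows from it, as an added example that is not COSIC's or Tesla's code. Everything about the real system that matters for the attack is an assumption here and is scaled down: the keyed transform is a stand-in (truncated HMAC-SHA256), not DST40, and the key and response are 16 and 12 bits instead of 40 and 24, so the whole key space can be tabulated in well under a second. The structure carries over unchanged: the response is narrower than the key, so the first pair leaves several candidate keys and a second pair is needed to single out the right one. The `MutualAuthFob` class at the end is an illustrative hardening, not the fix Tesla shipped, added to show that the attack hinges on the fob answering anyone who knows the car's public identifier.

```python
"""Toy model of the Model S PKES exchange and the chosen-challenge TMTO attack.
Added example, not COSIC's or Tesla's code.  Assumptions: toy_cipher is a
stand-in (truncated HMAC-SHA256), NOT DST40, and the key/response widths are
scaled down (16-bit key, 12-bit response; the real system has 40/24)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

KEY_BITS = 16
CHAL_BITS = 40
RESP_BITS = 12
CHOSEN_CHALLENGE = 0xA5A5A5A5A5   # attacker's fixed challenge, chosen once for the table


def toy_cipher(key: int, challenge: int) -> int:
    """Stand-in for DST40 (assumption): 40-bit challenge -> RESP_BITS-bit response."""
    mac = hmac.new(key.to_bytes(8, "big"), challenge.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << RESP_BITS) - 1)


class Car:
    def __init__(self, car_id: int, key: int):
        self.car_id, self.key, self._ctr = car_id, key, 0

    def wake(self) -> int:
        return self.car_id          # broadcast in the clear, so anyone can record it

    def challenge(self) -> int:
        self._ctr += 1              # deterministic stand-in for the car's RNG
        h = hashlib.sha256(b"car-rng" + self._ctr.to_bytes(4, "big")).digest()
        return int.from_bytes(h[:5], "big")

    def verify(self, challenge: int, response: int) -> bool:
        return toy_cipher(self.key, challenge) == response


class KeyFob:
    """Fob as described in the quote: answers whoever sends the expected car id."""
    def __init__(self, expected_car_id: int, key: int):
        self.expected_car_id, self.key = expected_car_id, key

    def on_wake(self, car_id: int) -> bool:
        return car_id == self.expected_car_id   # no proof the sender is the car

    def respond(self, challenge: int) -> int:
        return toy_cipher(self.key, challenge)


def build_table(chosen_challenge: int) -> dict:
    """Offline, once: every key's response to the chosen challenge, indexed by response."""
    table = defaultdict(list)
    for k in range(1 << KEY_BITS):
        table[toy_cipher(k, chosen_challenge)].append(k)
    return table


def recover_key(fob: KeyFob, recorded_car_id: int, table: dict, chosen_challenge: int):
    """Online: replay the recorded car id, send the chosen challenge, look the
    response up, then use further chosen challenges until one candidate is left.
    Returns (key, number of candidate keys after the first pair)."""
    if not fob.on_wake(recorded_car_id):
        return None, 0
    candidates = table[fob.respond(chosen_challenge)]
    n_after_first = len(candidates)
    extra = 1
    while len(candidates) > 1:          # second (third, ...) pair removes collisions
        r = fob.respond(extra)
        candidates = [k for k in candidates if toy_cipher(k, extra) == r]
        extra += 1
    return candidates[0], n_after_first


def unlock_with_clone(car: Car, recovered_key: int) -> bool:
    """A fob built from the recovered key passes the car's own check."""
    clone = KeyFob(car.car_id, recovered_key)
    c = car.challenge()
    return car.verify(c, clone.respond(c))


class MutualAuthFob(KeyFob):
    """Illustrative hardening (not what Tesla shipped): the fob challenges the car
    first and only answers a party that proves knowledge of the shared key."""
    def on_wake(self, car_id: int):
        if car_id != self.expected_car_id:
            return None
        self.nonce = secrets.randbits(CHAL_BITS)
        return self.nonce

    def respond(self, challenge: int, car_proof: int = None):
        nonce = getattr(self, "nonce", None)
        if nonce is None or car_proof != toy_cipher(self.key, nonce):
            return None                 # attacker holding only the car id gets nothing
        return toy_cipher(self.key, challenge)


if __name__ == "__main__":
    car = Car(car_id=0x1234, key=0xBEEF)
    fob = KeyFob(car.wake(), key=0xBEEF)
    table = build_table(CHOSEN_CHALLENGE)
    key, n = recover_key(fob, 0x1234, table, CHOSEN_CHALLENGE)
    print(f"candidates after one pair: {n}, recovered key: {key:#06x}, "
          f"clone unlocks car: {unlock_with_clone(car, key)}")
```

Note how the attacker never talks to the car during key recovery: the recorded `wake` identifier is enough to make the fob answer, and the expensive part (the table) is built once and reused against every fob, which is exactly the trade-off the researchers exploit.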

The University has produced a proof-of-concept video demonstrating how the attack works in the real world, using a Raspberry Pi 3 Model B+ and a number of other cheap components.

In the short term, Model S owners can keep their key fobs in a Faraday bag or metal box to block the RF transmissions. "Tesla Model S owners should [also] disable passive entry and enable the PIN to Drive feature," the researchers conclude.