STE WILLIAMS

40-bit punks smash weak crypto in Tesla keyless entry system

Boffins have sprung the bonnet on the weak crypto behind the keyless entry system in Tesla’s Model S car.

Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at the KU Leuven, a Belgian university – were able to clone a key fob, open the doors and drive away the electric sports car.

The problem was reported to Tesla and resolved in June, when the car maker upgraded the weak encryption that permitted the attack. Last month Tesla added an optional PIN as an additional defence.


In a statement, Tesla confirmed the fix, adding that the researchers involved had earned an unspecified bug bounty for their efforts.

“Due to the growing number of methods that can be used to steal many kinds of cars with passive entry systems, not just Teslas, we’ve rolled out a number of security enhancements to help our customers decrease the likelihood of unauthorized use of their vehicles.

“None of these options would be possible for any traditional automaker – our ability to update software over the air to improve functionality and security is unique.

“Based on the research presented by this group, we worked with our supplier to make our key fobs more secure by introducing more robust cryptography for Model S in June 2018. A corresponding software update for all Model S vehicles allows customers with cars built prior to June to switch to the new key fobs if they wish.

“In addition, we had already been working on several other over-the-air updates to help protect our customers from thefts – last year we introduced an update that allows all customers to turn off passive entry entirely, and this year we introduced PIN to Drive, which allows customers to set a unique PIN that needs to be entered before their vehicle is driven.”

Tesla added that it plans to add the security researchers to its Hall of Fame.

It was not a key relay attack, an established way to hack keyless cars, but rather an exploit of DST40, a technology shown to be weak 13 years ago by a group including noted cryptographer Matthew Green.

“I really feel like doing further research is redundant at this point, since my 2005 papers are apparently still good enough to pwn Tesla,” Green noted.

The research aimed to probe the resilience of Passive Keyless Entry and Start (PKES) systems, which allow drivers to unlock and start their vehicle once a paired key fob is within range – no additional interaction required.

Tesla was used as a proof of concept. However, other vehicle makers rely on keyless entry tech from the same vendor, Pektron.

“Everybody is making fun of Tesla for using a 40-bit key (and rightly so). But Tesla at least had a mechanism we could report to and fixed the problem once informed. McLaren, Karma, and Triumph use the same system and ignored us,” said a member of the team.

El Reg asked McLaren, Karma and Triumph Motorcycles to comment on the researchers’ criticism. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/tesla_hack/
