This article comes from the WeChat public account Qubit (ID: QbitAI), authors: Jia Haonan, Mu Yi. Original title: “Tesla was exposed to low-level vulnerabilities: using Raspberry Pi DIY car key, unlocking takes only 90 seconds”. Title image from Visual China.

A Tesla Model X priced at 800,000 to 900,000 yuan can be driven away for only 2,000 yuan?

This is not some Tesla financing plan for buying a car; researchers from the University of Leuven in Belgium have broken through the security of the high-end Model X.

They spent only about 2,000 yuan on a DIY “car key” built around a Raspberry Pi computer, opened the car door in 90 seconds, and could drive away within a few minutes.

Keyless entry has truly become “keyless entry” in the literal sense.

So, where is the problem? And how did Tesla itself explain it?

The first loophole: how to get into the car?

The key is cloned by sitting near you unnoticed: while you are chatting and laughing with friends, your car key has already been copied without your knowing.

In the demonstration, the attacker approaches the car owner and, at close range (within 15 meters), uses a body control module (BCM) bought online to wake up the Bluetooth of the owner’s key fob.

In reality, a hacker would of course not swagger past you with a development board in hand, but hiding it in a backpack works perfectly well. The attacker also needs to read a string of digits from the target car’s windshield: the last five digits of the vehicle identification number (VIN).

From those digits, the attacker can generate a code that lets the purchased BCM prove its identity. It amounts to recreating the car’s own system.

Then, using this cloned BCM, the attacker wakes up a nearby key fob and proceeds to the next step of the attack.

The key to this step is rewriting the firmware on the owner’s key fob.

The Model X key fob connects over Bluetooth to the computer inside the Model X and receives firmware updates wirelessly.

However, there is a major vulnerability: the firmware update for the Model X key fob lacks a cryptographic signature proving that the update comes from a trusted source.

In layman’s terms, an update should prove that it comes from the official source and is safe, and the Model X key fob skips that verification step. So a hacker who has noted the last five digits from the windshield can disguise a Raspberry Pi as a Model X and trick your key fob into accepting a firmware update.

This firmware is the hacker’s own image; it can query the security chip in the key fob and generate an unlock code for the car. As a result, the attacker can easily connect to the target vehicle’s key fob via Bluetooth and rewrite its firmware.

Once the firmware has been replaced with the attacker’s version, it can be used to query the security chip (secure enclave chip) in the key fob.

After obtaining the unlock code, it is sent back to your car via Bluetooth, and the door opens.

The whole process takes only 90 seconds. Doesn’t it feel like a spy movie?
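The missing check described above is an update-source verification inside the key fob. The following is an added illustration, not Tesla’s or the researchers’ code: the image layout (a header of magic, version and length, then the payload, then a 32-byte tag), the field names and the keys are all constructed for this example, and an HMAC-SHA256 over header and payload stands in for the asymmetric signature (for instance ECDSA or Ed25519 against a public key burned into the fob) that a real fob would verify. The vulnerable path flashes whatever it is handed; the hardened path authenticates the image and also refuses downgrades.

```python
"""Firmware update acceptance on a key fob: vulnerable path beside hardened path.

Added example; formats, names and keys are constructed. HMAC-SHA256 is a
stand-in for a real asymmetric firmware signature.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
HDR = struct.Struct(">4sII")   # magic, version, payload length
TAG_LEN = 32

# Constructed vendor key. A production fob would hold only a public key.
VENDOR_KEY = b"example-vendor-signing-key"


def build_update(version, payload, key=VENDOR_KEY):
    """Pack an update image: header | payload | tag over header+payload."""
    header = HDR.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class KeyFob:
    def __init__(self, installed_version=1):
        self.version = installed_version
        self.firmware = b"original"

    def apply_update_unverified(self, image):
        """Vulnerable behaviour the article describes: no source check at all."""
        _magic, version, length = HDR.unpack_from(image)
        self.firmware = image[HDR.size:HDR.size + length]
        self.version = version
        return True

    def apply_update_verified(self, image):
        """Hardened: authenticate the image and refuse rollbacks before flashing."""
        if len(image) < HDR.size + TAG_LEN:
            return False
        magic, version, length = HDR.unpack_from(image)
        if magic != MAGIC or len(image) != HDR.size + length + TAG_LEN:
            return False
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False          # forged or tampered image
        if version <= self.version:
            return False          # anti-rollback: never accept an older or equal version
        self.firmware = body[HDR.size:]
        self.version = version
        return True


def demo():
    """Run both paths against a genuine, a forged and a tampered image."""
    genuine = build_update(2, b"vendor firmware v2")
    forged = build_update(3, b"attacker image", key=b"not-the-vendor-key")
    tampered = bytearray(genuine)
    tampered[HDR.size] ^= 0x01           # flip one payload bit
    tampered = bytes(tampered)

    results = {}
    fob = KeyFob()
    results["unverified_accepts_forged"] = fob.apply_update_unverified(forged)
    fob = KeyFob()
    results["verified_rejects_forged"] = not fob.apply_update_verified(forged)
    results["verified_rejects_tampered"] = not fob.apply_update_verified(tampered)
    results["verified_accepts_genuine"] = fob.apply_update_verified(genuine)
    results["verified_rejects_replay"] = not fob.apply_update_verified(genuine)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The replay case matters as much as the forgery case: a genuine but old image re-sent by an attacker would otherwise reintroduce a known-bad firmware version, so the version comparison is part of the check, not an optimisation.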

Second vulnerability: How to start the car?

Getting into the car is only half of “stealing the car”.

Starting the Tesla Model X and driving away requires some physical work.

The previous step, rewriting the key firmware and extracting the unlock code from the security chip, amounts to using the Bluetooth hardware on the DIY board to copy a key for the purpose of opening the door.

What needs to be done now is to make the real vehicle system recognize the fake key so the car can be started.

First, remove the storage compartment under the in-car screen. Inside the console there is a physical connector wired directly to the core of the vehicle control system, the CAN bus, to which the vehicle’s own BCM is attached.

Plug the DIY computer directly into this connector and you can send commands straight to the vehicle’s BCM.

The command instructs the vehicle’s computer to pair with the key the hacker generated, so that the vehicle can then be started without difficulty.

So where is the problem? Why does the DIY fake key pair with the car’s system without any obstacle? In fact, Tesla’s key fobs do carry a unique cryptographic certificate to verify their authenticity.

However, the BCM in the car never checks that certificate at any point. For a quick attacker, it takes only a few minutes from removing the storage compartment to driving the car away.
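The second fix named by the article is a BCM that inspects the key’s certificate before pairing. The following is an added illustration, not Tesla’s or the researchers’ code: the message formats and keys are constructed, and HMAC-SHA256 with per-fob secrets diversified from a manufacturer master key stands in for what a real design would do with a manufacturer public key, a per-fob certificate and a signature-based challenge-response. The vulnerable BCM pairs whatever key is presented; the hardened BCM first validates the certificate and then makes the fob prove possession of its key against a fresh nonce, so a copied certificate alone is not enough.

```python
"""Pairing a key fob with the vehicle BCM: unchecked path beside checked path.

Added example; keys and formats are constructed. Symmetric MACs stand in for
the certificate signature and challenge-response of a real design.
"""
import hashlib
import hmac
import os

# Constructed manufacturer keys. In a real design these would be public keys
# held by the BCM; here the BCM holds the symmetric master keys.
MFR_CERT_KEY = b"constructed-manufacturer-certificate-key"
MFR_FOB_KEY = b"constructed-manufacturer-fob-master-key"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def provision_fob(fob_id):
    """Factory step: a per-fob secret plus a certificate binding the id to the maker."""
    return {"id": fob_id,
            "cert": _mac(MFR_CERT_KEY, fob_id),
            "secret": _mac(MFR_FOB_KEY, fob_id)}


def unprovisioned_fob(fob_id):
    """A key built by someone without the manufacturer keys (constructed)."""
    return {"id": fob_id, "cert": os.urandom(32), "secret": os.urandom(32)}


def fob_respond(fob, nonce):
    """Fob side of the challenge-response: MAC the BCM's nonce with its secret."""
    return _mac(fob["secret"], nonce)


class BCM:
    def __init__(self):
        self.paired = set()

    def pair_unchecked(self, fob):
        """Vulnerable behaviour the article describes: the certificate is never inspected."""
        self.paired.add(fob["id"])
        return True

    def pair_checked(self, fob):
        """Hardened: verify the certificate, then require proof of key possession."""
        expected_cert = _mac(MFR_CERT_KEY, fob["id"])
        if not hmac.compare_digest(fob["cert"], expected_cert):
            return False                      # certificate not issued by the manufacturer
        nonce = os.urandom(16)                # fresh per attempt, defeats replay
        expected_resp = _mac(_mac(MFR_FOB_KEY, fob["id"]), nonce)
        if not hmac.compare_digest(fob_respond(fob, nonce), expected_resp):
            return False                      # holder of the id does not hold its key
        self.paired.add(fob["id"])
        return True


def demo():
    """Exercise both pairing paths with genuine, fake and certificate-copying fobs."""
    genuine = provision_fob(b"FOB-0001")
    fake = unprovisioned_fob(b"FOB-9999")
    # A fob that copied a genuine id and certificate but not the secret.
    copied_cert = dict(fake, id=genuine["id"], cert=genuine["cert"])
    return {
        "unchecked_accepts_fake": BCM().pair_unchecked(fake),
        "checked_rejects_fake": not BCM().pair_checked(fake),
        "checked_rejects_copied_cert": not BCM().pair_checked(copied_cert),
        "checked_accepts_genuine": BCM().pair_checked(genuine),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point of the second stage is that a certificate is public by nature: anything that can be read from a fob can be presented by a clone, so the BCM has to test for possession of the private material behind the certificate, not merely its presence.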

This is not the first time

This is not the first time Tesla’s wireless key has been compromised. Earlier, the Tesla Model S was also breached by researchers over a key issue.

The earlier Model S relied on encrypted key fob codes to control equipment in the car, trigger unlocking and disable its immobilizer.

In the summer of 2017, a research team from KU Leuven discovered that the Model S wireless key fob, produced by a manufacturer called Pektron, used only a weak 40-bit key for encryption.

The researchers found that once they had obtained two codes from any given key fob, they could work through the possibilities until they found the key that unlocks the car.

They then computed the possible combinations and organized them into a table. With this table and the two codes, the researchers said they could find the correct key to “steal” your car in 1.6 seconds.

The researchers informed Tesla of their findings in August 2017. Tesla thanked them for the research and paid them a “bounty” of $10,000.

However, this encryption risk was not resolved until the encryption was upgraded and PIN codes were added in the second half of 2018.

What did Tesla say?

Researchers from the University of Leuven notified Tesla of the security issue on August 17 this year. After confirming the vulnerability, Tesla began working on a fix.

Starting this week, Tesla will begin pushing the update that patches the vulnerability.

The fix has two parts: first, the key fob itself verifies the source of any firmware update; second, the vehicle BCM’s missing check of the key’s security certificate is repaired.

These updates will gradually reach all affected models within a month.

The researchers who found the vulnerability say that Tesla’s keyless entry technology is not fundamentally different from other cars’. Both use low-frequency radio waves (NFC) to send or receive an unlock code that unlocks the vehicle.

What is unique to Tesla is the Bluetooth component designed to let the key fob firmware accept OTA updates.

The security vulnerability at the OTA step lets hackers easily rewrite the firmware, gain access to the underlying security chip and generate the corresponding unlock code.

In the start-up phase, there is also no effective identity verification of the source of the radio-frequency signal.

At the same time, Tesla’s handling of the physical connector that links to the vehicle control module was far too careless.

So, without a keyless entry system with a Bluetooth OTA link, is there no risk? Not so.

Previously, Tesla’s security department said that NFC relay attacks are almost unsolvable.

This method is crude and simple: amplify the NFC signal of the car key within a certain range to unlock and start the car.

So not only Tesla, but all models that use NFC keyless entry technology are at risk.

In the future, can keyless entry still be used with confidence?