Researcher Lennert Wouters of the Catholic University of Leuven has found a beautiful way to steal a Tesla Model X by rewriting the firmware of the corporate key to the car. The photo below shows a jailbreak device consisting of a battery, a Raspberry Pi computer, and a Tesla on-board computer purchased during disassembly. The cost of the kit is about $ 300. For a successful attack (rather non-trivial), you will have to approach the car owner with the key in his pocket, and also rewrite the VIN in advance.
According to the researcher, the problem lies in the incorrect implementation of a sufficiently secure communication protocol between the key fob and the Model X on-board computer. First of all, the key firmware can be updated via Bluetooth, and the validity of the code is not checked in any way. True, the firmware update mode itself is non-standard, and to activate it, Wyters just needed a replacement Tesla on-board module.
Usually the Bluetooth module is activated in the Tesla dongle only after changing the battery. Wyters discovered that wireless can also be turned on from the car - the Body Control Module is responsible for that. This was found on eBay: there they are sold for $ 50-100. The next implementation error is a communication protocol in which the signal from the Body Control Module is authenticated by a code based on the last five digits of the VIN number. But you can just spy on it: it, like almost all cars, is visible under the windshield.
The next step: after connecting to the keychain, you need to rewrite its firmware. It, in turn, allows you to extract the secret key from the hardware store. This key allows the attacker to open the vehicle. But that's all. Start the car and drive away. To do this, while in the car, you need to connect to the CAN bus and force the built-in Body Control Module to register the intruder's key fob as trusted.
The result is a very beautiful and rather complex attack, a dramatic version of which is shown in the video above. Wyuters notes that the vulnerabilities of Tesla keys are not much different from those in cars from other manufacturers, it's just that Elon Musk's electric cars are more interesting to hack.
The scenario described is far from a nightmare for the manufacturer of a permanently connected car - a complete compromise of security systems remotely. Here and the owner will have to follow, and dig deeper in the car before the theft. But the same Tesla computerization, and specifically the ability to update the key firmware over the air, was beneficial when fixing bugs. In a similar situation, another owner would have to get to the service to reflash the keychain. Here the vulnerability was closed simply: the update flew into the car by air, and the key fobs were automatically stitched from it.
What else happened:
On Wednesday, there was a major outage in the Amazon Web Services cloud infrastructure. The US-EAST-1 cluster was unavailable for several hours, resulting in numerous disruptions to network services, including IoT devices such as Roomba vacuums and Amazon Ring smart bells. The detailed description of the incident reveals the reason: the OS limits on the number of threads of execution were accidentally exceeded. The affected servers had to be rebooted manually.
A critical vulnerability ( news , bulletin ) in a number of corporate VMware products has not yet been patched, but a temporary solution was shared that would prevent an attacker from executing commands remotely.
Another critical vulnerability in the MobileIron mobile device management system is actively exploited by cybercriminals.