Tesla’s Model X key allows the owner to unlock his car automatically by approaching the vehicle or pressing a button. In order to facilitate integration with Phone-as-as-key solutions that allow a smartphone app to unlock the car, the use of Bluetooth Low Energy (BLE) in key fobs is becoming increasingly common. The Tesla Model X key fob also uses this technology to communicate with the vehicle.
The researchers from Belgium took a closer look at the Tesla wireless locking system. Using a modified electronic control unit (ECU) from another vehicle of the same type, the researchers were able to wirelessly force key fobs to register themselves as connectable BLE devices at a distance of up to 5 meters. By reverse engineering the Tesla Model X key fob, the experts discovered that the BLE interface allows remote updates of the software running on the BLE chip. However, this update mechanism was not sufficiently secured. Thus, the researchers succeeded in wirelessly compromising a key ring and taking full control of it. "We were then able to obtain valid release messages to release the car later," says Lennert Wouters, a PhD student in the COSIC research group.