Saturday, December 2, 2023

A Critical Vulnerability in Tesla Model S Let Hackers Clone The Car Key Within 2 Seconds & Steal Car

New cryptographic vulnerability in Tesla Model S key fob’s encryption allows hackers to clone the key and steal the car without touching the owners key.

Lennert Wouters, a security researcher from Belgian university KU Leuven and, his team revealed a new technique to bypass the Model S key fob’s encryption in Cryptographic Hardware and Embedded Systems conference in Atlanta.

A year ago, the Same researcher found the critical vulnerabilities in Telsa car let hackers break the Model S’s keyless entry system to unlock the car.

Soon after Tesla fixed the flaw and created a new version of its key fob but now the spotted another flaw that affected the new key fob.

Compare to the previous one, the new attack is more limited in its radio range and also take a few more seconds to break the system than the previous one.

Cracking the Encryption Keys

According to Wouters, “The vulnerability resides in the Key fob that manufactured by a firm called Pektron, comes down to a configuration bug that vastly reduces the time necessary to crack its encryption”

In the previous version, the 40-bit encryption key was to used that can be easily cracked by hackers to gain the key access. later, Tesla and Pektron’s upgrade the key strength to 80 bit which is extremely hard to crack.

But the new open the door for hackers to break the 80-bit encryption key by split into two 40 bit key.

According to Wired report, “That shortcut makes finding the key only twice as hard as before. “The new key fob is better than the first one, but with twice the resources, we could still make a copy, basically,”

To execute the attack, Proxmark and Yard Stick One radios and a Raspberry Pi minicomputer can be used to capture the radio signal from a parked Tesla and eventually used to spoof the car communication with the owner’s key fob.

Researcher demonstrates the attack by recording and breaking the encryption on the key fob’s response to derive the fob’s cryptographic key in less than two seconds to unlock the car.

According to the Tesla spokesperson,’ “there is no evidence that the key-cloning technique has been used in any thefts. “While nothing can prevent against all vehicle thefts, Tesla has deployed several security enhancements, such as PIN to Drive, that makes them much less likely to occur,”

Tesla implemented the same fix to key fobs for all new Model S vehicles last month, so anyone who bought a Model S since then doesn’t need to update. Other vehicles like the Model X and Model 3 aren’t affected, Wouters said.

This time Tesla pushing out an over-the-air update to the key fobs via cars’ internet connections instead of replacing hardware.

Lennert Wouters disclosed it in April of this year and Tesla rewarded him $5,000 under bug bounty for reporting this vulnerability.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and Hacking News updates.

Also Read:

Pwn2Own 2019 – Tesla Car Internet Browser Hacked – Hackers Won the Car & $545,000 in Total – Day 3

Ex-Tesla Employee Sued for Uploading an Autopilot Source Code to his iCloud and Shipped to China


Latest articles

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles