Connect with us

Hi, what are you looking for?


IoT Security

Hackers Can Clone Tesla Key Fobs in Seconds

Researchers claim to have discovered a new attack method that can be used to quickly clone the wireless key fob of Tesla Model S and possibly other vehicles.

Researchers claim to have discovered a new attack method that can be used to quickly clone the wireless key fob of Tesla Model S and possibly other vehicles.

The Passive Keyless Entry and Start (PKES) system is used by many high-end cars to unlock the doors and start the engine. The system relies on a paired key fob that needs to be in proximity of the vehicle.

PKES has been known to be vulnerable to relay attacks, which have been used to steal luxury vehicles. These attacks involved relaying messages between the car and the smart key by placing one hacking device near the key and one device in proximity of the car. This allows an attacker to open the door and start the engine even if the key is at a considerable distance from the vehicle. However, in these relay attacks, the car can only be unlocked and started once, while the legitimate key fob is in range.Tesla key fob can be cloned in seconds

A team from the COSIC research group at the KU Leuven university in Belgium has discovered a new attack method that can be used to clone key fobs in just seconds. Cloning a fob then allows the attacker to open and start a car whenever they wish.

“During normal operation the car periodically advertises its identifier. The key will receive the car’s identifier, if it is the expected car identifier the key fob will reply, signaling it is ready to receive a challenge,” the researchers explained in a blog post. “In the next step the car will transmit a random challenge to the key fob. The key fob computes a response and transmits it. After receiving the key fob’s response, the car must verify it before unlocking the doors. The same challenge response protocol is repeated to start the car.”

The team noted that there are several security issues during this process. For instance, there is no mutual authentication, allowing anyone to get a response from the key fob if they know the vehicle’s identifier, which is broadcasted by the vehicle and is easy to record.

There are also some crypto-related issues. Responses are computed using DST40, an outdated proprietary cipher that uses a 40-bit secret cryptographic key. Researchers showed more than a decade ago that the cryptographic key can be recovered using at least two challenge response pairs.

The attack described by KU Leuven researchers has four major phases. In the first phase, the attacker obtains the targeted vehicle’s identifier, which is transmitted periodically. The identifier is then used to impersonate the vehicle and send two challenges to the key fob.

Advertisement. Scroll to continue reading.

The response pairs are captured and the 40-bit encryption key can be recovered, allowing the attacker to impersonate the fob and unlock and start the car.

An attack can be conducted using Proxmark 3, a $400 tool designed for RFID analysis, from a distance of 1 meter (3 feet). However, experts believe the distance can be increased to up to 8 meters (26 feet) if purposely build antennas and transmission hardware are used.

This research focused on the PKES system used in the Tesla Model S. However, the analyzed PKES system is made by Pektron and is used by several other manufacturers, including McLaren, Karma and Triumph, which means their vehicles could be affected as well.

Tesla has worked with the researchers to implement measures that should prevent attacks, but none of the other companies responded to attempts to report the flaws.

Tesla was first notified of the vulnerability in August 2017 and the company addressed the issue in recent weeks by rolling out improved cryptography for key fobs and introducing an optional feature called “PIN to Drive,” which requires a PIN to be entered on the central console before the vehicle can be driven.

In general, these types of attacks can be prevented by keeping the key in a special box or pouch that blocks RF transmission. However, this defeats the purpose of the keyless entry and start system.

The researchers do not plan on making public any of the tools they have developed, but a paper containing technical details will become available soon.

Related: Tesla Model X Hacked by Chinese Experts

Related: Chinese Researchers Remotely Hack Tesla Model S

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.