back to article Pentester pops open Tesla Model 3 using low-cost Bluetooth module

Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor. Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has …

  1. jvf

    living in a fantasy

    In my world I don’t need keys because nobody steals anything. I can write Office macros to be productive because no one hacks anything. But, since I’m living in an unreal world I have to be careful. It starts with using a phone to make phone calls and little else.

  2. Loyal Commenter Silver badge

    Always-on Security Hole

    As I understand it, and I'm willing to concede that there may be some subtlety here that I haven't grasped, the root of the problem is that "passive" devices to unlock a car are always going to be open to relay attacks if they're always broadcasting / responding to broadcasts. Relying on limited range is a pretty obvious security weakness.

    What's wrong with having a key fob with a button you have to press? At least then the window of opportunity to perform an attack is vastly limited?

    1. HCV

      Re: Always-on Security Hole

      You might as well ask, "Why build a single-car rail transport tunnel?"

    2. Anonymous Coward
      Anonymous Coward

      Re: Always-on Security Hole

      What's wrong with having a key which you have to physically insert into a slot in order to lock/unlock a door? Oh, I know, 'for your convenience'. Like having escalators at the gym.

      1. Totally not a Cylon
        Linux

        Re: Always-on Security Hole

        When you live in a country where it goes below freezing; physical lock cylinders freeze solid and have to be thawed before a physical key works.

        Keyless entry and remote start are essential features in some countries.

        Penguin because they would need keyless entry........

        1. Piro Silver badge

          Re: Always-on Security Hole

          If it's that cold, the mechanism in the door would also be susceptible to freezing.

          Not to mention the fact that Tesla's presenting door handles (or even just the ones that flip out) would be impossible to use.

      2. DwarfPants
        Coat

        Re: Always-on Security Hole

        I understand the need for escalators from the gym, but not to it.

      3. Jimmy2Cows Silver badge
        Holmes

        Re: escalators at the gym

        Apparently disabled people like to use gyms too. Something about trying to lead as normal a life as possible, and not being stymied, stigmatised and excluded by other peoples' lack of imagination.

        1. Hey Nonny Nonny Mouse

          Re: escalators at the gym

          Yup, weird huh, how people who have lost mobility in some parts of their bodies like to try and keep the working bits in good condition.

    3. Phil O'Sophical Silver badge

      Re: Always-on Security Hole

      What's wrong with having a key fob with a button you have to press?

      Agreed. My new car came with keyless entry which must be disabled every time you lock the car if you don't want it. I never use it.

      Its one saving grace is that the key is only active for a few seconds after it's been moved. If left sitting on a table it becomes quiescent. That way it works when you're carrying it to the car, but can't be used for an unattended relay, which is quite a neat solution.

      1. Anonymous Coward
        Anonymous Coward

        Re: Always-on Security Hole

        Sounds like a good feature.

        My key has to live in a pouch which is a Faraday cage and at home the pouch lives in a steal box. Works for a keyfob but doesn't make much sense for a phone.

        Mind there are days when keeping the phone in a Faraday cage sounds like bliss.

        1. John Brown (no body) Silver badge

          Re: Always-on Security Hole

          "a steal box."

          I saw what you did there! :-)

          1. chivo243 Silver badge
            Headmaster

            Re: Always-on Security Hole

            "a steal box."

            I saw what you did there! :-)

            I'm not sure I see what you see!? :-}

            1. John Brown (no body) Silver badge

              Re: Always-on Security Hole

              The article is about "steeling" cars :-)

              (I'm really not sure if you're being ironic or really didn't get it.)

        2. Billy Whiz

          Re: Always-on Security Hole

          ...."and at home the pouch lives in a steal box".....

          Did you write "Beware of the Leopard" on the box?

      2. Def Silver badge

        Re: Always-on Security Hole

        Its one saving grace is that the key is only active for a few seconds after it's been moved. If left sitting on a table it becomes quiescent. That way it works when you're carrying it to the car, but can't be used for an unattended relay, which is quite a neat solution.

        While a nice idea, that only gets you so far.

        It wouldn't be much use against a pair of thieves working together where one follows you around a shopping centre, for example, while the other waits by your car.

      3. MachDiamond Silver badge

        Re: Always-on Security Hole

        "Its one saving grace is that the key is only active for a few seconds after it's been moved. If left sitting on a table it becomes quiescent."

        My car is older and the key fob doesn't do anything unless a button is pressed. It just sits there in an off state. It's the smart fobs that lend themselves to relay attacks and phone mediated systems too. Obviously, you can't be as lazy if you have to get your phone out, unlock and access an app over having only to have the phone in your pocket/bra and powered on.

    4. sreynolds Silver badge

      Re: Always-on Security Hole

      "What's wrong with having a key fob with a button you have to press? At least then the window of opportunity to perform an attack is vastly limited?"

      Well you're asking a bit much from your average Tesla user - note not driver. They expect to walk into a car while watching videos and to continue to be driven while watching video, as the recent England & Wales legislation allows them to do, whilst either mowing down cyclists or being driven to their death - in a game called Tesla roulette.

      So I would say pressing a button is beyond most Tesla users capabilities.

      1. MachDiamond Silver badge

        Re: Always-on Security Hole

        "So I would say pressing a button is beyond most Tesla users capabilities."

        So they have cars that don't have a key hole or even door handles given the latest prototype Cybertruck. I'm glad my car has a mechanical lock. Not too long ago the battery in my fob went flat and I had to use the key. No itch and I picked up a replacement battery that day while out running errands. What do you do if you are relying on your phone to use your car and drop it in the loo? Did you hear the one about the woman that dropped her phone in a "vault" toilet and fell in trying to retrieve it?

  3. Bitsminer Bronze badge

    hacked like any PC

    What do they say about personal computers?

    "If the bad guy has physical access to your computer, it is no longer your computer."

    The same is true of any car with radio/remote access. A physical key or encrypted push-a-button-to-unlock key is essential.

  4. wolfetone Silver badge

    I know someone who never locked their car. There was never anything in there to steal, and they reasoned that it'd save a massive clean up operation from him if the local dickhead smashed a window to discover he had nothing in the car.

    One morning in December he went down to the car to drive to work and some dickhead had smashed the window. Didn't even try the door.

    So while it's awful that a Tesla can be hacked like this, all cars can be hacked easily with a brick. No matter what the owner does.

    1. Jedit Silver badge
      Boffin

      "all cars can be hacked easily with a brick"

      It's a bit easier to spot a car that has been hacked with a brick, though.

  5. Howard Sway Silver badge

    the hack lets the attacker start the car and drive away too

    I suppose the only saving grace here is that the person who nicks your car this way is probably going to lose it pretty quickly to someone else who can steal it just as easily.

    1. Anonymous Coward
      Anonymous Coward

      Re: the hack lets the attacker start the car and drive away too

      Haven't I seen ads where the owner uses their phone app to have the car drive out of tight parking spaces?

      So not only can the thief open the car and drive it away, they can probably persuade the car to drive into the middle of the road without needing to actually get into the car.

      1. Martin-73 Silver badge

        Re: the hack lets the attacker start the car and drive away too

        You can also cause it to brake check the car behind by (as a pedestrian) trying to walk across the road anywhere near it (see Ashley Neal's latest video)

      2. John Brown (no body) Silver badge
        Joke

        Re: the hack lets the attacker start the car and drive away too

        "Haven't I seen ads where the owner uses their phone app to have the car drive out of tight parking spaces?"

        I seem to remember a huge advertising campaign stuck at the start of many VHS tapes and DVDs. IIRC, the strapline was "you wouldn't steal car, would you?". Clearly advertising doesn't work as it doesn't seem to have reduced let alone stopped car theft. Unless, I missed the point of the ad.

      3. MachDiamond Silver badge

        Re: the hack lets the attacker start the car and drive away too

        "So not only can the thief open the car and drive it away, they can probably persuade the car to drive into the middle of the road without needing to actually get into the car."

        GTA can set you up for a stay in the pokey, but a teen looking for fun might be very intrigued to see if an exploit they find on the internet will work to move a connected car to the middle of the street from their bedroom window at oh dark thirty. They may even have a laugh at turning on the lights and blasting the stereo at the same time.

  6. Mike 16 Silver badge

    defeated by simply cutting the latency of the relay process.

    Hmmm. Much of my career involved "cutting latency". It's not simple.

    Unless, of course, the latency of the (first implementation) relay device was needlessly much larger than expected, for reasons that were known but ignored.

    1. yetanotheraoc Silver badge

      Re: defeated by simply cutting the latency of the relay process.

      "cutting latency"

      I think the point was the owner can be _just_ outside the activation range, and the small added relay latency still allows the car to unlock. So in a large carpark you could have a criminal mastermind on a skateboard next to the car, a henchman (likely a him) walking near the owner, and the car could be driven away before the owner reaches the stairs. Convenience indeed.

      But where is the market for stolen Teslas? All the features that make them Teslas need the phone-home enabled.

      1. seven of five

        Re: defeated by simply cutting the latency of the relay process.

        Spare parts. Though the cult would like you to believe otherwise, these things break. Often.

      2. Martin an gof Silver badge

        Re: defeated by simply cutting the latency of the relay process.

        But where is the market for stolen Teslas? All the features that make them Teslas need the phone-home enabled.

        Never having looked seriously at a Tesla (way beyond my price range), is it possible that once unlocked, started and driven off it's possible to pair another phone? Instant new key. Unless of course there is some kind of 2FA involving an email to a previously-arranged account or sommat.

        M.

        1. Alex Brett

          Re: defeated by simply cutting the latency of the relay process.

          No, to pair a new key (physical or phone key) you need one of the existing actual RFID keycards to authorise it, so it's 'safe' from that point of view.

          It's also the case that once you park up and walk away, you will then be unable to get in and drive the car again without redoing the attack, which coupled with the fact the car will be reporting its GPS position to Tesla and the owner via the app means overall this is of pretty limited value for anything more than a one-off joyride.

          Pin to drive also defeats it, such that the only thing it allows you to do is get into the vehicle, which as others have said can be done with the use of a brick or similar anyway...

          1. Jimmy2Cows Silver badge

            Re: defeated by simply cutting the latency of the relay process.

            I feel like a lot of people who steal cars (and other things) are usually too stupid to research whether they'd still be able to use it after they've knicked it. Criminal masterminds they are not.

            Besides they tend to either crash it, burn it (or both), or thrash it straight to the nearest chop shop where it's shredded for parts and valuable metals. None of those situations needs the thief to know or care about pairing new keys.

          2. MachDiamond Silver badge

            Re: defeated by simply cutting the latency of the relay process.

            "It's also the case that once you park up and walk away, you will then be unable to get in and drive the car again without redoing the attack,"

            So you're saying that once started, the best move is to drive it into an enclosed truck/trailer that prevents the car from phoning home before its comms are disabled?

      3. MachDiamond Silver badge

        Re: defeated by simply cutting the latency of the relay process.

        "But where is the market for stolen Teslas?"

        Parts. The headlight for a Model 3 from Tesla is $880. The windshield is $1,200. All of the parts with a VIN number stamped into them can just be binned or sold as scrap. Is the big one piece casting that Sandy Munro was gushing over in use on Teslas or still in development. I know Tesla bought a couple of the casting machines. That's a big hunk of easy to recycle Aluminium that once cut up isn't particularly recognizable if the coppers are looking for a complete vehicle.

  7. spireite Silver badge

    Smartfobs, relay attacks and latency being the 'defence'??

    Is this possible to be classed as security through obscurity - in a loose sense?

    I'm a total hater of auto unlocking vehicles if the fob/gadget is within a certain distance.

    A friend of mine had a Beemer, which would auto-unlock when the keyfob got into proximity. Therein lay the problem.

    Drive forward into parking space

    Lock car

    Walk to boot, open boot.

    Lock

    Go inside the house....

    Go back out to move bins for tomorrow.

    Car unlocked, and you didn't know... because the bins were at the same range.

    It happened numerous times. A lot of the time he giveaway was that the wing mirrors had gone into normal position rather than folded - if you saw them.

    There is a price to pay for convenience, and it is a big one when it cost £40K plus!!

    1. the reluctant commentard

      Re: Smartfobs, relay attacks and latency being the 'defence'??

      Normally with systems like these, whether keyless or a key with a fob with buttons, if no doors are opened within a certain time of the car unlocking, it will simply lock itself again.

      1. Anonymous Coward
        Anonymous Coward

        Re: Smartfobs, relay attacks and latency being the 'defence'??

        I am foolish enough to own a Vauxhall. If you accidentally press the unlock button (by keeping your car key in your pocket, for example) it will indeed lock after (I think) 10 minutes. If you keep the unlock button pressed for a few seconds(again, possibly accidentally by having your car key in your pocket), then all the windows wind down and the car stays unlocked. For some reason this tends to happen to me when it's raining, of course.

        Vauxhall offer no way to disable this lovely feature, and cannot understand why I would want one.

        1. Jimmy2Cows Silver badge

          Re: Smartfobs, relay attacks and latency being the 'defence'??

          Ah "comfort opening" and "comfort closing". You can disable them but you need a Tech 2 or whatever they use now to get into the body control module and switch them off

          Vauxhall could, indeed should do it for you if you want to pay them the "diagnostic" charge to plug the computer in for a few minutes and fiddle with the settings.

          There are plenty of non-Vauxhall garages who can perform this if you don't want to pay Vauxhall's excessive diagnostic tax.

          1. Anonymous Coward
            Anonymous Coward

            Re: Smartfobs, relay attacks and latency being the 'defence'??

            Ooh! Thanks for that - I might just try it. I have other reasons for not going back to my local main dealer (apart from this), so I'll try to find an independent garage.

    2. MachDiamond Silver badge

      Re: Smartfobs, relay attacks and latency being the 'defence'??

      "A friend of mine had a Beemer, which would auto-unlock when the keyfob got into proximity. Therein lay the problem."

      That could be an issue, but many cars will re-lock if a door isn't opened within a short period of time. Mine will do that if I unlock it with the fob and don't open a door right away. I'm used to it now so if I'm unlocking the car and need to load things in, I'll open a door so it stays unlocked and I don't need to fumble in my pockets to do it again. The thing that worries me is if the car might re-lock for some reason that I don't expect and my keys are inside.

      1. pirxhh

        Re: Smartfobs, relay attacks and latency being the 'defence'??

        My 2012 VW will unlock only if you pull the handle (any front door or the trunk) while the key fob is in range.

        It is susceptible to a relay attack, though, requiring a bit of RF hardware.

  8. LeeWalton

    PIN to drive

    Tesla offer a feature to set a PIN which has to be entered to be able to drive the car, which owners are encouraged to use.

    So, whilst someone may be able to break into the car, they will not be able to drive it away if you follow the advice.

    1. Loyal Commenter Silver badge

      Re: PIN to drive

      "Offer a feature" which is turned off by default, according to the article I just read. If the owner is too lazy to want to physically unlock the car, do you think they are not also too lazy to turn on any non-default features?

    2. Charlie Clark Silver badge

      Re: PIN to drive

      Welcome to California, the home of unlimited liability: it's not enough to recommend people don't do something stupid!

    3. Piro Silver badge

      Re: PIN to drive

      So to solve a problem that was never a problem before keyless entry, we've created a new replacement for pressing the keyfob button. Genius.

      I actively do not want keyless entry.

      1. pirxhh

        Re: PIN to drive

        A fingerprint reader in the start button, or facial or voice recognition of registered drivers might work instead of a PIN.

        So you'd just need to greet your car with whatever cutesy (or not) nickname you choose... "Hello, you heap of c@#p, let's go!"

  9. umacf24

    This is not a problem

    The car is -- really -- owned by Tesla, and Tesla alone, regardless of who can drive it away.

  10. MachDiamond Silver badge

    Never underestimate lazy

    The ability to just walk up to the car and have it unlock saves time. The same thing with the charge port door opening automatically when you bring the charging plug close to it. What could possibly go wrong?

    I'm a total nerd with it comes to gadgets but I also value the K.I.S.S. principle. For something like a car, I don't want loads of "features" that can go wrong. If the medium fan setting stops working, I can deal with that. If a patch on a touch screen stops working, that might be $3k in a replacement cost if the car is out of warranty. If you break said touch screen accidentally, it's certainly not covered under warranty and if you don't have it repaired (can't buy the parts to do it yourself), it's more than the stereo that doesn't work anymore. I've had all sorts of strange things happen in a car. I put a bag of shopping in the passenger footwell and a soda can hit the seat rail and got a puncture. Sticky liquid all over the place. A coffee creamer pod sat out on the center console in the sun popped spraying artificial moo all over. Just one bizarre incident could render a car with massive single points of failures completely useless and expensive to fix. When it works, it's all very clever, When it doesn't, it's a very bad day.

  11. DrXym Silver badge

    Not a new attack

    People have had keyless entry cars stolen through similar attacks for years - they stick the keys on the hall table, thieves boost the key signal & jack the car from the outside the house. Any kind of proximity system is vulnerable to this.

    The mitigations to this sort of thing are fairly simple. Don't enable this keyless entry by default and require constant contact between the car and the key. If contact is lost the car should slow to a halt and alert the owner. The app could even track the vehicle, call the police, putting the car into a "distress" mode or whatever.

  12. Hey Nonny Nonny Mouse

    V2L/V2G power theft also possible?

    Seems there are quite some security concerns with all EVs.

    It's rather interesting that you can open the 'filler' cap on a Tesla with a simple replay attack using a cheap SDR transmitter (and perhaps even cheaper with off the shelf RF remote control modules)

    The inclusion of V2L/V2G capability in the Tesla and many other EVs leads to some interesting possibilities for power theft or just outright damage/mischief.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022