back to article Here's a fun idea: Try to unlock and drive away in someone else's Tesla

The first keys and locks appeared some 6,000 years ago and continue to work well. We use them to secure our homes and cars among many other things valued by us. But Big Tech – ever in search of solutions without problems – disdains anything that doesn't have a microchip in it. Apple, for example, thinks it would be wicked cool …

  1. Yet Another Anonymous coward Silver badge

    It's a feature

    The removable steering wheel is for security - just take it with you when you park

    1. Lee D Silver badge

      Re: It's a feature

      Patent already pending by Mr Bean.

    2. Mayday
      Coat

      Re: It's a feature

      Works for Formula 1.

      1. Jedit Silver badge
        Headmaster

        "Works for Formula 1."

        Actually it's against F1 rules to take your steering wheel with you when you leave your car. You've got to put it back on, as it doubles as a mooring point for the trackside cranes.

        1. John Robson Silver badge

          Re: "Works for Formula 1."

          Not a mooring point, but the Marshalls like being able to push the car around, and you need to be able to weigh the thing

          1. Jedit Silver badge
            IT Angle

            Re: "Works for Formula 1."

            I'm sure I recall Martin Brundle saying that was why you had to replace the steering wheel when you exited the vehicle. Has it changed?

            You're of course correct about moving the car and the weight mattering.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Works for Formula 1."

              The removable steering wheel is just 'cos they're all getting too tubby with all that sitting around all day...

        2. Anonymous Coward
          Anonymous Coward

          Re: "Works for Formula 1."

          I would imagine an F1 team would be slightly concerned the £75000 steering wheel was used as a crane mooring point...

    3. elsergiovolador Silver badge

      Re: It's a feature

      Bring your own steering wheel™

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a feature

        Mine is shiny and chrome.

        1. jake Silver badge

          Re: It's a feature

          Mine are flat-black, and usually hang on the roll cage when not in use.

          1. John Brown (no body) Silver badge
            Joke

            Re: It's a feature

            "Mine are flat-black, and usually hang on the roll cage when not in use."

            Doers that give a better view of the road on a long straight when rallying?

    4. big_D
      Trollface

      Re: It's a feature

      They had paid for full self driving mode, so the steering wheel is just decoration...

  2. TheMaskedMan Silver badge

    So, you unlock your car / house with your phone. What happens when you run out of charge and the charger is inside?

    1. DreamEater

      "So, you unlock your car / house with your phone. What happens when you run out of charge and the charger is inside?"

      You just slip the back off your phone and use the key hidden inside...oh wait...

      1. DS999 Silver badge

        You laugh

        But that's exactly the situation on my Audi. It is a smart key that lets me just open the door and it will automatically unlock if the key is within a few feet of the door, but in case the battery dies there is a key hidden inside that can be slipped out to unlock the door.

        Not sure how that key allows starting the car but I assume that's doable as well.

        1. Anonymous Coward
          Anonymous Coward

          Re: You laugh

          I'm afraid you'll have to do something unusual: read the manual :).

          For models with keyless start (i.e. a start/stop button), there is a place where you have to place the key so its RFID circuit can be picked up by the car, usually somewhere in the middle console. Once you've done that you will find it will start.

          You also need that location to resync the key in case it has lost battery power for too long, so worth looking up before you need it :).

          1. Solviva

            Re: You laugh

            On my Volvo it's quite obvious - they still have the slot where you'd insert the non-keyless key,

            1. GruntyMcPugh

              Re: You laugh

              A slot for a keyless key might have saved a former colleague of mine a right PITA. She'd spent the weekend camping, packed up, driven off, then some time later stopped for coffee. Returning to her car, she realised she didn't have her car key. It must have fallen out of her bag near her car, allowing her to start the car and drive off. She called the campsite but it had been a popular event and lots of cars had exited the car park since and the keys were not visible. So she needed recovery, and a replacement key,... all because you can start the car without knowing exactly where your key is. Not a fan of that idea myself.

              1. Timop

                Re: You laugh

                My car gives the most annoying beeps if car is running and you jump out and close the door behind you if you keep the key in your pocket. Well within the range where the fancy touch the sensor to unlock doors -feature works. I suppose there are different detection areas and door unlock and start engine use different circuits.

                I will definetly test at some point the multiple ways this arrangement will also fail in practice.

          2. Anonymous Coward
            Anonymous Coward

            Re: You laugh

            > I'm afraid you'll have to do something unusual: read the manual :).

            I'm afraid they've solved that problem too, modern cars don't come with a manual, they have an app

            The app will tell you millions of things about the car you can't imagine why anyone in their right minds would want, but bugger all about things you might need to know.

            Least ways that's my experience with a recent Merc. loaner car.

            1. Anonymous Coward
              Anonymous Coward

              Re: You laugh

              That'll be the app that's on the same phone as the key software that's just run out of batteries

              .... oh wait my car has the manual available on the computer inside the car ... if only I could open it to learn how to open it ....

            2. Anonymous Coward
              Anonymous Coward

              Re: You laugh

              NEVER give a Merc app your real data - give it an account you can wipe later and where possible fake personal data. I unavoidably had a Merc some 5 years ago and I still get spam. All efforts to have Mercedes delete my details have failed so it's about to hit the regulator when I find some time (note to self: read less El Reg so you actually have the time).

              1. Anonymous Coward
                Anonymous Coward

                Re: You laugh

                That sounds like fun. Merc are German, IIRC from the crap I had to do about GDPR the punishments for mishandling data of a German citizen are fairly draconian. :-)

              2. Doctor Syntax Silver badge

                Re: You laugh

                This is why you have your own domain so you can hand out individual email addresses and cancel them when they're finished with.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: You laugh

                  Yes, I did that since then. Now I create an alias for every entity I give an email address which makes it easy to work out who has been less than careful with my personal info, and I can zap the alias if the spam gets too much..

                2. jake Silver badge

                  Re: You laugh

                  "This is why you have your own domain so you can hand out individual email addresses and cancel them when they're finished with."

                  Your email daemon still has to bounce the junk mail (or bit-bucket it, if you prefer).

                  Personally, I'd rather cancel the spammer and not have to deal with it at all.

                  1. Alumoi Silver badge

                    Re: You laugh

                    You know, in most countries, there are rules against canceling another human being.

                    Of course, spammers are not human beings but, still...

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: You laugh

                      ...still, they are protected by the 1st Amendment if they are located in the USA...

                      Otherwise, they are fair game.

                      1. cmdrklarg

                        Re: You laugh

                        The First only stops the government from infringing on one's speech (theoretically). It does not protect one from private entities, nor does it protect one from any consequences of their speech.

                  2. Crypto Monad Silver badge

                    Re: You laugh

                    Your email daemon still has to bounce the junk mail (or bit-bucket it, if you prefer).

                    You could use addresses with subdomains instead. When you delete a subdomain, the sender has no way to route it, and it will be bounced at their side.

                  3. Doctor Syntax Silver badge

                    Re: You laugh

                    "Your email daemon still has to bounce the junk mail"

                    That's Mythic Beast's daemon, not mine.

                  4. RedVulture

                    Re: You laugh

                    Or get yourself simplelogin plugin from ProtonMail. It allows you create throwaway email addresses that forwards all emails to your inbox and you can deleted when done with the email. I think you may need a ProtonMail account but that's free and secure anyway.

                3. CrazyOldCatMan Silver badge

                  Re: You laugh

                  This is why you have your own domain so you can hand out individual email addresses

                  Or, like in my case, have your email address as the catchall address for the domain. Each email address I give out is in the form of [person]-[website/company]@... That way, if I start getting spam to that address, I know who has leaked my details (or is improperly using them) and can do a GDPR complaint against them.

                  And block that email variant address in the SMTP proxy on my firewall.

                  There's only a few in the block list at the moment - the most prominant of which is my linkedin variant - got *lots* of spam going to that.

              3. elsergiovolador Silver badge

                Re: You laugh

                I am having a car of different brand and they keep sending me info about some guy's car. They said they are unable to stop these notifications, they tried multiple times...

                So yeah, it's nice to receive notifications that Mr M has his service due or invites to member's only events.

                1. jake Silver badge

                  Re: You laugh

                  I get SMS "emergency" messages from Dominican University of California. I have never been enrolled at, have never worked for, nor in any other way been affiliated with Dominican. Read the rest of the stupidity here:

                  https://forums.theregister.com/forum/all/2019/11/12/gary_email_mixup_pt2_dartford_toll_bridge/#c_3913782

                  It's been over four years since that post, close to ten years since the first message. I *still* get SMS "emergency" messages from Dominican.

            3. DS999 Silver badge

              Re: You laugh

              modern cars don't come with a manual, they have an app

              They still have a manual you can download, I have a copy of it on my iPhone (stored locally so I can read it without internet access) Of course as it is 300 pages I will never read it just like I never read the paper manuals that came with past cars. I'll refer to what I need to refer to if/when the need arises.

              1. CrazyOldCatMan Silver badge

                Re: You laugh

                They still have a manual you can download

                My 5-year old Toyota came with a physical manual..

                I read it once (mostly to see how the auto-parking worked - I've never used it because I don't trust it) and it currently lives in the sideboard cupboard with all the other manuals I never read.

                1. Martin-73 Silver badge

                  Re: You laugh

                  Indeed, 5 year old citroen van came with a paper manual... which is handy, because it's VERY french

                2. cmdrklarg

                  Re: You laugh

                  My 2022 Toyota still has a physical manual as well. I pull it out of the glove box occasionally to figure out just what all the buttons with icons actually do.

            4. midcapwarrior

              Re: You laugh

              My 2020 Audi came with both

    2. Anonymous Coward
      Anonymous Coward

      You find someone else with a Tesla to unlock your car for you.

      Did you even read the article?

      ;)

      1. Anonymous Coward
        Anonymous Coward

        Though for added security, it needs to be the same color.

        1. DS999 Silver badge
          Facepalm

          I knew I shouldn't have ordered the puke green paint color!

      2. TheMaskedMan Silver badge

        "You find someone else with a Tesla to unlock your car for you."

        You certainly won't be phoning a friend

    3. Michael Wojcik Silver badge

      So, you unlock your car / house with your phone. What happens when you run out of charge and the charger is inside?

      Yes. Smartphones are terrible authenticators. They're fragile: besides the power problem, they're full of sensitive electronics that can easily go bad for any number of electrical, chemical, and mechanical reasons. (I'm careful with my phones, but since I moved from feature phones to smartphones few have lasted more than a year.) They're easy to lose, because they're small and usually not tethered to anything and people take them out all the time. They're prominent theft targets.

      They're also riddled with software security vulnerabilities and many people are prone to installing insecure or malicious applications.

      Using a smartphone as an authenticator – whether it's a primary authenticator, as in this case, or part of a multifactor scheme – is a lousy idea. It's popular with security experts because most of the users they care about already have a smartphone, so there's no additional hardware to deploy. But it introduces a host of failure modes.

      1. veti Silver badge

        (I'm careful with my phones, but since I moved from feature phones to smartphones few have lasted more than a year.)

        For real? What do you do with them?

        My current smartphone is almost five years old and (touch wood) showing no serious signs of failure yet - battery is still strong, screen is slightly scratched but not obtrusively so. The memory card is getting a bit full, I need to delete some data, but that's about all that's wrong with it.

        The charging cable is another story, that is really past it, but fortunately the charging port is interchangeable with everything else.

  3. 7teven 4ect

    But physical keys can be hacked

    Especially in the digital age. Check out Deviant Olam on youtube.

    Keys can be copied from pictures of keys, any lock can be defeated.

    The illusion of security keeps insurers and sheep happy, but not the wise.

    1. Anonymous Coward
      Anonymous Coward

      Re: But physical keys can be hacked

      Did you read the article? What you describe is somebody who is intending to break in. It's known that keys can be copied. I've seen a locksmith open a door because of a lost physical key, took 5 minutes with a battery drill, none of the neighbors noticed.

      But here, the driver broke in the wrong Tesla without intending to, without even noticing. It's a whole new level of crap lock.

      1. Arty Effem

        Re: But physical keys can be hacked

        "I've seen a locksmith open a door because of a lost physical key, took 5 minutes with a battery drill,"

        That person had no business describing himself as a locksmith.

        1. Stork

          Re: But physical keys can be hacked

          Depends. I’ve seen it done in a case where the key had broken inside

          1. Anonymous Coward
            Anonymous Coward

            Re: But physical keys can be hacked

            There's a special hook for that, comes with just about every set of lock picks (don't ask me how I know).

            That too would not need a drill.

            1. jake Silver badge

              Re: But physical keys can be hacked

              Usually doesn't even need "a special hook". Keys get work-hardened at the point where the twisting force is maximized. They break right at the top of the cylinder, with no twisting in the body of the lock. Usually a bit of chewing gum or bluetack will wiggle the busted bit out ... if your multitool can't grab it.

              1. Neil Barnes Silver badge

                Re: But physical keys can be hacked

                Quote=The LPL: And that's all I have for you this time...

          2. jake Silver badge

            Re: But physical keys can be hacked

            The OP said the key was lost, not broken off inside..

      2. werdsmith Silver badge

        Re: But physical keys can be hacked

        But here, the driver broke in the wrong Tesla without intending to, without even noticing. It's a whole new level of crap lock.

        Nothing new about it. I recounted this event right here on Register comments not too long ago. I drove several metres before I realised the interior trim on my car had changed colour. Decades ago, my first company car. I had got into another Ford the same colour and drove it away. Using the good old fashioned key, which nobody ever lost, or bent. In a good old fashioned lock that nobody ever turned using a screwdriver blade, or half a tennis ball.

        1. Anonymous Coward
          Anonymous Coward

          Re: But physical keys can be hacked

          Yeah seriously, there have easily been a dozen model cars over the years that repeated the same mistake, using too few standard key blanks on the production line resulting in mixed up cars at mall parking lots, grocery stores, etc.

          The amazing thing here is how it would happen to a phone based or digital key, where they really aught not be making those mistakes. You can only have so many pins/wafers/tumblers/levers in a regular keyway before things get silly. The locks on a Tesla shouldn't have that problem in a phone app. That is either a nasty bug, or a serious faceplant in the design of the system. As cheap as binary bits are, collisions between two devices should be something that happens on geologic time scales.

          Even if the door is stuck with a simpler reader, it should be triggering an out of band handshake if it can't support sufficient entropy to prevent people driving off in each others cars.

          1. Neil Barnes Silver badge

            Re: But physical keys can be hacked

            If only there were some sort of index number easily visible on the vehicle... I mean, particularly if you're parked next to an other similar car, wouldn't you check which was yours?

            1. Rich 11 Silver badge

              Re: But physical keys can be hacked

              The neighbour's kids have kindly helped me to readily identify my car, by spray-painting 'Dickhead!' on the driver's door.

              I'm just impressed that they knew where to use a capital letter.

              1. Mike 125

                Re: But physical keys can be hacked

                > kids have helped me to readily identify my car, by spray-painting 'Dickhead!'

                Dumbass kids.

                Smart kids would've sprayed Dickhead on the neighbour's car to confuse you.

                1. General Purpose

                  Re: But physical keys can be hacked

                  Really smart kids spray it on every car except one, so everyone knows who to blame.

            2. werdsmith Silver badge

              Re: But physical keys can be hacked

              If only there were some sort of index number easily visible on the vehicle... I mean, particularly if you're parked next to an other similar car, wouldn't you check which was yours?

              It wasn't parked next to it. It was in a very similar adjacent car park. I mean, wouldn't you just assume they were next to each other even though the comment never mentioned them being next to each other. ? FFS what a thicko.

              .

            3. John Brown (no body) Silver badge

              Re: But physical keys can be hacked

              "If only there were some sort of index number easily visible on the vehicle... I mean, particularly if you're parked next to an other similar car, wouldn't you check which was yours?"

              Good point. But in a hurry and they "key" just unlocked the car and probably flashed the lights so "obviously" that must be "yours" :-)

          2. CrazyOldCatMan Silver badge

            Re: But physical keys can be hacked

            using too few standard key blanks on the production line

            Or, like my old Cortina, having locks so badly made that they could be opened with a screwdriver..

            (Or like the old guy that does the Morris Minor servicing - he turn up in a 1930's Austin - it doesn't have door locks at all because they didn't think they were needed.)

            1. Strahd Ivarius Silver badge
              Joke

              Re: But physical keys can be hacked

              And some previous version didn't have any door at all!

        2. DJO Silver badge

          Re: But physical keys can be hacked

          Same as it ever was.

          Many many years ago a company I was at bought 4 brand new Ford Escort vans, two of them had exactly the same key. Actually in that circumstance it was useful.

      3. vtcodger Silver badge

        Re: But physical keys can be hacked

        FWIW, one physical key working in multiple, otherwise unrelated, cars is a well-known situation.

        ... pause while internet is consulted ... ah yes, here it is.

        In fact, major car manufacturers such as Honda, Toyota, and Ford use approximately 3500 distinct key combinations. Therefore, the odds are reasonably good that someone else out there may have the same keys you do.... Locksmithhttps://www.txpremierlocksmith.com › twin-car-keys-key-..

        That reflects the physical limitations of practical physical keys -- the number of tumbler positions and levels at each position that will work reliably even after years of wear. One might think that electronic locks could have enough bits for every key to be unique, but apparently not.

        1. Crypto Monad Silver badge

          Re: But physical keys can be hacked

          Honda, Toyota, and Ford use approximately 3500 distinct key combinations. Therefore, the odds are reasonably good that someone else out there may have the same keys you do....

          The birthday problem/paradox then says you only need to have sqrt(3500) = 59 of the same model of car, before it's likely that at least one pair of them will share the same key.

    2. usbac

      Re: But physical keys can be hacked

      Or, check out TheLockpickingLawyer's channel.

      1. ITMA Silver badge
        Devil

        Re: But physical keys can be hacked

        Oh for the days when a dent-puller would quite neatly remove the barrel from most car locks...

        Did I say that?

        I wasn't there - honestly officer!

    3. jake Silver badge

      Re: But physical keys can be hacked

      Who needs keys, much less pictures of keys?

      All locks do is prevent crimes of opportunity. Determined crooks will either defeat them, or go around them. Usually in a minute or two at the most.

      1. veti Silver badge

        Re: But physical keys can be hacked

        "Determined crooks" can get around, or through, anything. That's the basis of many tedious movies.

        But only a tiny handful of crooks are "determined". The vast majority are looking for a soft target, they're not going to spend hours of time on planning or training or researching how to steal your car when your neighbour has made theirs that much easier, by leaving the keys in.

  4. aregross

    Cop Car Keys

    Back in the early '70s I owned a '67 Chevy Cop Car that had a special ignition key.... it would unlock the doors and fit the ignition of almost any GM product back to ~'64. I only tried it on peeps cars I knew and had permission from but still, it was pretty surprising!

    1. Anonymous Coward
      Anonymous Coward

      Re: Cop Car Keys

      Back at the end of the 70s a school friend was given his dad's old Ford Capri, I had a special key that would open it and almost any Ford of that period. It was called a screw driver. To be fair it wasn't just Fords you could often open with a screw driver.

      1. Diamandi Lucas

        Re: Cop Car Keys

        Australian Fords came with the special key built in, it's the Automatic Transmission Dipstick. Dad's 1984 Falcon Station Wagon was stolen and found with part of the Auto dipstick in the ignition.

    2. Doctor Syntax Silver badge

      Re: Cop Car Keys

      I had a Subaru with a key and/or lock so worn that the key could be taken out of the ignition without turning it off first. I found out by discovering the key had fallen out whilst I was driving. Great for cold mornings; start the car, take out the key, lock the car and go back indoors until it had defrosted the windows.

  5. Anonymous Coward
    Anonymous Coward

    Electronic keys can never be secure. Ever.

    I send the key.

    You see the key and unlock,

    You change the key,

    The key changes.

    In theory by a five year old this is perfect but anyone with half a brain asks the following of what would happen if.

    You send the key.

    It doesn't get the key.

    Someone else then sends that key.

    They get the new key.

    Their key is now the key and your key won't work.

    No amount of encryption is ever going to fix that.

    Add to that whatever lazy arse programming (or avoiding customer issues and associated costs) was put into this and it's a recipe for disaster.

    At the end of the day even physical keys are pretty useless but they take time. This is one of the basic tenets of life. If you can design something then someone can look at that design and break it. Look at Windows ME. Nearly every single device manufacturer managed to break that with simple device drivers and they weren't even trying to.

    1. John H Woods

      Whilst you're not wrong ...

      ... that remote keys can be defeated, rolling key codes are a thing, and it's not quite as simple as your "anyone with half a brain" scenario suggests.

      If someone has a previous capture of your keyfob transmission, there is usually a limited time window in which they can use it (provided they defeated your vehicle from receiving it, and rolling to the next code). And even if they use it in that window, it's often a one-time thing - they don't have "the new key" without a bit more work. They could, for instance, very well find they have opened the car but can't drive it off.

      1. Anonymous Coward
        Anonymous Coward

        No that was pretty much all wrong. As were many "wireless key" and garage door openers.

        I give a pass to the really old stuff in the pre or barely transistor era. To make those secure you needed to be clever, and the results were expensive.

        These days there should be no excuses, but there is plenty of hot garbage being passed off on the public. But lets be clear, this is a solved problem, on basic hardware, and probably since the mid 90's. But the same type of idiots that developed the first 15 years of WiFi protocols made most car remotes, garage door openers(that still can't be programmed to accept the signal from your car remote, unless it has a dedicated garage door button), swipe cards for access control systems, etc. etc, ad nauseum

        This is basic encryption, and can be safely handled with public keys, time based one time passwords, or symmetric keys with a wrapper and proper salting. But the manufacturers seem allergic to anything that makes round trip/bi-directional communications necessary. The government also hasn't been great at allocating a small slice of dedicated frequency in one of the good bands for a modern remote or wireless key system. They ought to have the FCC cough up a slice to the winner of a NIST competition like the other encryption standards. One protocol family, independently designed, and standard to all manufacturers that are allowed to use the band. On a frequency that isn't limited to line of sight in a normal building and can reach at least part way across a parking lot.

        IN broad strokes the remote would chirp a short alert that the door/car/device would listen for. The device would chirp back a nonce the remote would use to build it's reply, which the device can then validate without exposing the remotes private key. It's not rocket science or brain surgery.

    2. Mayday
      Facepalm

      Electronic keys

      I presume you’ve never used a proximity card to enter an office building, data centre or some other facility then?

    3. Anonymous Coward
      Anonymous Coward

      The rolling key algorithm is a bit like 2FA, it needs a shared secret to work. That's why criminals tend to longline the radio signal of the actual owner's key, it's much harder to break the code. This is also why a new key needs to be synched against the vehicle's system - that is when the key exchange takes place.

      Not all of these systems are perfect so there have been some rather embarassing problems but overall it seems to work because otherwise you would no longer be able to insure a car against theft. Heaven forbid an insurance would actually have to pay out - trust them to be pretty much immediately on the manufacturer's case.

      Of course, with Tesla they would either have to tweet to Musk or send a summons to the actual company to get anyone to talk to them, but in general insurance companies like to avoid giving back any of the loot they get off their customers so they'll be knocking on your door pretty quickly if you have a volume problem - which Tesla seems to have. Again.

      1. Anonymous Coward
        Anonymous Coward

        https://www.thisismoney.co.uk/money/cars/article-6828053/The-keyless-car-crime-loophole-thieves-use-electronic-trickery-insurers-refuse-pay-out.html

        They just don't pay out or in fact refuse to insure.

        https://www.thetimes.co.uk/article/thefts-make-keyless-range-rover-bmw-and-mercedes-cars-uninsurable-vtnthfht5#:~:text=%E2%80%9CIt's%20slowly%20happening%20but%20certain,fob%2C%20which%20contains%20a%20transmitter.

    4. Solviva

      Simple just like any other smart card (although manufacturers may go the dumb route). Key says "hello" to car, car replies "calculate the answer to X using your private key". Key replies with correctly calculated answer. You can record this, but unless the car asks the same question twice, your recording isn't of any use,

      Then there's the relays used for stealing cars when the key is still in the house - it shouldn't be difficult to calculate the latency of the comms to decide how close the actual key is i.e. 1m away or 5m away.

    5. claimed Silver badge

      Never heard of https then?

      You don’t need to send the key, just prove you have it.

      1. Michael Wojcik Silver badge

        Which has exactly what to do with HTTPS? (Please, for the love of god, don't let any auto manufacturer be using HTTP in their door-unlocking protocol.)

        Perhaps you meant "asymmetric cryptography", which is very much not co-extensive with HTTPS. Nor is it a particularly good way to implement a door-unlocking protocol. TOTP is better, though clock synchronization after power failure is a problem for devices that don't have access to a relatively trustworthy external time source. Rolling codes is the most common solution; challenge-response, if both devices have sufficient capability, is better.

        Asymmetric cryptography is overly resource-intensive and over-engineered for the problem, since (as jake pointed out) locks only exist to deter crimes of opportunity anyway.

  6. Eclectic Man Silver badge
    Unhappy

    Is this your car, Sir?

    While I'm glad it all ended well for Rajesh and Mahmoud, I wonder what the insurance situation was? In the 10 minutes Rajesh was driving someone else's car without their permission or knowledge he was almost certainly not insured. And on being stopped by the police and asked if it was his car, Rajesh could have been in quite a bit of trouble.

    Admittedly the AA does this thing where you can have yourself rather than the car covered for car breakdowns*, so that if you are being given a lift you can call them out to help, but I don't think any insurance companies cover taking someone else's car without their permission, unless you are a police officer requisitioning the vehicle for official business.

    BTW I recently had a mechanic come round to repair my car and he was insistent that I should only use the buttons on the key to lock and unlock the car as it can affect the immobiliser if I just turned the key on the lock.

    Life is just getting too complicated for a bear of very little brain**, such as myself.

    *Just car breakdowns, mental ones are done by the NHS, if you are lucky.

    **Now out of copyright.

    1. Solviva

      Re: Is this your car, Sir?

      Wouldn't be a problem in Sweden where rather sensibly the car is insured, not the driver.

      1. that one in the corner Silver badge

        Re: Is this your car, Sir?

        > rather sensibly the car is insured, not the driver.

        The car is insured - for *any* driver, not just the named ones on the policy?

        So if I - ahem - borrow - your car (with every intention of bringing it back before you wake up, no "intent to deprive" here) I'l be fully insured during the joyride? Sounds good.

        1. An_Old_Dog Silver badge
          Happy

          Re: Is this your car, Sir?

          Similarly, is the insurance restricted to a specific class of vehicle? If I've got "car insurance" in Sweden, can I borrow a long-haul truck-tractor from a friend, hop in, (at least try to) drive off, and still be "insured"?

          1. jake Silver badge

            Re: Is this your car, Sir?

            "If I've got "car insurance" in Sweden, can I borrow a long-haul truck-tractor from a friend, hop in, (at least try to) drive off, and still be "insured"?"

            Here in California, the insurance I have for my Peterbilt will cover me and an alternative vehicle, should I see the need to borrow (or rent ... which has it's own insurance) another vehicle. There are limits to how long this insurance transfer lasts, but it can be invoked as needed with a phone call. Likewise, the insurance I have for passenger cars follows me when I have a need to drive an alternative passenger car, but no phone call needed. Same for motorcycles. None of the above cost me a dime extra ... but then my record is clean.

          2. Solviva

            Re: Is this your car, Sir?

            No, "your" car insurance covers the vehicle you're insuring for you and anyone else to drive, but won't cover you if you were offered the use of an uninsured car. Not sure how it is with commercial vehicles though as I don't have one.

        2. Ptol

          Re: Is this your car, Sir?

          In New Zealand, my car insurance covers the car for any driver. If i name a person as a driver on the insurance, it knocks NZ$ 400 off the excess in the event of a claim. Car insurance here is much simpler because there is no personal injury aspect to it, it is simply about repairing cars and stationary objects. ohh, and car insurance is optional. If i'm hit by an uninsured driver, then my insurance company will take them to court for the accident costs and collect the money from their wages over the next 5-10 years.

          What about the personal injury and medical costs? In New Zealand there is universal accident cover for everyone in New Zealand. ACC will cover your health costs, rehabilitation and lost earnings - even if you stow away on a containership and break your leg jumping onto the harbour dock in Auckland.

          There is no pain and suffering compensation, we are made of tougher stuff, and just get on with it. :)

          1. jake Silver badge

            Re: Is this your car, Sir?

            California here ... my insurance covers my passenger vehicles for any legal driver, and similarly, in the event of a claim there are financial incentives to name a second (third ...) driver specifically for he vehicle(s) covered on that policy. Usually, but not always, the extra driver(s) is(are) a dependent.

        3. jake Silver badge

          Re: Is this your car, Sir?

          "So if I - ahem - borrow - your car (with every intention of bringing it back before you wake up, no "intent to deprive" here) I'l be fully insured during the joyride?"

          No, because you are breaking the law by stealing the car.

          1. Michael Wojcik Silver badge

            Re: Is this your car, Sir?

            In the US, some insurance coverage might still apply, which is particularly important for injuries to others or their property. Depends on the state. But the insurance company will certainly do its best to claw any payout back from the thief.

          2. PerlyKing

            Re: you are breaking the law by stealing the car

            Define "steal". In English law the definition includes the intention to permanently deprive the owner of their property. I may have got the wording wrong, but the consequence is that joyriding (where the vehicle is abandoned at the end of the ride) is not theft, and a new offence of "taking without owner's consent" had to be created.

        4. Solviva

          Re: Is this your car, Sir?

          Interesting question, if you bring the car back in one piece then insurance is moot. If you were to have an accident then that would be dealt with as vehicle taken without consent, in which case I've no idea what happens as I don't plan to borrow a vehicle without consent :)

    2. Anonymous Coward
      Anonymous Coward

      Jurisdiction dependent

      But the insurance usually follows the car in the US and a "Standard policy" will cover another driver if they are also insured. The owner faces some additional liability. In CA that used to be about 5 grand, but it may have gone up in the decade since I got run over by a loaned BMW.

      Some policies are named drivers only, usually to get better rates, or for exotic or vintage cars. In that case you'd get into the weeds, as the swap was accidental.

      Still, glad that we got to see the press cover a case where the owner of the cars didn't act like the owner of the company. Not everyone in a white model 3 is watching the lord of the rings extended editions or is a coked up sociopath trying to have sex in the back seat on their ride to work.

  7. Jellied Eel Silver badge

    Do not disturb

    ...most people opt for the phone. You're going to be taking that out with you come what may, obviating the need to carry around another item to lock the car.

    I don't. I sometimes intentionally leave the phone at home because I don't want to be any more disturbed than I already am. Especially after phones expanded to dimensions that exceed most convenient pockets. Once you break the phone anxiety habit, you can relax more without having to check your phone every few minutes in case you missed a beep notifying you that there's an exciting new offer for something you don't want. Or, because for a lot of these unlock services to work, you have to keep location services on. So by the time you've been flooded with, and deleted all the special offers from businesses near you, your battery is flat and you can't unlock your car. Or house.

    I guess with a house, there could be a market for adding weatherproof USB or wireless chargers to your door furniture. I guess it might be harder to accidently lock yourself out given the phone won't detect it's outside the threshold. Or it might use it's essential health monitoring functions to detect that you've left it home alone, and lock the door out of spite.

    1. usbac

      Re: Do not disturb

      I usually take mine long just in case of a car breakdown. I figure that Murphy will catch up with me if I don't (the one time I don't have phone with me, etc.). I just leave the thing turned off.

      I typically don't have it turned on at home either. I keep getting emails from my wireless carrier wondering if I'm having problems with my account...

      1. Stork

        Re: Do not disturb

        One of the things I changed after selling our business was not to have email on my phone. Most things can wait now.

        1. Michael Wojcik Silver badge

          Re: Do not disturb

          My phone has my personal email account and the joint one I share with my wife both set up on it, but I have synchronization disabled. I only let it download messages if I know there's one I actually need then, and I'm not at home. It happens maybe once a year.

          But then I turn off email notifications on my personal and work computers too. The whole point of asynchronous communication is to not interrupt you.

    2. Anonymous Coward
      Anonymous Coward

      Wire a usb into the boot

      and tuck it behind the bumper cover or wheel well. You may now charge your device in the event of a dead battery. Might not help if you lose it entirely, but will save you if you kill the battery roxing out while you are jogging or take one to many selfies at brunch.

      Of course in the old days I did the same thing with an stiff coat hanger just in case I locked the keys in the car or lost them. I figure if any other idiot could slim jim my car open I might as well be able to myself.

      1. Michael Wojcik Silver badge

        Re: Wire a usb into the boot

        in the old days I did the same thing with an stiff coat hanger just in case I locked the keys in the car or lost them

        When I first started driving, I had a spare key made. I cut most of the bow off it, so it was basically just shoulder and blade, to make it smaller, then tucked it in my wallet. I don't know that I ever had to use it, but I was glad it was there.

        With a later car I got one of those magnetic hide-a-key things and tucked it up in a wheel well, stuck a bit under the plastic underbody cladding so that it wouldn't shake loose. Then not only did I have a spare, but so did any friend if I had to have them pick the car up from somewhere. A thief wouldn't have bothered to look for it, just jimmy the door open, as you say, so there's no additional risk to doing something like that.

        Of course, with modern transponder keys, you don't want to do that, unless you put it in a Faraday cage.

        A couple of "how I was an idiot with my transponder key" stories:

        - Went swimming with the extended family in Lake Michigan, at Sturgeon Bay Beach, up at the northwest tip of the LP. A small but nice beach, and very isolated; it's often deserted, and you'd have to go some miles to get a phone signal, at least at the time. My swim trunks had a pocket with a zipper closure, so I put the car key in that, and then we spent some hours swimming and lying in the sun and playing with the kids in the surf and so on. When we got back to the car, it occurred to me that immersing the key in Lake Michigan for half an hour or so at a time might not have been the best idea. I was very relieved when it worked.

        - Then a couple of years later I did that again, at a hot spring in New Mexico – not one of the commercial ones, but a little one down in the Rio Grande Gorge. Except this time I had the key in an inside pocket of my swim trunks, and when I remembered it was there, after getting in the water, I checked and it was no longer there. I was with my older granddaughter, who was 8 at the time but already accomplished at scornful evaluation of the failings of her elders.

        You do not get a phone signal in the Rio Grande Gorge. We started the walk back to the car, about half a mile, looking for the key on the ground as we went. I was figuring we'd have to walk the road back out of the gorge and then walk a couple of miles until I could get a decent phone signal and call someone. I didn't want to make my granddaughter do that walk, but I couldn't leave her by herself.

        When we got back to the car we still hadn't found the key but I had to try the door anyway ... and it opened. I figured the key must be on the ground by the car, but we searched and couldn't find it. Tried to start the car; it started. Looked inside the cabin for the key, didn't find it. Finally I thought to search my swim trunks in their entirety and not just the pockets, and found the key had worked itself out of its pocket and was now just floating around in the netting, conveniently in a position where I couldn't feel it as I was walking.

        Since then my granddaughter has been under strict instructions to ask me where the car key is every time we go swimming.

      2. Potty Professor
        Boffin

        Re: Wire a usb into the boot

        I once found a wallet on a park bench, so took it to the local cop shop. I accidentally locked my car keys inside the car (1972 Ford Cortina) whilst at the cop shop, so, knowing the local panda cars were of the same make as mine, and that their garage would probably have several spare keys, I returned to the front desk and explained the situation.

        The desk sergeant told me to go and wait by the car and a bobby would come out and open the car for me. Young Mr. Plod duly arrived, took one look at the car, and said "Don't look". He then removed his cap, opened the sweatband and removed a doubled length of plastic strapping. He slid it through the gap between the door pillar and the rubber seal of the door, and maneuvered it to snag the lock release button, which he pulled up to unlock the door. He then returned the strapping to his hat and said "There you are".

        I have since used this trick to open a work colleagues car in the company car park when he had also locked his keys inside.

        I don't suppose this would work on modern cars, the lock knobs don't have enlarges caps on them now.

    3. Stork

      Re: Do not disturb

      I also felt really old with the comment about using the phone to pay - I haven’t yet had the urge to set it up.

      1. Michael Wojcik Silver badge

        Re: Do not disturb

        I haven't yet figured out why anyone would want to.

        1. PerlyKing
          Facepalm

          Re: Do not disturb

          You must be so proud.

        2. John Brown (no body) Silver badge

          Re: Do not disturb

          Me neither. Standing in the queue to pay at the supermarket, it used to be the old ladies looking through their bag for their purse that held the queue up. Now it "tech bros" fumbling with their phone and drawing "gestures" or entering PINs to activate the payment. On the other hand, some people just seem to pick their phone out and tap it on the reader, so maybe there are different system or some people are a little more security conscious than others.

  8. Gomez Adams

    How the heck can someone drive an apparently identical car for 10/15 minutes without realising it was the wrong car?. As soon as I sit in my car after the garage has done some work on it I know this is not the car I left them with as the seat and steering wheel positions are not the same. It would be an extraordinary coincidence for the mechanic who worked on my car to be the same size and shape as me with the same driving position preferences.

    1. Anonymous Coward
      Anonymous Coward

      You might not know with a Tesla. It would apparently be a valid assumption that the wheel setting was off because it was just in the process of coming off..

    2. Ian Mason

      I can't speak for the Teslas, but my car carries the settings for the electric seats and mirrors in the keyfob memory. If I open the car with my keyfob, it recalls my settings. If SWMBO uses her keyfob, then the seat and mirrors are set for her.

      It sounds like a gimmick but if you're as sensitive to your seating position being 'just right' as I am then it's a really useful feature, no fiddling about getting back where you left it if 'er indoors uses the car, or indeed if a mechanic's shifted it. It's not an option I'd have chosen to pay for, but I bought mine secondhand, it came with electric seats, and having experienced the convenience I might actual pay for it in the future should the situation arise.

      1. Anonymous Coward
        Anonymous Coward

        Are you sure it stores that info in the keyfob? These systems usually just remember which settings belong to which key/fob but the storage of the settings is in the car.

        1. Anonymous Coward
          Anonymous Coward

          I think that was just shorthand for the keyfob determining which profile gets loaded.

          Keyfob = ID, car memory = settings.

    3. Anonymous Coward
      Anonymous Coward

      Fair,

      though it also sounds like one or more of your dimensions are non-standard. :-)

      For me it's not such a surprise considering the interior of a white model 3. One of the most spart... I mean minimalist interiors.

      I liked the cockpit of the earlier model S, the Y and 3 bug the crap out of me honestly.

      Unless you are a car packrat, there just isn't much to see. My old roommates had similar issues spotting their Prius, probably one reason so many are covered with stickers.

  9. Anacharsis

    Keys don't work for cars

    Stealing any car made before chipped security keys is trivial. Google the problems with kia boyz.

    Once you realize that the key does basically nothing and its the chip and the ignition interlock preventing theft, then you can remove the needless key.

    It was also possible to open other people's cars with your car key in the world before chips. That should actually be possible to eliminate with electronic key fobs, but trust Tesla to screw that up.

  10. Mayday
    FAIL

    Call me old fashioned, but

    I’d like my key to be able to open my car. I’d also like it to be _only_ my key which can open my car. Not someone else’s key. I also have little interest in opening someone elses car.

    This is unless you drive a HQ Holden which had 7 different keys for the entire production run. A mate locked his keys in the car at a large even one day and was a little lost as a result. A fellow HQ owner walked past and thought he’d talk this other HQ owner having a concern with his car. Explaining that he locked the keys inside, the other bloke said, “I’ve got a HQ too, let’s see if the 1 in 7 chance of us having the same key is in effect here.” Sure enough, the key worked and my mate was able to get inside without having to break in.

    1. Yet Another Anonymous coward Silver badge

      Re: Call me old fashioned, but

      >I’d also like it to be _only_ my key which can open my car. Not someone else’s key

      There are about 80Million cars made every year. That's quite a lot of active car locks to all require a unique key.

      Even then there is LPL's "click on one, some resistance on two ....."

      1. Ian Mason

        Re: Call me old fashioned, but

        That 80 million is only a problem for physical keys, it's too hard to have both enough key differs to cover that and have big enough mechanical tolerances to be reliable. For active electronic locks it's just a question of using a few more bits, and binary digits aren't in short supply.

        1. An_Old_Dog Silver badge

          Making More than 80 Million Unique Physical Keys

          During the 1980s, I saw some keys shaped like a flattened hexagon; there were four usable faces, and these surfaces had five divots of varying depths bored into them for the lock pins to go into. Add a long-ways notch so there's only one physically-possible* orientation which allows key insertion, and place five divots on each usable face, each divot with one of five possible depths, that's .. uhm ... the math escapes me: something factorial? 5^(5*4)? (== 95,367,431,640,625) ... a lot more than 80 million, anyway.

          *Presumes someone doesn't try to force-fit it with a sledgehammer.

          1. Anacharsis

            Re: Making More than 80 Million Unique Physical Keys

            So you've carefully done what you can to make it so that each car can have a unique physical key.

            Then someone comes along with a hammer, screwdriver and maybe some vice grips and if you don't have a chipped key anyway then they're off with your vehicle.

            I'm old as well, and I had a software engineers distrust of electronics. But I had someone tried to steal my 2000 Ranger and in seconds they were able to bypass the key system by mutilating it, but because it was one of the first Rangers with a security key they didn't get the truck, turning the ignition got them nothing.

    2. jake Silver badge

      Re: Call me old fashioned, but

      "Not someone else’s key."

      How about someone else's Morgan Nokker?

      Or coat hanger, for that matter ...

    3. Tim99 Silver badge

      Re: Call me old fashioned, but

      Maybe, as noted as above, it might be colour grouped? In the 1980s I had a light blue Volvo. Mrs Tim99 and stopped at a Little Chef on the A17 - It was drizzling. When we got back, I unlocked the door, and sat in the blue driver's seat. Then I noticed that "someone" had removed the automatic gearbox and replaced it with a manual. My car was two further along the car park behind a panel van. We quietly got out of the car, locked it again, and drove off in our car...

  11. Doctor Syntax Silver badge

    Unlocking the car and driving it away lacks ambition. Keep the car locked but have it drive itself away.

    1. Anonymous Coward
      Anonymous Coward

      That would be assuming that FSD would not actually mean "Faulty Self Driving".

      Given current progress this may happen just before the sun turns into a red dwarf.

    2. jake Silver badge

      "Keep the car locked but have it drive itself away."

      This has already been possible, and demonstrated. Search on "Jeep Cherokee hack".

      The fun one will be when 10,000+ locked and unoccupied cars all head for <insert target here> at a great rate of knots. No brakes needed. Nor obeying any traffic laws.

      Think it won't happen? Then you have more faith in humanity than I do.

      1. Doctor Syntax Silver badge

        A flash mob of cars! Where shall we send them? Not the M25, obviously, no rrom for another 10,000...

  12. elsergiovolador Silver badge

    Clones

    I wonder how long it would take if Tesla owners, apart from switching cars, also switched homes, jobs, wives... when and who exactly would have noticed they are not the people they think they are?

    1. Benegesserict Cumbersomberbatch Silver badge

      Re: Clones

      And you may find yourself behind the wheel of a large automobile...

      1. that one in the corner Silver badge

        Re: Clones

        Water flowing, underground

        Dang GPS directions, this is a storm sewer!

      2. Anonymous Coward
        Anonymous Coward

        Re: Clones

        And you may find yourself behind the wheel of a large automobile...

        Wow, that's from 1980. How time flies..

  13. Fruit and Nutcase Silver badge
    Joke

    Don't Tweet Musk

    His message to Tesla's press email bounced and another to Tesla's China unit was blocked. "I even tweeted Elon Musk," he said.

    ...to complain about one of his companies or products. Doesn't matter in the slightest that you don't work for Tweeter - he will start by sacking you from Tweeter.

  14. Howard Sway Silver badge

    Tesla Model 3

    Buy one, get as many as you want free.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tesla Model 3

      .. if you wanted to.

      1. Jimmy2Cows Silver badge
        Coat

        Re: If you wanted to.

        Don't even want one, never mind 2.

    2. Dronius

      Re: Tesla Model 3

      Maybe the next hack will be to make them all "go home" to the mother factory one morning.....

      could be time for another watch of "La Cabina" ........ https://pin.it/71NTri3

      1. Fruit and Nutcase Silver badge
        Coat

        Re: Tesla Model 3

        Young Musk could well have been just the type of kid who was prone to taking the ball and going home

        1. BartyFartFast Silver badge

          Re: Tesla Model 3

          He is still that kind of kid

  15. David Nash

    It's proximity

    Clearly this happened because you don't need to press any kind of unlock button, you just try to open the door and the car will unlock if a phone registered to a valid keycard is within distance. I believe this works through Bluetooth.

    In this case the other guy's phone must have been nearby, maybe he was still there. Maybe they were returning to their cars together.

    Either way it's the downside of an admittedly incredibly convenient way to lock and unlock (just walk away) your car.

  16. MsScullz

    I'd like to know how far this flaw goes. Teslas have an optional PIN feature so that even if you get into someone else's car, you need to enter the PIN to be able to drive it. There's no mention of this in the story, so either a/ neither of these people had set up a PIN, or b/ the car also accepted the wrong one. If it's b/ then I'm going to be exceedingly concerned.

    1. JoshM

      It's not a "flaw". People should kind of be sure they're getting in their own car. Ridiculous.

  17. Anonymous Coward
    Anonymous Coward

    Ford Cortina

    Not a new trick. My Dad did this with his 1980s Ford Cortina. Bought a new one mid-80s. Got to work and found someone else in the car park with not only the same car, but same colour. He could open up and drive the other car away. When they tried the keys the other way round the other bloke could unlock but not start my Dad's car.

    This was in the days of plain physical metal keys, no immobiliser chips.

    But me I also prefer keys. I drive a 1990s Honda and worry about all the electronics that would be in my next car. Tech that is out of date and not updated. When I've been looking at second hand cars it is shocking how out of date things are. My old Honda let me swap the audio system and I currently have it all Bluetooth and connected to my music and sat nav. Newer cars just have built in systems that are obsolete when the updates stop after a few years.

  18. NXM Silver badge

    tractors

    New Holland tractors all seem to have the same key.

    So far we've not had anyone involved in a low-speed police vs tractor chase (our tractors only go at a max of 25mph)

  19. Peter Christy

    Its not only cars!

    One of my hobbies is building and flying RC model aircraft. In recent years, nearly all RC gear has switched to using 2.4 GHz spread-spectrum radio gear. Each transmitter has a unique identifying code that it transmits to identify it. The receiver needs to be "bound" to the transmitter so that it will only respond to the required transmitter.

    A few years ago, one major manufacturer managed to produce a (thankfully) small batch of transmitters with all the codes set to a string of zeroes!!!

    I think the safety hazard this presented speaks for itself!

    Mercifully word quickly got out and the sets were recalled before a major accident occurred, but it took a while for that manufacturers reputation to recover, and a number of models ended up destroyed!

    Whilst spread-spectrum radio gear has resulted in zero accidents due to frequency clashes, it seems that the old adage still holds: "Anything that can go wrong, will go wrong!".

    1. jake Silver badge

      Re: Its not only cars!

      Back in the late 1980s, there was a company in Taiwan which "recycled" MAC addresses on its clones of NE1000/2000 ethernet cards. When you got a new batch of cards which matched the MAC address of one or more cards on your existing LAN[0], much hilarity ensued. As a consultant, the first time was the worst ... after that, the symptoms were fairly obvious. I probably ran across the problem at a couple dozen small companies between '88 and '91ish, and then again (!!) in the mid-late '90s, when people started recycling old Netware kit for Windows networks at home.

      [0] An "impossible event", at least according to Novell and IEEE.

  20. jollyboyspecial

    It's been said many times before, but using your phone to unlock your house or car is a risky business. The battery in your car's fob lasts one hell of a long time. Phones not so much.

    I mentioned this to a colleague who said you could always carry a charge bank around with you. You know one one those things that's generally much bigger than a fob? But that statement just shows this stuff is just technology for the sake of technology. Hey, look what my car can do, it's so much less convenient than a key!

    I first owned a car where you never had to take the key out of your pocket twenty years ago this month. But I soon found some serious limitations. The thing about a key is that it fits nicely in the little pocket in my wetsuit and it doesn't care about getting wet. Yes there's still some technology in my current key, a passive RFID tag adding a bit of security. But way back when with that Nissan I tried a key safe under the wheel arch so I could go surfing, but the car wouldn't actually lock with the key so close.

    There was a solution in the end but it was complicated and bleeding annoying.

    I saw an advert for a modern car with such a system that showed a couple living an "active lifestyle". Presumably they were very trusting folk. Judging by their outfits as they ran down the beach from the car they had nowhere to keep the hefty fob, so the car must have remained unlocked...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like