Pentester pops open Tesla Model 3 using low-cost Bluetooth module

Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor. Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has …

  1. jvf

    living in a fantasy

    In my world I don’t need keys because nobody steals anything. I can write Office macros to be productive because no one hacks anything. But, since I’m living in an unreal world I have to be careful. It starts with using a phone to make phone calls and little else.

  2. Loyal Commenter Silver badge

    Always-on Security Hole

    As I understand it, and I'm willing to concede that there may be some subtlety here that I haven't grasped, the root of the problem is that "passive" devices to unlock a car are always going to be open to relay attacks if they're always broadcasting / responding to broadcasts. Relying on limited range is a pretty obvious security weakness.

    What's wrong with having a key fob with a button you have to press? At least then the window of opportunity to perform an attack is vastly limited?

    1. HCV

      Re: Always-on Security Hole

      You might as well ask, "Why build a single-car rail transport tunnel?"

    2. Anonymous Coward

      Re: Always-on Security Hole

      What's wrong with having a key which you have to physically insert into a slot in order to lock/unlock a door? Oh, I know, 'for your convenience'. Like having escalators at the gym.

      1. Totally not a Cylon
        Linux

        Re: Always-on Security Hole

        When you live in a country where it goes below freezing, physical lock cylinders freeze solid and have to be thawed before a physical key works.

        Keyless entry and remote start are essential features in some countries.

        Penguin because they would need keyless entry........

        1. Piro Silver badge

          Re: Always-on Security Hole

          If it's that cold, the mechanism in the door would also be susceptible to freezing.

          Not to mention the fact that Tesla's presenting door handles (or even just the ones that flip out) would be impossible to use.

      2. DwarfPants
        Coat

        Re: Always-on Security Hole

        I understand the need for escalators from the gym, but not to it.

      3. Jimmy2Cows Silver badge
        Holmes

        Re: escalators at the gym

        Apparently disabled people like to use gyms too. Something about trying to lead as normal a life as possible, and not being stymied, stigmatised and excluded by other people's lack of imagination.

        1. Anonymous Coward

          Re: escalators at the gym

          Yup, weird huh, how people who have lost mobility in some parts of their bodies like to try and keep the working bits in good condition.

    3. Phil O'Sophical Silver badge

      Re: Always-on Security Hole

      "What's wrong with having a key fob with a button you have to press?"

      Agreed. My new car came with keyless entry which must be disabled every time you lock the car if you don't want it. I never use it.

      Its one saving grace is that the key is only active for a few seconds after it's been moved. If left sitting on a table it becomes quiescent. That way it works when you're carrying it to the car, but can't be used for an unattended relay, which is quite a neat solution.

      1. Anonymous Coward

        Re: Always-on Security Hole

        Sounds like a good feature.

        My key has to live in a pouch which is a Faraday cage and at home the pouch lives in a steal box. Works for a keyfob but doesn't make much sense for a phone.

        Mind there are days when keeping the phone in a Faraday cage sounds like bliss.

        1. John Brown (no body) Silver badge

          Re: Always-on Security Hole

          "a steal box."

          I saw what you did there! :-)

          1. chivo243 Silver badge
            Headmaster

            Re: Always-on Security Hole

            "a steal box."

            I saw what you did there! :-)

            I'm not sure I see what you see!? :-}

            1. John Brown (no body) Silver badge

              Re: Always-on Security Hole

              The article is about "steeling" cars :-)

              (I'm really not sure if you're being ironic or really didn't get it.)

        2. Anonymous Coward

          Re: Always-on Security Hole

          ...."and at home the pouch lives in a steal box".....

          Did you write "Beware of the Leopard" on the box?

      2. Anonymous Coward

        Re: Always-on Security Hole

        "Its one saving grace is that the key is only active for a few seconds after it's been moved. If left sitting on a table it becomes quiescent. That way it works when you're carrying it to the car, but can't be used for an unattended relay, which is quite a neat solution."

        While a nice idea, that only gets you so far.

        It wouldn't be much use against a pair of thieves working together where one follows you around a shopping centre, for example, while the other waits by your car.

      3. MachDiamond Silver badge

        Re: Always-on Security Hole

        "Its one saving grace is that the key is only active for a few seconds after it's been moved. If left sitting on a table it becomes quiescent."

        My car is older and the key fob doesn't do anything unless a button is pressed. It just sits there in an off state. It's the smart fobs that lend themselves to relay attacks and phone mediated systems too. Obviously, you can't be as lazy if you have to get your phone out, unlock and access an app over having only to have the phone in your pocket/bra and powered on.

    4. sreynolds

      Re: Always-on Security Hole

      "What's wrong with having a key fob with a button you have to press? At least then the window of opportunity to perform an attack is vastly limited?"

      Well you're asking a bit much from your average Tesla user - note not driver. They expect to walk into a car while watching videos and to continue to be driven while watching video, as the recent England & Wales legislation allows them to do, whilst either mowing down cyclists or being driven to their death - in a game called Tesla roulette.

      So I would say pressing a button is beyond most Tesla users' capabilities.

      1. MachDiamond Silver badge

        Re: Always-on Security Hole

        "So I would say pressing a button is beyond most Tesla users' capabilities."

        So they have cars that don't have a key hole or even door handles given the latest prototype Cybertruck. I'm glad my car has a mechanical lock. Not too long ago the battery in my fob went flat and I had to use the key. No hitch and I picked up a replacement battery that day while out running errands. What do you do if you are relying on your phone to use your car and drop it in the loo? Did you hear the one about the woman that dropped her phone in a "vault" toilet and fell in trying to retrieve it?

  3. Bitsminer Silver badge

    hacked like any PC

    What do they say about personal computers?

    "If the bad guy has physical access to your computer, it is no longer your computer."

    The same is true of any car with radio/remote access. A physical key or encrypted push-a-button-to-unlock key is essential.

  4. wolfetone Silver badge

    I know someone who never locked their car. There was never anything in there to steal, and they reasoned that it'd save a massive clean up operation from him if the local dickhead smashed a window to discover he had nothing in the car.

    One morning in December he went down to the car to drive to work and some dickhead had smashed the window. Didn't even try the door.

    So while it's awful that a Tesla can be hacked like this, all cars can be hacked easily with a brick. No matter what the owner does.

    1. Jedit Silver badge
      Boffin

      "all cars can be hacked easily with a brick"

      It's a bit easier to spot a car that has been hacked with a brick, though.

  5. Howard Sway Silver badge

    the hack lets the attacker start the car and drive away too

    I suppose the only saving grace here is that the person who nicks your car this way is probably going to lose it pretty quickly to someone else who can steal it just as easily.

    1. Anonymous Coward

      Re: the hack lets the attacker start the car and drive away too

      Haven't I seen ads where the owner uses their phone app to have the car drive out of tight parking spaces?

      So not only can the thief open the car and drive it away, they can probably persuade the car to drive into the middle of the road without needing to actually get into the car.

      1. Martin-73 Silver badge

        Re: the hack lets the attacker start the car and drive away too

        You can also cause it to brake check the car behind by (as a pedestrian) trying to walk across the road anywhere near it (see Ashley Neal's latest video).

      2. John Brown (no body) Silver badge
        Joke

        Re: the hack lets the attacker start the car and drive away too

        "Haven't I seen ads where the owner uses their phone app to have the car drive out of tight parking spaces?"

        I seem to remember a huge advertising campaign stuck at the start of many VHS tapes and DVDs. IIRC, the strapline was "you wouldn't steal a car, would you?". Clearly advertising doesn't work as it doesn't seem to have reduced let alone stopped car theft. Unless, I missed the point of the ad.

      3. MachDiamond Silver badge

        Re: the hack lets the attacker start the car and drive away too

        "So not only can the thief open the car and drive it away, they can probably persuade the car to drive into the middle of the road without needing to actually get into the car."

        GTA can set you up for a stay in the pokey, but a teen looking for fun might be very intrigued to see if an exploit they find on the internet will work to move a connected car to the middle of the street from their bedroom window at oh dark thirty. They may even have a laugh at turning on the lights and blasting the stereo at the same time.

  6. Mike 16

    defeated by simply cutting the latency of the relay process.

    Hmmm. Much of my career involved "cutting latency". It's not simple.

    Unless, of course, the latency of the (first implementation) relay device was needlessly much larger than expected, for reasons that were known but ignored.

    1. yetanotheraoc Silver badge

      Re: defeated by simply cutting the latency of the relay process.

      "cutting latency"

      I think the point was the owner can be _just_ outside the activation range, and the small added relay latency still allows the car to unlock. So in a large carpark you could have a criminal mastermind on a skateboard next to the car, a henchman (likely a him) walking near the owner, and the car could be driven away before the owner reaches the stairs. Convenience indeed.

      But where is the market for stolen Teslas? All the features that make them Teslas need the phone-home enabled.

      1. seven of five

        Re: defeated by simply cutting the latency of the relay process.

        Spare parts. Though the cult would like you to believe otherwise, these things break. Often.

      2. Martin an gof Silver badge

        Re: defeated by simply cutting the latency of the relay process.

        "But where is the market for stolen Teslas? All the features that make them Teslas need the phone-home enabled."

        Never having looked seriously at a Tesla (way beyond my price range), is it possible that once unlocked, started and driven off it's possible to pair another phone? Instant new key. Unless of course there is some kind of 2FA involving an email to a previously-arranged account or sommat.

        M.

        1. Alex Brett

          Re: defeated by simply cutting the latency of the relay process.

          No, to pair a new key (physical or phone key) you need one of the existing actual RFID keycards to authorise it, so it's 'safe' from that point of view.

          It's also the case that once you park up and walk away, you will then be unable to get in and drive the car again without redoing the attack, which coupled with the fact the car will be reporting its GPS position to Tesla and the owner via the app means overall this is of pretty limited value for anything more than a one-off joyride.

          Pin to drive also defeats it, such that the only thing it allows you to do is get into the vehicle, which as others have said can be done with the use of a brick or similar anyway...

          1. Jimmy2Cows Silver badge

            Re: defeated by simply cutting the latency of the relay process.

            I feel like a lot of people who steal cars (and other things) are usually too stupid to research whether they'd still be able to use it after they've nicked it. Criminal masterminds they are not.

            Besides they tend to either crash it, burn it (or both), or thrash it straight to the nearest chop shop where it's shredded for parts and valuable metals. None of those situations needs the thief to know or care about pairing new keys.

          2. MachDiamond Silver badge

            Re: defeated by simply cutting the latency of the relay process.

            "It's also the case that once you park up and walk away, you will then be unable to get in and drive the car again without redoing the attack,"

            So you're saying that once started, the best move is to drive it into an enclosed truck/trailer that prevents the car from phoning home before its comms are disabled?

      3. MachDiamond Silver badge

        Re: defeated by simply cutting the latency of the relay process.

        "But where is the market for stolen Teslas?"

        Parts. The headlight for a Model 3 from Tesla is $880. The windshield is $1,200. All of the parts with a VIN number stamped into them can just be binned or sold as scrap. Is the big one piece casting that Sandy Munro was gushing over in use on Teslas or still in development? I know Tesla bought a couple of the casting machines. That's a big hunk of easy to recycle Aluminium that once cut up isn't particularly recognizable if the coppers are looking for a complete vehicle.

  7. spireite Silver badge

    Smartfobs, relay attacks and latency being the 'defence'??

    Is this possible to be classed as security through obscurity - in a loose sense?

    I'm a total hater of auto unlocking vehicles if the fob/gadget is within a certain distance.

    A friend of mine had a Beemer, which would auto-unlock when the keyfob got into proximity. Therein lay the problem.

    Drive forward into parking space

    Lock car

    Walk to boot, open boot.

    Lock

    Go inside the house....

    Go back out to move bins for tomorrow.

    Car unlocked, and you didn't know... because the bins were at the same range.

    It happened numerous times. A lot of the time the giveaway was that the wing mirrors had gone into normal position rather than folded - if you saw them.

    There is a price to pay for convenience, and it is a big one when it cost £40K plus!!

    1. the reluctant commentard

      Re: Smartfobs, relay attacks and latency being the 'defence'??

      Normally with systems like these, whether keyless or a key with a fob with buttons, if no doors are opened within a certain time of the car unlocking, it will simply lock itself again.

      1. Anonymous Coward

        Re: Smartfobs, relay attacks and latency being the 'defence'??

        I am foolish enough to own a Vauxhall. If you accidentally press the unlock button (by keeping your car key in your pocket, for example) it will indeed lock after (I think) 10 minutes. If you keep the unlock button pressed for a few seconds (again, possibly accidentally by having your car key in your pocket), then all the windows wind down and the car stays unlocked. For some reason this tends to happen to me when it's raining, of course.

        Vauxhall offer no way to disable this lovely feature, and cannot understand why I would want one.

        1. Jimmy2Cows Silver badge

          Re: Smartfobs, relay attacks and latency being the 'defence'??

          Ah "comfort opening" and "comfort closing". You can disable them but you need a Tech 2 or whatever they use now to get into the body control module and switch them off.

          Vauxhall could, indeed should do it for you if you want to pay them the "diagnostic" charge to plug the computer in for a few minutes and fiddle with the settings.

          There are plenty of non-Vauxhall garages who can perform this if you don't want to pay Vauxhall's excessive diagnostic tax.

          1. Anonymous Coward

            Re: Smartfobs, relay attacks and latency being the 'defence'??

            Ooh! Thanks for that - I might just try it. I have other reasons for not going back to my local main dealer (apart from this), so I'll try to find an independent garage.

    2. MachDiamond Silver badge

      Re: Smartfobs, relay attacks and latency being the 'defence'??

      "A friend of mine had a Beemer, which would auto-unlock when the keyfob got into proximity. Therein lay the problem."

      That could be an issue, but many cars will re-lock if a door isn't opened within a short period of time. Mine will do that if I unlock it with the fob and don't open a door right away. I'm used to it now so if I'm unlocking the car and need to load things in, I'll open a door so it stays unlocked and I don't need to fumble in my pockets to do it again. The thing that worries me is if the car might re-lock for some reason that I don't expect and my keys are inside.

      1. pirxhh

        Re: Smartfobs, relay attacks and latency being the 'defence'??

        My 2012 VW will unlock only if you pull the handle (any front door or the trunk) while the key fob is in range.

        It is susceptible to a relay attack, though, requiring a bit of RF hardware.

  8. LeeWalton

    PIN to drive

    Tesla offer a feature to set a PIN which has to be entered to be able to drive the car, which owners are encouraged to use.

    So, whilst someone may be able to break into the car, they will not be able to drive it away if you follow the advice.

    1. Loyal Commenter Silver badge

      Re: PIN to drive

      "Offer a feature" which is turned off by default, according to the article I just read. If the owner is too lazy to want to physically unlock the car, do you think they are not also too lazy to turn on any non-default features?

    2. Charlie Clark Silver badge

      Re: PIN to drive

      Welcome to California, the home of unlimited liability: it's not enough to recommend people don't do something stupid!

    3. Piro Silver badge

      Re: PIN to drive

      So to solve a problem that was never a problem before keyless entry, we've created a new replacement for pressing the keyfob button. Genius.

      I actively do not want keyless entry.

      1. pirxhh

        Re: PIN to drive

        A fingerprint reader in the start button, or facial or voice recognition of registered drivers might work instead of a PIN.

        So you'd just need to greet your car with whatever cutesy (or not) nickname you choose... "Hello, you heap of c@#p, let's go!"

  9. umacf24

    This is not a problem

    The car is -- really -- owned by Tesla, and Tesla alone, regardless of who can drive it away.

  10. MachDiamond Silver badge

    Never underestimate lazy

    The ability to just walk up to the car and have it unlock saves time. The same thing with the charge port door opening automatically when you bring the charging plug close to it. What could possibly go wrong?

    I'm a total nerd when it comes to gadgets but I also value the K.I.S.S. principle. For something like a car, I don't want loads of "features" that can go wrong. If the medium fan setting stops working, I can deal with that. If a patch on a touch screen stops working, that might be $3k in a replacement cost if the car is out of warranty. If you break said touch screen accidentally, it's certainly not covered under warranty and if you don't have it repaired (can't buy the parts to do it yourself), it's more than the stereo that doesn't work anymore. I've had all sorts of strange things happen in a car. I put a bag of shopping in the passenger footwell and a soda can hit the seat rail and got a puncture. Sticky liquid all over the place. A coffee creamer pod sat out on the center console in the sun popped spraying artificial moo all over. Just one bizarre incident could render a car with massive single points of failure completely useless and expensive to fix. When it works, it's all very clever. When it doesn't, it's a very bad day.

  11. DrXym

    Not a new attack

    People have had keyless entry cars stolen through similar attacks for years - they stick the keys on the hall table, thieves boost the key signal & jack the car from outside the house. Any kind of proximity system is vulnerable to this.

    The mitigations to this sort of thing are fairly simple. Don't enable this keyless entry by default and require constant contact between the car and the key. If contact is lost the car should slow to a halt and alert the owner. The app could even track the vehicle, call the police, putting the car into a "distress" mode or whatever.

  12. Anonymous Coward

    V2L/V2G power theft also possible?

    Seems there are quite some security concerns with all EVs.

    It's rather interesting that you can open the 'filler' cap on a Tesla with a simple replay attack using a cheap SDR transmitter (and perhaps even cheaper with off the shelf RF remote control modules).

    The inclusion of V2L/V2G capability in the Tesla and many other EVs leads to some interesting possibilities for power theft or just outright damage/mischief.
