
How likely is keyless theft 2023

I've never enabled my phone as a car key.
It's Bluetooth linked for communications but nothing more.
I bought a Fob just before collecting the car and have it on my house key ring.
I believe the Fob "goes to sleep" when left still so it would be dead to any relay attack after a few minutes?
The switches on the Fob come in handy often for bonnet, boot and charge port opening but for entry and driving the Fob simply has to be in my pocket.
At home I keep the Fob in a Faraday "jewel box".
I usually put the Fob in a Faraday key-pouch when out and about especially if I'm still in relatively close proximity to the car.
P2D has been set from the start.

Only aggravation I've had with P2D was when I went for a Tesla service and they changed the PIN and only told me what it was after I paid the bill. I was given to understand the PIN would revert to my own one but it didn't and I had to follow the "forgot PIN" process.
 
One warning about P2D is make sure your Tesla account password doesn’t have any characters not available on the car's onscreen keyboard. Can’t reset it after a service visit otherwise 😟
 
One warning about P2D is make sure your Tesla account password doesn’t have any characters not available on the car's onscreen keyboard. Can’t reset it after a service visit otherwise 😟
Never had to revert to having to use account password after any service visit.

Also you can now remotely enable P2D from the app of the main driver.
 
Even with the Bluetooth attack, they were within 25 meters, line of sight from the car and they used a specific phone. They had to complete the handshake within 30ms, some phones are likely too slow for the attack.

It wasn't demonstrated with numerous phone models and being upstairs inside a house. It shouldn't be interpreted as a universal threat.
 
It’s double insured (regular and replacement new car gap insurance), P2D isn’t a requirement of either so I’m not worried about it.

Huge hassle though, if something like "car nicked" happens. I'd prefer the few seconds of P2D hassle rather than the sort-out-insurance and wait-for-a-new-car and poxy-insurance-rental-in-meantime hassle :)
 
I’m going to go against the grain here and say I’d rather they relay attack it compared to the alternative which is the give me your keys or I’ll knife you approach.

We’ve actually seen no real-world evidence that thieves can steal a Model 3/Y with a relay attack so even then, I’m not sure it adds any real benefit except where you leave your keys in the car.

It’s double insured (regular and replacement new car gap insurance), P2D isn’t a requirement of either so I’m not worried about it.

I know it’s not the right attitude but at the end of the day, if someone wants it badly enough they’ll take it and I’d rather not be held at knife point for the P2D code.
I'm not really sure the logic here really adds up. Do you think that once someone who has completed a successful relay attack, given how technically challenging that is, would then ring your doorbell and threaten you with a knife in order to get you to tell them the PIN? Why waste time with the relay attack, just demand keys/code anyway. Different threats, different types of criminal.

If we consistently all applied Pin2Drive then there's little value to thieves to bother trying to figure out how to relay Tesla Bluetooth, so then we are all safer from people getting into our cars.

Yes, not the right attitude.
 
Never had to revert to having to use account password after any service visit.

Also you can now remotely enable P2D from the app of the main driver.
I could still use the service centre applied PIN, but to change it back to my own PIN I’d need to log in from the car's touchscreen. Which is where the problem lies. First service centre visit didn’t have this issue (I could revert to my own PIN by just disabling and re-enabling it), just one more recently, so might be a bug.
 
If we consistently all applied Pin2Drive then there's little value to thieves to bother trying to figure out how to relay Tesla Bluetooth, so then we are all safer from people getting into our cars.
Is there a stat out there that suggests that people without P2D suffer a higher rate of break-ins? If not I don't see why that would make us 'safer'.

The real hero here is the way Tesla have implemented the Bluetooth security. 'At the moment', it's very hard to crack in any practical sense; P2D or otherwise. If thieves can bypass that, then bypassing a 4-digit pin will be light work.
 
Is there a stat out there that suggests that people without P2D suffer a higher rate of break-ins? If not I don't see why that would make us 'safer'.

The real hero here is the way Tesla have implemented the Bluetooth security. 'At the moment', it's very hard to crack in any practical sense; P2D or otherwise. If thieves can bypass that, then bypassing a 4-digit pin will be light work.
Bluetooth is something that can be relayed and there is only so much Tesla can do to mitigate attacks; Bluetooth doesn't have the required time-of-flight controls to mitigate relaying completely. Pin2Drive is something where Tesla is likely to be able to mitigate any vulnerabilities; there have been a few already that Tesla have patched. It's very unlikely that a risk with P2D would become available to criminals faster than Tesla would mitigate it. It's not going to be 'light work' to have an active bypass of Pin2Drive.

The question then becomes how much value there is in investing in a Bluetooth relay device, to make it worth the time for a car thief to try and use it. If no Teslas had any other protection and they could then steal the car, well it's quite valuable. If 50% have Pin2Drive then its value goes down as you can take half the cars and for the others you could steal luggage, hope for a laptop etc. If everyone had P2D then the only value would be in finding things in the car, likely not worth bothering with. The fewer the cars which are unprotected the less value to criminals in trying.

If everyone kept all their valuables in sophisticated safes would burglars bother breaking into houses? If only 1 in 100 had the same it's worth breaking in to see.
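Added example (not part of any post in this thread): a sketch of the time-of-flight point raised above, comparing a coarse latency window, using the 30 ms figure quoted earlier in the thread, with a distance-bounding check. The 8 ms responder turnaround, the 2 m range limit and the scenario delays are constructed assumptions, not Tesla parameters.

```python
# Added illustration: why a millisecond-scale latency limit cannot bound
# distance, while a time-of-flight (ToF) check can. All values are constructed.
C = 299_792_458.0          # speed of light in m/s
PROCESSING_S = 0.008       # assumed fixed responder turnaround (hypothetical)
LATENCY_LIMIT_S = 0.030    # the 30 ms window mentioned in the thread
MAX_RANGE_M = 2.0          # assumed acceptable key-to-car distance

def max_distance_m(rtt_s, processing_s=0.0):
    """Largest one-way distance consistent with a measured round-trip time."""
    return max(rtt_s - processing_s, 0.0) * C / 2

def latency_check(rtt_s, limit_s=LATENCY_LIMIT_S):
    """Coarse check: accept if the exchange completes inside the window."""
    return rtt_s <= limit_s

def tof_check(rtt_s, processing_s=PROCESSING_S, max_range_m=MAX_RANGE_M):
    """Distance bounding: accept only if the implied distance is in range.
    Assumes the verifier knows the turnaround time and can time at ns scale."""
    return max_distance_m(rtt_s, processing_s) <= max_range_m

def rtt_for(distance_m, extra_delay_s=0.0):
    """Round-trip time for a key at distance_m plus any added forwarding delay."""
    return PROCESSING_S + 2 * distance_m / C + extra_delay_s

# Constructed scenarios: (description, measured round-trip time)
SCENARIOS = {
    "key in pocket, 1 m": rtt_for(1.0),
    "forwarded, +5 ms delay": rtt_for(1.0, 0.005),
    "forwarded, +1 us delay": rtt_for(1.0, 1e-6),
}

def evaluate():
    """Return {scenario: (passes latency window, passes ToF bound)}."""
    return {name: (latency_check(rtt), tof_check(rtt))
            for name, rtt in SCENARIOS.items()}

if __name__ == "__main__":
    print(f"30 ms window allows up to {max_distance_m(LATENCY_LIMIT_S)/1000:.0f} km")
    for name, (lat_ok, tof_ok) in evaluate().items():
        print(f"{name:26s} latency window: {lat_ok!s:5s}  ToF bound: {tof_ok}")
```

Every scenario passes the latency window, but only the key that is physically near passes the ToF bound: one microsecond of added delay already implies roughly 150 m of extra distance.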
 
Bluetooth is something that can be relayed and there is only so much Tesla can do to mitigate attacks; Bluetooth doesn't have the required time-of-flight controls to mitigate relaying completely. Pin2Drive is something where Tesla is likely to be able to mitigate any vulnerabilities; there have been a few already that Tesla have patched. It's very unlikely that a risk with P2D would become available to criminals faster than Tesla would mitigate it. It's not going to be 'light work' to have an active bypass of Pin2Drive.

The question then becomes how much value there is in investing in a Bluetooth relay device, to make it worth the time for a car thief to try and use it. If no Teslas had any other protection and they could then steal the car, well it's quite valuable. If 50% have Pin2Drive then its value goes down as you can take half the cars and for the others you could steal luggage, hope for a laptop etc. If everyone had P2D then the only value would be in finding things in the car, likely not worth bothering with. The fewer the cars which are unprotected the less value to criminals in trying.

If everyone kept all their valuables in sophisticated safes would burglars bother breaking into houses? If only 1 in 100 had the same it's worth breaking in to see.
No security measure (in a car) is impenetrable, which is why I caveated my point with 'at the moment'. But the ability to practically relay a Bluetooth connection probably won't be available to your average car thief right now.

Also, there have been virtually no reports that I've seen here or anywhere that 3/Y's have been stolen via relay attacks, and there certainly haven't been reports that a thief has been thwarted by P2D in any great measure if at all (though I'll happily be proven wrong on that). Yes, it's an additional layer of protection but without having a legit key card/fob/phone, I doubt a car thief would be able to get that far 'at the moment', anyway.

And if they were, they would have sophisticated kit with them. I doubt P2D would be as difficult to bypass.

The fact is, Teslas with Bluetooth security are pretty secure right now, and you can activate P2D or not; that car isn't moving without a key inside the cabin.
 
I’m going to go against the grain here and say I’d rather they relay attack it compared to the alternative which is the give me your keys or I’ll knife you approach.

We’ve actually seen no real-world evidence that thieves can steal a Model 3/Y with a relay attack so even then, I’m not sure it adds any real benefit except where you leave your keys in the car.

It’s double insured (regular and replacement new car gap insurance), P2D isn’t a requirement of either so I’m not worried about it.

I know it’s not the right attitude but at the end of the day, if someone wants it badly enough they’ll take it and I’d rather not be held at knife point for the P2D code.
If you are worried about someone knifing you for your P2D then you are right you should not enable P2D. You should move.
 
How many of those using P2D have shared their Tesla token with a 3rd party? If any of those 3rd parties are compromised, your P2D is worthless, and anyone with your token can locate your car, open it without setting off the alarm and drive off in it. If you look at risk in its entirety, that’s probably as big a risk as someone getting to the point of needing the pin and being thwarted if it’s enabled.
 
How many of those using P2D have shared their Tesla token with a 3rd party? If any of those 3rd parties are compromised, your P2D is worthless, and anyone with your token can locate your car, open it without setting off the alarm and drive off in it. If you look at risk in its entirety, that’s probably as big a risk as someone getting to the point of needing the pin and being thwarted if it’s enabled.
Whilst you’re technically correct, the vast majority of the scrotes stealing cars are not at this level of hacking or conspiracy.

They’ll buy a relay device, or target opportunity theft (cars left unlocked).

P2D is a very decent additional layer of security against 99.999999% of the UK's criminal element.

The most likely theft would be a car jacking style event using threat or use of violence to get a phone & pin. But this is a very rare occurrence as the sentence for a “robbery” is generally more than for a “theft”.
 
There are some baseless facts on the effectiveness of P2D flying around in this thread.

Nothing wrong with using P2D, but making stats up doesn’t make it safer. There’s nothing out there to suggest that thieves have been thwarted by P2D.
 
How many of those using P2D have shared their Tesla token with a 3rd party? If any of those 3rd parties are compromised, your P2D is worthless, and anyone with your token can locate your car, open it without setting off the alarm and drive off in it. If you look at risk in its entirety, that’s probably as big a risk as someone getting to the point of needing the pin and being thwarted if it’s enabled.

I think you are confusing a targeted multi vector attack against typically well managed and secured resources with someone losing their phone.
 
No security measure (in a car) is impenetrable, which is why I caveated my point with 'at the moment'. But the ability to practically relay a Bluetooth connection probably won't be available to your average car thief right now.

Also, there have been virtually no reports that I've seen here or anywhere that 3/Y's have been stolen via relay attacks, and there certainly haven't been reports that a thief has been thwarted by P2D in any great measure if at all (though I'll happily be proven wrong on that). Yes, it's an additional layer of protection but without having a legit key card/fob/phone, I doubt a car thief would be able to get that far 'at the moment', anyway.

And if they were, they would have sophisticated kit with them. I doubt P2D would be as difficult to bypass.

The fact is, Teslas with Bluetooth security are pretty secure right now, and you can activate P2D or not; that car isn't moving without a key inside the cabin.
You are correct for today, but as you observe in the first line this isn't the case for all time. The solution to ensure ongoing security is to keep ahead of criminals with controls that don't make it 'worth-it' for them.

Bluetooth is vulnerable to relay and there isn't anything that can be done to stop that, but we can make it something that isn't economically viable for anyone to try. All it takes is one shady individual to figure it out and start selling kits to car thieves, but they won't bother if the vast majority of cars have a secondary protection from P2D; there would be no point buying the kits and no point making them.

Pin2Drive is difficult to bypass, and when it is bypassed then that can be fixed by Tesla, like we have seen already. It doesn't have an inherent protocol-level weakness like Bluetooth.

I would also suggest that advertising in a public internet forum that Tesla owners are happy to trust just one already bypassed control isn't a great idea.