How Secure Are Teslas/Tesla Thefts

[GeorgeSymonds]

How sure are we that this latest issue is MCU1 only?

Also, the owners club really need to kick Tesla to fix this - I've long asked for a time-based immobiliser, so you can say, 10pm to 6am or whatever, the car is utterly undrivable. Won't respond to keys, won't do anything.

In my experience the owners group won't push (or be ineffectual if they do) and Tesla won't either unless it;s really simple, and given they haven't fixed it already, one imagines it's not, or at least not via software alone.

MCU1 is also dead technology as far as Tesla are concerned and pretty much all the cars are out of general warranty now. It seems to be 1 or 2 cars that have been stolen this way, and while very unfortunate for the owners, it's not a pandemic with cars going missing off every street.

(Just to add - I'm not saying I agree they shouldn't, just Tesla seem to be more preoccupied with the next new thing than looking after anythng old)

 

[srichards]

The normal public won't see it as one model with potentially one configuration that can be stolen but as all Teslas can be stolen. It could affect sales of all models.

The quicker the thieves are in prison the better too.

 

[ebyard]

In my experience the owners group won't push (or be ineffectual if they do) and Tesla won't either unless it;s really simple, and given they haven't fixed it already, one imagines it's not, or at least not via software alone.

MCU1 is also dead technology as far as Tesla are concerned and pretty much all the cars are out of general warranty now. It seems to be 1 or 2 cars that have been stolen this way, and while very unfortunate for the owners, it's not a pandemic with cars going missing off every street.

(Just to add - I'm not saying I agree they shouldn't, just Tesla seem to be more preoccupied with the next new thing than looking after anythng old)

Problem is that there are a ton of cars with MCU2 that have either been upgraded from MCU1, or were of the year where MCU2 started being rolled out - and so thieves won't know until they've smashed the window.

If Tesla won't/can't fix this directly, then fine - but give ALL owners more security by adding in extra functionality as I described above.

 

[yessuz]

I wanted to thank everyone for their questions, comments and suggestions following the theft of my car last week, and also to update you ... there's still no sign of it, but a neighbour who lives just 200m away has now also had his Model S stolen this morning!

It was recovered nearby a few hours later, but had been damaged. We met up today to talk it over and this looks like a new type of attack, well at least new to us. Both cars had their passenger window smashed indicating that it was not a cloned key fob or relay attack, both cars had their alarms silenced, and both had pin 2 drive enabled, but both were still driven away in the early hours. The MO was identical in all ways as far as we can tell. Whatever the method, it seems that only physical access was required.

On the recovered car, the underside of the dash had been ripped out to gain access to the electronics and wiring. The thieves were also seen carrying a rucksack so I favour the view that they brought equipment that could be connected into the wiring loom to trick the car into powering up and being driven, possibly a cloned vehicle identity which avoided the pin 2 drive altogether? I don't know this for certain but the evidence of two incidents suggests this.

A word of warning, particularly for Model S owners in the Yorkshire/Derbyshire/Nottinghamshire areas - I'm not sure that a reliance on the electronic security measures is now enough to prevent theft so it might be wise to add a physical layer of security temporarily (steering lock, bollards, or just by blocking the car in on your drive), until this vulnerability is better understood. Anything which makes it harder to take.

Does anyone have a contact number for somebody at Tesla who might be willing to talk this through? It seems like key information they would want to know but whenever I call them I get generic answers and GDPR quoted at me and its so hard to reach anyone in authority. If so, perhaps one of the moderators could exchange our contact info? Be careful out there - there's definitely a heightened risk at the moment.

regarding wires...

start with 1:55 if you are not that into russian language intro
additionally, remove sim, wrap mirror with foil.. and voila

in this video, guy wraps antennas with foil (mirror), then disables alarm (unplugs siren), opens the boot and adds some distortion signal; opens gap in window (here's the breakage of the glass possibly) to open the door, add distortion to another circuit, disconnects the MCU - from there MCU is in Service mode, so he can disable alarms and p2d... and drives of without a key (as not required)

 

[yessuz]

It'll be shipped overseas to a country that doesn't normally have Tesla's and sold that it doesn't connect online.

The 30 minutes would suggest some kind of brute force attack, perhaps Tesla could mitigate that somehow with a retry limit. They clearly need to address the issue. The locking and keys on Model S are very different to Model 3/Y, so let's hope that this attack isn't transferrable. It does seem like a higher risk for the thieves to be present for that long, but clearly, they weren't troubled for both of these incidents.

I almost can guarantee that it will be sold as parts only...

 

[ebyard]

regarding wires...

start with 1:55 if you are not that into russian language intro
additionally, remove sim, wrap mirror with foil.. and voila

Jesus - that's sobering. Time to glue the connectors in and some other stuff. It took longer to hotwire Metros in the 90s

 

[yessuz]

Jesus - that's sobering. Time to glue the connectors in and some other stuff. It took longer to hotwire Metros in the 90s

that's why there's an insurance for that.

to be fair - there is no un-stealable or something cars... it depends on the resources needed vs result.

 

[GeorgeSymonds]

Problem is that there are a ton of cars with MCU2 that have either been upgraded from MCU1, or were of the year where MCU2 started being rolled out - and so thieves won't know until they've smashed the window.

If Tesla won't/can't fix this directly, then fine - but give ALL owners more security by adding in extra functionality as I described above.

The time out immobilser is ok until somebody want to use their car when they weren't expecting it.

I think most people understand security is a game of cat and mouse, people find a weakness and it then generally gets plugged, you can't for instance open the frunk on later cars like in the video, you can only open it if the 12v battery is dead using a 9v battery attached to wires behind the two hook. The relay theft is being addressed by fobs that sleep when not moved. So the issue with the MCU1 cars may have been fixed on later cars, but no retrospective.

Things like P2D I don't use. I find it ironic that we like the convenience of comfort access and saving a second to press a button on a key fob as we approach a car and then delay the drive off while you type in a 4 digit code. Not everyone thinks the same, and it may be a reflection of where I live, and there is no right and wrong. Tesla are occasionally stolen, as @yessuz says thats why we have insurance, but we're a long way from the days when you could open a Ford with half a tennis ball.

Tesla would do well fitting deadlocks on the cars, they don't, but that would have prevented access to the car in the video.

 

[ebyard]

It is cat & mouse; absolutely - the difference is Tesla can do what almost no other OEM can - rapid updates to fix security holes. There is a fool-proof way to allow people to disable their cars (you could also just set the speed limiter, already implemented, to zero) if they so choose. There is simply no excuse for allowing owners cars to be stolen when the fix is probably quite simple.

 

[WllXM]

It is cat & mouse; absolutely - the difference is Tesla can do what almost no other OEM can - rapid updates to fix security holes. There is a fool-proof way to allow people to disable their cars (you could also just set the speed limiter, already implemented, to zero) if they so choose. There is simply no excuse for allowing owners cars to be stolen when the fix is probably quite simple.

Not all vulnerabilities are dependent on software. Some are hardware related and cannot be overcome.
As detailed in the posts above, most thefts first step consists in cutting all comms between the car and Tesla servers, then resetting the MCU, so trying to disable the car from your app or setting a speed limit would be of absolutely no use.

 

[Pink Duck]

At least with Sentry Mode active the thieves would get a visual and auditory alert on approach, that might be sufficient to put off some. Should the door be unlatched from inside while locked the Sentry Alarm state would be entered, brightening screen and playing loud music as form of alarm should the wing-mirror’s aerials be defeated by foil wrap. That’s at least something and better than a generic motion sensor technology. Just being nearby and awake at the time of the attempt should be enough to call police with property theft emergency.

 

[GeorgeSymonds]

At least with Sentry Mode active the thieves would get a visual and auditory alert on approach, that might be sufficient to put off some. Should the door be unlatched from inside while locked the Sentry Alarm state would be entered, brightening screen and playing loud music as form of alarm should the wing-mirror’s aerials be defeated by foil wrap. That’s at least something and better than a generic motion sensor technology. Just being nearby and awake at the time of the attempt should be enough to call police with property theft emergency.

Seems another one got stolen yesterday although quickly recovered. MCU1 cars seem to be the target at the moment, maybe for parts as these cars will be out of warranty, but either way, I suspect many will be AP HW2 or before and therefore not have sentry mode, even if they wanted to use it.

 

[Undecided_2]

that's why there's an insurance for that.

to be fair - there is no un-stealable or something cars... it depends on the resources needed vs result.

Agreed. At the end of the day, it’s just a car. If they really want it, they’ll take it. I feel bad for people facing parts crime. They’re left with a shell. One owner had front doors, seats and other bits removed in less than 60 seconds. It happened twice and was recorded on CCTV.

The Police can’t prosecute and have to hand the parts back as they can’t be identified due to no serial numbers.

Impressive if it wasn’t so upsetting. I’d prefer my car to disappear.

 

[Pink Duck]

Unfortunately can’t tell MCU1 definitively until sat inside the car cabin, having smashed the window and pulled the non-deadlocked internal latch. Tesla Service may give a hint, if outstanding eMMC recall.

 

[Will Fealey]

Hi Everyone, I've highlighted this 'new' theft issue to Tesla UK Management and also the vulnerability team this week to get some answers / push for change etc. I'm now aware of 3 or possibly 4 thefts this week so clearly something is going on. In the meanwhile we've updated this article (How to Defeat Tesla Thieves - Tesla Owners UK) which may help anyone who isn't aware of some of these vulnerabilities, that said if I had a MCU1 Model S in the vulnerable areas (Surrey, Yorkshire, Derbyshire & Nottinghamshire) I'd personally be considering a physical barrier to prevent thefts right now (e.g. blocking the car in with another car / bollards etc) along with the normal things like Passive Entry Off / Pin to Drive on / CCTV at ground level etc etc. Also for anyone affected ensure you send ALL the information about the theft (including your VIN) to [email protected]

 

[Pink Duck]

That first theft had passive entry off, P2D on, secured fobs/phone, opposite facing CCTV, alarm activation, window smash (perhaps the frameless glass inflator tool was at excess pressure), yet was still driven away around 40 minutes later. I'm not sure what more Tesla could do to mitigate after forced entry to alarmed cabin (perhaps the real issue is ability to reset MCU1 by wiring/power intercept without credential), beyond that point needs someone to be awake to realise and request rapid-response law enforcement. Or pay for 24-hour monitoring of a VHF tracker, costing more than the inevitable hit to insurance premium, to get your Tesla returned in a damaged state.

 

[Irata]

Tesla can update the firmware on most components within the car, so can sneak safeguards all over the place if they choose.

There is plenty they can do to mitigate, the car is drive by wire.

Obviously any change needs to be cautious and not introduce a safety risk, but I wouldn't say the game is over.

 

[Pink Duck]

The steering is still physical linkage but with power-assisted control, so a suitable steering lock might mitigate (in terms of requiring power tools to remove).

 

[srichards]

Would a simple way of avoiding the car being driven away be to have a lock out on the charge cable release when the owner is at home so you could only do it via the app and no other method? If you can't unlock the cable from inside the car you cannot drive away. If the tesla wallbox won't let go either then they cannot drive away. You could set hours of operation so if the app didn't work you can at least disconnect the car if the app goes silly.

If you can't leave it plugged in then it's more difficult. But I'd think some kind of additional security or a time based lock out that clearly shows the car cannot be started between certain hours would again stop these people for now while a permanent fix is put in place.

Good old fashioned dongle addition? Take it out of the car and it just makes the car play dead until it's plugged in.

 

[Tony Hoyle]

The pin that holds the charge cable in isn't that strong.. someone who is prepared to trash the MCU isn't going to hesitate breaking it.