
How Secure Are Teslas/Tesla Thefts

Yeah the stolen with pin to drive enabled is concerning, as I'd love to know how - there are a couple of ways to bypass pin to drive around but they generally require the owner to do something to enable it (like leaking their account password and not having 2FA on that).
 
Turns out metal tins aren't actually as effective a Faraday cage as one might hope:


BTW, reports in the Owners Club of multiple thefts and attempted thefts of Model S vehicles in recent days - including one that had PIN to drive enabled. Be careful out there!
Is it still the case that no Model 3/Y have been stolen in a similar manner?
 
They may currently be targeting MS (and one might imagine MX) but we know M3/MY attacks are coming down the line. Security researchers have demonstrated relay attacks against the M3 using phone key; assumed to be applicable to MY and to M3/MY fobs, too. Only a matter of time before the criminals get these tools.


I'm thinking a Disklok might be in order... Anyone know if the small size fits the M3 OK?
 
Yeah the stolen with pin to drive enabled is concerning, as I'd love to know how - there are a couple of ways to bypass pin to drive around but they generally require the owner to do something to enable it (like leaking their account password and not having 2FA on that).
Actually, the forgotten PIN option in the car apparently (not tested myself) doesn't enforce 2FA, even if it's enabled on the account, so if someone can unlock your car, and knows your credentials, then they can drive away. Biggest concern though is that there is no lock out if you make too many failed attempts to enter the PIN. If you have a few hours to spare, you can just try every possible PIN.
 
Actually, the forgotten PIN option in the car apparently (not tested myself) doesn't enforce 2FA, even if it's enabled on the account, so if someone can unlock your car, and knows your credentials, then they can drive away. Biggest concern though is that there is no lock out if you make too many failed attempts to enter the PIN. If you have a few hours to spare, you can just try every possible PIN.
9999 attempts to unlock 😀
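
To put numbers on the missing lockout discussed in the posts above, here is an added example (not from any poster and not Tesla's code) comparing a 4-digit PIN with no lockout against a hypothetical escalating-lockout policy. The 2 seconds per attempt, the `PinThrottle` class and all its parameters are assumptions chosen for illustration.

```python
from dataclasses import dataclass

PIN_SPACE = 10_000        # 4-digit PIN: 0000-9999
SECONDS_PER_TRY = 2.0     # assumption: time to key in one guess by hand


@dataclass
class PinThrottle:
    """Hypothetical policy: after `free_tries` consecutive failures, every
    further failure doubles a lockout delay, capped at `max_delay` seconds."""
    free_tries: int = 5
    base_delay: float = 30.0
    max_delay: float = 3600.0
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, now: float, correct: bool) -> str:
        if now < self.locked_until:
            return "locked"               # rejected without checking the PIN
        if correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        over = self.failures - self.free_tries
        if over >= 0:
            # Clamp the exponent so the delay calculation cannot overflow.
            delay = min(self.base_delay * 2 ** min(over, 20), self.max_delay)
            self.locked_until = now + delay
        return "wrong"


def hours_to_exhaust(throttle=None):
    """Worst-case hours to enter every PIN once, all of them wrong."""
    now = 0.0
    for _ in range(PIN_SPACE):
        if throttle is not None:
            now = max(now, throttle.locked_until)   # wait out any lockout
            throttle.attempt(now, correct=False)
        now += SECONDS_PER_TRY
    return now / 3600


if __name__ == "__main__":
    print(f"no lockout:   {hours_to_exhaust():.1f} hours")
    print(f"with lockout: {hours_to_exhaust(PinThrottle()) / 24:.0f} days")
```
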
 

Here’s How Your Tesla Can Unlock With A New Bluetooth Hack


In a recent study, it turns out attackers can take control of electric cars using Bluetooth Low Energy (BLE). The technique allows attackers to hack into the electric system of Tesla cars or any other Bluetooth devices.

While the hack has only been demonstrated on electric cars, the researchers say that it could also be used on cars with other types of electronic systems, like those that use keyless entry. The Bluetooth relay system uses the phone key of Tesla cars to hack into the security system.

How Does The Hack Work?

Khan explains the hack using two attackers, Attacker 1 and Attacker 2, to hack the locking system on a Tesla Model Y for the demonstration. Attacker 1 is standing near the Tesla’s location while Attacker 2 is in close proximity to the car’s owner.

The proximity matters as the first attacker is out of the range of the owner’s authenticating phone, whereas the second one has a direct internet connection with Attacker 1 and is right in the proximity of the authenticating phone.

Attacker 1 sends an authenticating signal to the Tesla Model Y, impersonating the owner’s credentials, using a Bluetooth-enabled device.

Attacker 1 transfers the Tesla Model Y authentication request received in response from the car to Attacker 2.

The owner’s phone responds to the authentication request received on Attacker 2’s device.

Attacker 2 captures the automatic authentic credential response and relays the message to Attacker 1 promptly.

 
I thought these sorts of attacks were being defeated by the round robin timing of the requests backwards and forwards between the car and the fob/phone. The extra time to relay the request and respond to it could be detected. Maybe one for a future update.

One thing for sure, criminals will always try to keep one step ahead.
 
I thought these sorts of attacks were being defeated by the round robin timing of the requests backwards and forwards between the car and the fob/phone. The extra time to relay the request and respond to it could be detected. Maybe one for a future update.

One thing for sure, criminals will always try to keep one step ahead.

The reason I've put all my physical security in place on our Cars, is because no matter how much you know... the Criminals will know more.

They're at the bleeding edge of their craft, especially electronics... and often we are just playing catchup.

Well... I'd rather just try and keep things a bit physical ... just like the old days.

Physical security means they're going to be delayed, and inconvenienced... which might just be enough to avoid these zero-hour vulnerabilities they seem to find.

I know the lock-picking-lawyer YouTube University is there, but they've still got to be prepared for multi-layer security.
 
I thought these sorts of attacks were being defeated by the round robin timing of the requests backwards and forwards between the car and the fob/phone. The extra time to relay the request and respond to it could be detected. Maybe one for a future update.

One thing for sure, criminals will always try to keep one step ahead.
It can be done, but it's not trivial. The speed of light is approximately one foot per nanosecond, so even if you're 100m away that still adds less than 1µs to the round trip time. On the other hand the latency of a typical remote entry system may be tens of milliseconds, so that extra microsecond just isn't detectable.

It *is* possible to do - BMW's new ultra-wideband (UWB) keyfobs claim to do this - but it certainly won't be just a software update.
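
The timing argument in the post above, worked through as an added example (not from any poster, and not any vendor's implementation): a round-trip-time check has to tolerate the key's own latency variation, and that tolerance sets how much extra path a relay can add unnoticed. The `Verifier` class and the "ble_like" and "uwb_like" figures are assumptions, and only propagation delay is modelled, as in the post.

```python
from dataclasses import dataclass

C = 299_792_458.0   # speed of light, m/s (about one foot per nanosecond)


def added_round_trip_s(extra_distance_m: float) -> float:
    """Extra round-trip time caused purely by a longer signal path."""
    return 2 * extra_distance_m / C


@dataclass(frozen=True)
class Verifier:
    max_distance_m: float   # how far away a legitimate key may be
    reply_time_s: float     # nominal time the key takes to answer
    uncertainty_s: float    # how much that latency and our clock can vary

    def threshold_s(self) -> float:
        # The tolerance must be included, or legitimate keys get rejected.
        return (self.reply_time_s + self.uncertainty_s
                + added_round_trip_s(self.max_distance_m))

    def accepts(self, measured_rtt_s: float) -> bool:
        return measured_rtt_s <= self.threshold_s()

    def undetected_relay_m(self) -> float:
        """Longest extra path that still passes for a key answering on time."""
        return self.max_distance_m + C * self.uncertainty_s / 2


def relayed_rtt_s(v: Verifier, extra_distance_m: float) -> float:
    """RTT seen by the car when a nominal key is relayed over extra distance."""
    return v.reply_time_s + added_round_trip_s(extra_distance_m)


# Assumed figures: tens of ms latency with ms-scale variation for a
# Bluetooth-style link, nanosecond-scale timing for a UWB-style one.
ble_like = Verifier(max_distance_m=2.0, reply_time_s=30e-3, uncertainty_s=5e-3)
uwb_like = Verifier(max_distance_m=2.0, reply_time_s=100e-6, uncertainty_s=2e-9)

if __name__ == "__main__":
    print(f"100 m adds {added_round_trip_s(100) * 1e9:.0f} ns to the round trip")
    for name, v in (("ble_like", ble_like), ("uwb_like", uwb_like)):
        print(name, "accepts 100 m relay:", v.accepts(relayed_rtt_s(v, 100)),
              f"| passes up to {v.undetected_relay_m():.1f} m")
```
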
 
I just force close the app which kills the Bluetooth connection it has to one of the vehicle’s BT proximity sensors so it no longer can be used to open the vehicle until I launch the app again. I find the app noticeably drains my battery so I kill it anyway after I return home and won’t use the car again for a while.
What do you think happens when you have your phone, not touching an app, walk to a car, touch the handle and it unlocks? :)
 
If I force close the app then nothing happens when I touch the door handle, I cannot get in. Killing the app closes any active BT connection and doesn't establish a new one.
This is correct, you can actually see the active Bluetooth connection (albeit a ‘passive’ one) when the app is open in the background on iPhone.