
How were these Teslas stolen?

Someone posted this is another thread, but there was never an in depth analysis. How does this work?

Tesla is working on a new software update to help prevent theft after spike in stolen Teslas in Europe

Firstly, how can the laptop "relay" the key fob signal if it is out of range? Secondly, if it does somehow relay a legitimate signal, how can Tesla possibly address this via software?

Also, removing the SIM quickly is not trivial. Even a professional would take over 1 hour to remove the dash and MCU to remove the SIM. I am skeptical that these car thieves were able to do this.
 
Sounds like they're using this trick:

Just Two of These $11 Gadgets Can Steal a Car

The short of it: they build a repeater. One end is put somewhere near your keyfob, the other near the vehicle. Everything the fob transmits is picked up by the repeater near it and broadcast on the other end near the car, and vice versa; they don't need to crack anything, they just effectively make your keyfob very long range.

Way for manufacturers to defeat the attack: the transmission time needs to be tightly controlled, so that a signal from further away comes in too late.

Way for owners to defeat the attack: keep your keyfob in a faraday cage (metalized or wire mesh pouch).

As for disabling the sim, wouldn't disabling the 12V system be enough? Or parking in a metal crate (even a car trailer) for that matter?
 
Also, it seems that this technique requires two people and one of them has to be within mere feet of the key fob. This does not seem consistent with the info provided in the Electrek article. I am skeptical this was the method used.

"One hacker holds a device a few feet from the victim's key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. "
 
Disabling the 12 V will also disable the vehicle. But yes, they could park it in shielded area. I'm just surprised that they could do that so quickly.

Car trailer around the corner sounds like a really easy solution. Another option is that their chop shop is nearby, so it doesn't matter if they kill the vehicle. Or kill it once it's on a flatbed. Or a variety of other things.
 
Also, it seems that this technique requires two people and one of them has to be within mere feet of the key fob. This does not seem consistent with the info provided in the Electrek article. I am skeptical this was the method used.

"One hacker holds a device a few feet from the victim's key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. "

How do you find that inconsistent with the data from the article? The article describes nothing of who was near the owners. It does describe who was near one of the cars, and it was a guy with a laptop, making it look like a relay attack. The article then says it was likely a relay attack.
 
Granted, he may have had an accomplice.

But more concerning is the fact that the other transmitter must be within a few feet of the key fob. If this were at a house, then the thieves would have to know precisely where the owner stored his key in the house and it would assume that they could approach to the appropriate vicinity. In my house, my fob is on the kitchen counter which is 15 feet away from the exterior.

If this were in an apartment, the thieves would have to gain access to the apartment complex and know precisely which unit the owner lived in. Neither scenario seems terribly likely.
 
Ok. So let's say this is a relay attack then.

You're saying Tesla can simply tighten the timing tolerances such that they can differentiate between a relay and a legitimate signal? If this is true, then why wasn't this done years ago?
 
Ok. So let's say this is a relay attack then.

You're saying Tesla can simply tighten the timing tolerances such that they can differentiate between a relay and a legitimate signal? If this is true, then why wasn't this done years ago?

Who said anything about "simply"? The length of time it takes radio waves to travel one meter between a car and a fob is one one hundred millionth of a second. Putting in timing constraints might not even be possible with the hardware onboard to do directly, although I could envision some creative solutions. It depends on how much ability they have to reprogram both the receiver and the fob itself. Most probably they have to entirely switch transmission methods.

Relay attacks are fairly new... maybe as early as 2014? Originally just for opening car doors... stealing the cars came later.
 
Yes, I appreciate that radio waves travel at the speed of light. But you implied that sending it through 2 relays would introduce a detectable delay (provided that I understood your post correctly).

Yes, the speed of light delay is the minimum delay. The signal is going over a longer distance. It's possible that a repeater might impose additional delays, but it's not fundamentally something that must occur.
 
Yeah, I suppose if they have really sophisticated hardware they could minimize the delay to less than 1 ms.

But, having experience with a home wifi repeater, the latency is always 2-3 ms greater if I connect to the repeater vs directly to the wifi router at similar signal strengths.
 
Ok. So let's say this is a relay attack then.

You're saying Tesla can simply tighten the timing tolerances such that they can differentiate between a relay and a legitimate signal? If this is true, then why wasn't this done years ago?
Software security issues are nothing new, so why don't Tesla close all known ones before the release? Why not fix all buffer overruns, tighten privileges and the like? They are just like any other SW organization out there.

Same deal with these keyfobs, they just did not think about it for whatever reason.

And yes, a crude relay that catches a signal, re-encodes it to be sent to a different device, and then transmits it near the car would introduce a fair bit of latency due to all the processing. Now if you just somehow attach a super antenna to both the keyfob and the car, then the speed of light would make sure you can hardly tell if the fob is nearby or a block away.
 
But, having experience with a home wifi repeater, the latency is always 2-3 ms greater if I connect to the repeater vs directly to the wifi router at similar signal strengths.

Not the same thing. A WiFi repeater isn't just a radio frequency repeater - it is an IP router.

Presumably all that is needed here is a radio frequency repeater.

But this however:
Who said anything about "simply"? The length of time it takes radio waves to travel one meter between a car and a fob is one one hundred millionth of a second.

is actually pretty simple. We can measure the distance that light travels very accurately. That's how lidar works, or even just a simple laser distance measuring device. Even a $50 laser measure is accurate to 1/16th of an inch.
 
is actually pretty simple. We can measure the distance that light travels very accurately. That's how lidar works, or even just a simple laser distance measuring device. Even a $50 laser measure is accurate to 1/16th of an inch.
The difference here is that the laser measure emits the light and then catches it back.
Now the fob is a whole different device; the car does not just bounce the signal off the fob, so you need to play all sorts of games to catch the latency, like having a really precise clock in the fob that you can trust and some measures so that a foreign signal does not impersonate it.
And there's more of course.
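The two mechanisms the thread argues about, the two-box repeater that "just makes the keyfob very long range" and the round-trip timing check proposed as a defence (and the reason it is harder than a laser rangefinder, because the fob has to answer rather than reflect), as one added simulation. This is example code written for this thread, not Tesla's protocol, firmware or fob: radio propagation is modelled as a delay in nanoseconds instead of real RF, and the fob's turnaround time, the repeater pair's processing delay, and the 5 m acceptance range are all assumed values.

```python
"""
Relay attack against a keyfob challenge-response, and the time-of-flight
(distance-bounding) check that defeats it.  Simulation only: propagation is
a computed delay, not RF; FOB_TURNAROUND_NS and the relay delay are assumed.
"""
import hashlib
import hmac
import os
from typing import Optional

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
FOB_TURNAROUND_NS = 100.0  # assumed fixed time for the fob to compute and send its answer


def flight_ns(distance_m: float) -> float:
    """One-way propagation time for a radio signal over distance_m metres."""
    return distance_m / SPEED_OF_LIGHT_M_PER_S * 1e9


def max_rtt_ns(max_range_m: float, tolerance_ns: float) -> float:
    """Round-trip budget a car should accept if the fob must be within max_range_m.
    It only works because the fob's turnaround time is assumed constant and known."""
    return 2 * flight_ns(max_range_m) + FOB_TURNAROUND_NS + tolerance_ns


class Fob:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        # Challenge-response: the fob never transmits its key, only a MAC of the nonce.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Car:
    def __init__(self, key: bytes, rtt_budget_ns: Optional[float] = None) -> None:
        self.key = key
        self.rtt_budget_ns = rtt_budget_ns  # None models a car with no timing check

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, response: bytes, rtt_ns: float) -> bool:
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        if self.rtt_budget_ns is None:
            return True
        return rtt_ns <= self.rtt_budget_ns


class Relay:
    """The two-box repeater: one box near the car, one near the fob.  It forwards
    bytes unchanged, so nothing cryptographic is attacked; it only adds path
    length and its own per-direction processing delay (assumed)."""
    def __init__(self, delay_per_direction_ns: float) -> None:
        self.delay_per_direction_ns = delay_per_direction_ns

    def forward(self, frame: bytes) -> bytes:
        return frame  # bit-for-bit copy


def attempt_unlock(car: Car, fob: Fob, fob_distance_m: float,
                   relay: Optional[Relay] = None) -> bool:
    """Run one unlock exchange and report whether the car accepted it."""
    nonce = car.challenge()
    if relay is None:
        response = fob.respond(nonce)
        extra_ns = 0.0
    else:
        response = relay.forward(fob.respond(relay.forward(nonce)))
        extra_ns = 2 * relay.delay_per_direction_ns
    rtt_ns = 2 * flight_ns(fob_distance_m) + FOB_TURNAROUND_NS + extra_ns
    return car.verify(nonce, response, rtt_ns)


def demo() -> dict:
    key = os.urandom(32)
    fob = Fob(key)
    legacy = Car(key)                                            # no timing check
    bounded = Car(key, rtt_budget_ns=max_rtt_ns(5.0, tolerance_ns=20.0))
    relay = Relay(delay_per_direction_ns=500.0)                  # assumed re-encoding repeater pair
    return {
        "legacy_direct_2m": attempt_unlock(legacy, fob, 2.0),
        "legacy_relayed_30m": attempt_unlock(legacy, fob, 30.0, relay),
        "bounded_direct_2m": attempt_unlock(bounded, fob, 2.0),
        "bounded_relayed_30m": attempt_unlock(bounded, fob, 30.0, relay),
        "bounded_relayed_30m_zero_delay": attempt_unlock(bounded, fob, 30.0, Relay(0.0)),
        "bounded_wrong_key_2m": attempt_unlock(bounded, Fob(os.urandom(32)), 2.0),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32s} {'UNLOCKED' if accepted else 'rejected'}")
```

The relayed exchange passes the MAC check on both cars, which is the point made above about the attackers not needing to crack anything. What separates the two cars is the budget: with the assumed 5 m range it is about 153 ns in total, of which only 33 ns is actual flight time, so the check depends entirely on knowing the fob's turnaround time precisely, and the "super antenna" case (a relay adding no processing delay) is caught only by the extra path length. That is the hardware and precise-clock problem raised in the last two posts.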
 