
How were these Tesla's stolen?

Discussion in 'Technical' started by apacheguy, Aug 15, 2017.

  1. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Someone posted this in another thread, but there was never an in-depth analysis. How does this work?

    Tesla is working on a new software update to help prevent theft after spike in stolen Teslas in Europe

    Firstly, how can the laptop "relay" the key fob signal if it is out of range? Secondly, if it does somehow relay a legitimate signal, how can Tesla possibly address this via software?

    Also, removing the SIM quickly is not trivial. Even a professional would take over 1 hour to remove the dash and MCU to remove the SIM. I am skeptical that these car thieves were able to do this.
     
  2. KarenRei

    KarenRei

    Joined:
    Jul 18, 2017
    Messages:
    1,381
    Location:
    Iceland
    #2 KarenRei, Aug 15, 2017
    Last edited: Aug 15, 2017
    Sounds like they're using this trick:

    Just Two of These $11 Gadgets Can Steal a Car

    The short of it: they build a repeater. One end is put somewhere near your keyfob, the other near the vehicle. Everything the fob transmits is picked up by the repeater near it and broadcast on the other end near the car, and vice versa; they don't need to crack anything, they just effectively make your keyfob very long range.

    Way for manufacturers to defeat the attack: the transmission time needs to be tightly controlled, so that a signal from further away comes in too late.

    Way for owners to defeat the attack: keep your keyfob in a faraday cage (metalized or wire mesh pouch).

    As for disabling the sim, wouldn't disabling the 12V system be enough? Or parking in a metal crate (even a car trailer) for that matter?
     
    • Informative x 2
  3. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Disabling the 12 V will also disable the vehicle. But yes, they could park it in a shielded area. I'm just surprised that they could do that so quickly.
     
  4. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Also, it seems that this technique requires two people and one of them has to be within mere feet of the key fob. This does not seem consistent with the info provided in the Electrek article. I am skeptical this was the method used.

    "One hacker holds a device a few feet from the victim's key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. "
     
  5. KarenRei

    KarenRei

    Joined:
    Jul 18, 2017
    Messages:
    1,381
    Location:
    Iceland
    Car trailer around the corner sounds like a really easy solution. Another option is that their chop shop is nearby, so it doesn't matter if they kill the vehicle. Or kill it once it's on a flatbed. Or a variety of other things.
     
  6. KarenRei

    KarenRei

    Joined:
    Jul 18, 2017
    Messages:
    1,381
    Location:
    Iceland
    How do you find that inconsistent with the data from the article? The article describes nothing of who was near the owners. It does describe who was near one of the cars, and it was a guy with a laptop, making it look like a relay attack. The article then says it was likely a relay attack.
     
  7. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Granted, he may have had an accomplice.

    But more concerning is the fact that the other transmitter must be within a few feet of the key fob. If this were at a house, then the thieves would have to know precisely where the owner stored his key in the house and it would assume that they could approach to the appropriate vicinity. In my house, my fob is on the kitchen counter which is 15 feet away from the exterior.

    If this were in an apartment, the thieves would have to gain access to the apartment complex and know precisely which unit the owner lived in. Neither scenario seems terribly likely.
     
  8. KarenRei

    KarenRei

    Joined:
    Jul 18, 2017
    Messages:
    1,381
    Location:
    Iceland
    "A few feet" is an exaggeration; even a simple cantenna can vastly increase a fob's detectable range. It's all about gain.
     
  9. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Ok. So let's say this is a relay attack then.

    You're saying Tesla can simply tighten the timing tolerances such that they can differentiate between a relay and a legitimate signal? If this is true, then why wasn't this done years ago?
     
  10. KarenRei

    KarenRei

    Joined:
    Jul 18, 2017
    Messages:
    1,381
    Location:
    Iceland
    #10 KarenRei, Aug 15, 2017
    Last edited: Aug 15, 2017
    Who said anything about "simply"? The length of time it takes radio waves to travel one meter between a car and a fob is one one-hundred-millionth of a second. Putting in timing constraints might not even be possible with the hardware onboard to do directly, although I could envision some creative solutions. It depends on how much ability they have to reprogram both the receiver and the fob itself. Most probably they have to entirely switch transmission methods.

    Relay attacks are fairly new... maybe as early as 2014? Originally just for opening car doors... stealing the cars came later.
     
  11. SageBrush

    SageBrush Active Member

    Joined:
    May 7, 2015
    Messages:
    4,372
    Location:
    Colorado
    Apos'trophes in the middle. Dangerous stuff
     
  12. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Yes, I appreciate that radio waves travel at the speed of light. But you implied that sending it through 2 relays would introduce a detectable delay (provided that I understood your post correctly).
     
  13. KarenRei

    KarenRei

    Joined:
    Jul 18, 2017
    Messages:
    1,381
    Location:
    Iceland
    Yes, the speed of light delay is the minimum delay. The signal is going over a longer distance. It's possible that a repeater might impose additional delays, but it's not fundamentally something that must occur.
     
  14. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    Yeah, I suppose if they have really sophisticated hardware they could minimize the delay to less than 1 ms.

    But, having experience with a home wifi repeater, the latency is always 2-3 ms greater if I connect to the repeater vs directly to the wifi router at similar signal strengths.
     
  15. Rockster

    Rockster Active Member

    Joined:
    Oct 22, 2013
    Messages:
    1,183
    Location:
    McKinney, TX
    I reaffirm my desire for an optional "drive away" PIN that one could activate, as desired. If the owner has configured a PIN, then the fob alone would only unlock the car.
     
  16. verygreen

    verygreen Curious member

    Joined:
    Jan 16, 2017
    Messages:
    1,166
    Location:
    TN
    Software security issues are nothing new, so why don't Tesla close all known ones before the release? Why not fix all buffer overruns, tighten privileges and the like? They are just like any other SW organization out there.

    Same deal with these keyfobs, they just did not think about it for whatever reason.

    And yes, a crude relay that catches a signal, re-encodes it to be sent to a different device, and then transmits it near the car would introduce a fair bit of latency due to all the processing. Now if you just somehow attach a super antenna to both the keyfob and the car, then the speed of light would make sure you can hardly tell if the fob is nearby or a block away.
     
  17. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,535
    Location:
    So Cal
    I think it would have helped if Tesla had confirmed this was a relay attack and explained that this is a fairly new attack vector and that it has been patched already. That certainly would have answered all my questions.
     
  18. deonb

    deonb Supporting Member

    Joined:
    Mar 4, 2013
    Messages:
    3,523
    Location:
    Redmond, WA
    Not the same thing. A WiFi repeater isn't just a radio frequency repeater - it is an IP router.

    Presumably all that is needed here is a radio frequency repeater.

    But this however:
    is actually pretty simple. We can measure the distance that light travels very accurately. That's how lidar works, or even just a simple laser distance measuring device. Even a $50 laser measure is accurate to 1/16th of an inch.
     
  19. verygreen

    verygreen Curious member

    Joined:
    Jan 16, 2017
    Messages:
    1,166
    Location:
    TN
    The difference here is that the laser measure emits the light and then catches it back.
    Now the fob is a whole different device; the car does not just bounce the signal off the fob, so you need to play all sorts of games to catch the latency, like having a really precise clock in the fob that you can trust and some measures so that a foreign signal does not impersonate it.
    And there's more, of course.
     
    • Like x 1
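    The timing-based defence debated in posts 13 through 19 is usually called distance bounding: the car sends a fresh challenge, the fob answers it with a keyed response, and the car only accepts a reply that is both authentic and early enough that the fob must be within a few metres. The model below is an added illustration written for this thread, not Tesla's implementation or any real fob protocol; the shared key, the 50 ns fob turnaround time and the 2 m policy are all assumed values.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0                   # speed of light in m/s
FOB_KEY = b"constructed-demo-key"   # shared secret; constructed for this example
FOB_TURNAROUND_S = 50e-9            # assumed fixed fob processing time per challenge
MAX_RANGE_M = 2.0                   # assumed policy: unlock only if the fob is within 2 m


def fob_respond(nonce: bytes, key: bytes = FOB_KEY) -> bytes:
    # Fob side: prove knowledge of the shared key for this fresh challenge.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def max_distance_m(rtt_s: float) -> float:
    # The round trip is two one-way flights plus the fob's turnaround, so the
    # farthest the fob could possibly be is (rtt - turnaround) * c / 2.
    return max(0.0, (rtt_s - FOB_TURNAROUND_S) * C / 2.0)


def direct_channel(distance_m: float):
    # Models a genuine fob `distance_m` away: the only delay is time of flight.
    def send(nonce: bytes):
        rtt = 2.0 * distance_m / C + FOB_TURNAROUND_S
        return fob_respond(nonce), rtt
    return send


def relayed_channel(fob_distance_m: float, relay_latency_s: float):
    # Models the repeater from the thread: the real fob answers correctly,
    # but the reply carries the true time of flight plus the relay's processing.
    def send(nonce: bytes):
        rtt = 2.0 * fob_distance_m / C + FOB_TURNAROUND_S + relay_latency_s
        return fob_respond(nonce), rtt
    return send


def car_should_unlock(channel) -> bool:
    # Car side: fresh nonce each time, then require an authentic reply that
    # also arrived soon enough for the fob to be inside MAX_RANGE_M.
    nonce = secrets.token_bytes(16)
    response, rtt_s = channel(nonce)
    authentic = hmac.compare_digest(response, fob_respond(nonce))
    return authentic and max_distance_m(rtt_s) <= MAX_RANGE_M
```

    Note the caveat verygreen raises: the 2 m budget corresponds to roughly 13 ns of round-trip slack, so a pure RF repeater that adds less delay than that still passes, which is why the check has to be measured in nanoseconds rather than milliseconds.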
  20. S'toon

    S'toon Knows where his towel is

    Joined:
    Apr 23, 2015
    Messages:
    2,516
    Location:
    SK
