
Model S gone in less than 60 seconds

Isn’t it really dumb to steal this car? You can’t disable mobile app access without the account password so the owner would find this car by morning. What am I missing?

The car was a loaner so Pin to Drive couldn’t be enabled as account access isn’t available. The user didn’t disable Passive Entry, which with hindsight was a mistake and would have prevented the theft.

Once in it takes a thief 30 seconds to rip out the SIM unit so that’s the end of the tracking facility. The car will also have been in a metal container and across the English Channel within hours. Next appearance would be as parts on Ebay etc via Eastern Europe.

There were quite a few cars stolen by this method in the UK and it was the Owners Group that pushed for the Pin to Drive function.
 
What is the difference, this relay that you speak of?
Relay is when you amplify the signal of the fob (and the car), so effectively helping the car "hear" the fob and vice-versa - you just increase the range of the fob by relaying the radio signal. A key distinction to note here is that the car is talking to the real fob, just through a relay. Cloning is where you "listen" to the fob talking to the car, and based on that conversation you make yourself a fob you can use later, without the real fob having to be present.

As an analogy, imagine the fob was listening for a challenge question via a microphone and answering it via a speaker. Every time the car says "what is the answer to question 123343419273464" and car fob responds "the answer is 2314573586525". The car doesn't ask the same question twice, so no problem if someone overhears the answer, right? So now you have 2 attacks:
1. Relaying, imagine your fob was in another city, but you are near it and your partner is near the car - you call your partner, then you both put the phones in speaker phone mode, so the car can ask its question and the fob can reply. The phones are *relaying* the conversation.
2. Cloning - this would be equivalent to you listening to a few questions and answers between car and fob, then based on those you figure out a pattern so you can answer any question the car can ask. You've just cloned yourself a fob, because you can pretend to be one.

The OP video shows a relay attack, the person walking close to the house is holding up an antenna trying to get within range of the fob, while the other antenna is pointed at the car, relaying signals between the car and the fob, allowing them to talk to each other.

Tesla was susceptible to both, but later switched to a new system which makes cloning much harder (harder to figure out the pattern of answers from overheard transmissions), but still susceptible to relay attacks. The latter are harder to mitigate, though it is possible (for example, you can precisely measure the time it takes the fob to reply, and if the answer took too long, that indicates it's being relayed).
 
Curious, how far away from an "unprotected" fob can these devices clone or relay the signal?
That's impossible to tell. Radio repeaters can be many times more powerful than the original radios themselves. For example first responders use the same technology for emergency radios and rarely use direct communications, as the power of the repeaters and their ability to "hear" signals are so much better.

As @whitex points out the secret in defeating these is the built in delay while they grab a signal, process it and send it out again. These packets are small so I am not sure how much of a delay there is. But it's probably perceptible so Tesla really needs to think about this as a prevention means.
 
On a keychain hook, I have hanging a Faraday pouch that could hold four keys. That's probably the most universal solution and could have protected a loaner that didn't have pin to drive.

Never a bad thing to use, but just disabling passive entry would have prevented this theft, if this was a loaner Tesla might want to just make it impossible to activate passive entry on their loan fleet...
 

Tesla needs to fix this. This is crazy.
Isn’t it really dumb to steal this car? You can’t disable mobile app access without the account password so the owner would find this car by morning. What am I missing?
They can pull the transmitter.
The car was a loaner so Pin to Drive couldn’t be enabled as account access isn’t available. The user didn’t disable Passive Entry, which with hindsight was a mistake and would have prevented the theft.

Once in it takes a thief 30 seconds to rip out the SIM unit so that’s the end of the tracking facility. The car will also have been in a metal container and across the English Channel within hours. Next appearance would be as parts on Ebay etc via Eastern Europe.

There were quite a few cars stolen by this method in the UK and it was the Owners Group that pushed for the Pin to Drive function.
Jesus. I'm glad UK is the s-hole location and not US (let's hope Boris is as good at fixing UK as Trump was at fixing USA). But people should really take better care of their cars. Loaners should have pins on them, too. Just tell the driver the pin, and change the pin whenever the loaner comes back in. There could also be a facial recognition setting that only requires the pin every week plus whenever your face looks wrong.
 
What they should do is add an accelerometer to the keyfob and stop transmitting 10 seconds after inactivity.

No more relay attacks if the keyfob stops transmitting.

I personally wish the keyfob had an "off" switch so rather than stick the keyfob in a Faraday enclosure, you can just flip the switch off in certain situations.
 
whitex:

Thank you for your detailed answer!
Curious, how far away from an "unprotected" fob can these devices clone or relay the signal?
Significantly farther than usual, because they can use directional antenna and good amplifiers. The corresponding analogy would be using a directional dish microphone and a good amplifier - you can hear someone from way farther away than just using an omnidirectional microphone without an amplifier. Return path would be like using a megaphone.

My guess it wouldn't be very difficult to relay 100 feet through some walls. The longer distance you want to relay, the better equipment you need, but it also gets harder to aim the directional antenna (easy to aim at a fox 100 feet away as compared to one 1000 feet away as the target gets smaller).
 
Tesla needs to fix this. This is crazy.
Just for perspective. This is not a Tesla unique problem. Vast majority of cars on the road with passive entry are susceptible to this. Tesla is using an off the shelf solution like everybody else. For Model 3 they tried to reinvent it using the phone as a fob, which theoretically offers amazing options with all the processing power of a smartphone, but the issue they ran into there is the very large number of different phones this would need to work with makes it hard to optimize (you have to aim at the lowest common denominator) and impossible to thoroughly test. Some day when "phone a fob" will be standardized, and all phone manufacturers (instead of car manufacturers) will test to make sure their phones are compliant with the standard, phones will be a good alternative (think, a phone is a $500-$1000 fob, with all the processing power that comes with that price tag and the battery size you can go a lot).
 
What they should do is add an accelerometer to the keyfob and stop transmitting 10 seconds after inactivity.

No more relay attacks if the keyfob stops transmitting.
Sounds good on the surface, but not very practical solution. As with all such features, the "devil in the details" - if your fob goes to sleep after 10 seconds of inactivity. For example women who leave the fob in the purse will have a problem, they put the purse in the car, they walk around the car for more than 10 seconds, the car locked and they are locked out! There are other drawbacks, but the key point here, any solutions needs to be thoroughly thought out, use cases analyzed, robustly implemented and then thoroughly tested - there is a reason why Elon didn't re-invent the fob (yet), it's not trivial.
 
As @whitex points out the secret in defeating these is the built in delay while they grab a signal, process it and send it out again. These packets are small so I am not sure how much of a delay there is. But it's probably perceptible so Tesla really needs to think about this as a prevention means.
There are a number of other methods besides timing. Timing can be expensive to implement, as precise timing references are expensive to put in fobs, electronics get slower or faster based on age, temperature, or battery state of charge. Other methods could be for example you can play with tx signal levels (change them and observe the relative pattern, not absolute signal strength), you can put multiple antennas on the car and triangulate the fob position (much harder to relay and spoof), or if money is no object and you're willing to live with a fob you have to plug in to charge periodically, put a GPS in the fob and have the car compare its position to the fob and limit the range.

Anyhow, many ways to solve this problem, but they all have trade-offs, including price, longevity, size, battery life, fob size, etc. Also, as with all security things, it's always a cat and mouse game, new protections are developed, then new attack methods defeat them, "rinse, lather, repeat..."
 
Timing can be expensive to implement, as precise timing references are expensive to put in fobs, electronics get slower or faster based on age, temperature, or battery state of charge.
I hear you but it only needs to be done in the car and also only needs to be relative to recent signals.

But now we are doing Tesla's design work for them. :)
 
I hear you but it only needs to be done in the car and also only needs to be relative to recent signals.
Not quite correct. If the fob responses get slower as the battery wears down, or because the fob is hot because it was sitting out in the sun, or simply because it's getting old, the timing on the car will place the fob far away and decline to open the car. Imagine coming home from the beach "anyone has some ice to cool off the fob, because the car won't respond to a hot fob" ;)

As I mentioned earlier, "the devil always in the details". :)

But now we are doing Tesla's design work for them. :)
Not unless they are designing their own keyfob, rather than using off the shelf automotive grade solutions (and as Tesla learned recently - automotive grade matters - just because it works on the bench or for Elon's morning commute, doesn't make it a good solution).
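
An added illustration of the timing discussion in this exchange (not code from any poster or from Tesla): a toy model of the question-and-answer scheme described earlier in the thread, with a reply-time limit checked on the car's side. HMAC-SHA256 stands in for the fob's cipher, which the thread does not specify, and every timing value is a constructed assumption.

```python
import hashlib
import hmac
import os

# Constructed numbers for illustration only; not measurements of any real fob or car.
C_M_PER_US = 299.792458   # radio propagation speed, metres per microsecond
NOMINAL_PROC_US = 200.0   # assumed time the fob needs to compute its answer
RTT_LIMIT_US = 210.0      # assumed longest round trip the car accepts

def answer(key, challenge):
    """The fob's answer: a keyed MAC over the car's question (assumed scheme)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def car_check(key, challenge, response, rtt_us):
    """Return (answer_correct, reply_in_time) for one exchange."""
    correct = hmac.compare_digest(response, answer(key, challenge))
    return correct, rtt_us <= RTT_LIMIT_US

def exchange(key, path_m, proc_us=NOMINAL_PROC_US, relay_delay_us=0.0):
    """Fresh question to the real fob over path_m metres of radio path each way."""
    challenge = os.urandom(16)   # the car never asks the same question twice
    rtt_us = 2 * path_m / C_M_PER_US + proc_us + relay_delay_us
    return car_check(key, challenge, answer(key, challenge), rtt_us)

def overheard_answer_reused(key):
    """An answer recorded for an old question, offered for a new one."""
    old = answer(key, os.urandom(16))
    return car_check(key, os.urandom(16), old, NOMINAL_PROC_US)

def scenarios():
    key = os.urandom(16)  # secret shared by car and fob
    return {
        "fob beside car": exchange(key, 2),
        "overheard answer reused": overheard_answer_reused(key),
        "real fob relayed over 30 m": exchange(key, 30, relay_delay_us=50.0),
        "hot or aged fob beside car": exchange(key, 2, proc_us=215.0),
    }

if __name__ == "__main__":
    for name, (correct, in_time) in scenarios().items():
        print(f"{name:28} answer_correct={correct} reply_in_time={in_time}")
```

In this model the relayed exchange and the slow fob fail the same timing check while both give the correct answer, which is the false-lockout trade-off raised in the posts above.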
 
There are other drawbacks, but the key point here, any solutions needs to be thoroughly thought out, use cases analyzed, robustly implemented and then thoroughly tested - there is a reason why Elon didn't re-invent the fob (yet), it's not trivial.
Any well-rounded adult full time CEO could do this work themselves in their spare time, testing all the use cases, asking people to use their car, watching how others use their car, imagining edge cases all the time.

Problem is, Elon isn't well-rounded in the life experiences category (he's kind of a billionaire with a phony high-flying billionaire lifestyle disconnected from reality), and he is not a full time CEO. Thus, all your statements apply here. Problem with younger graduates doing the designs is that they have no life experience other than a dorm room with foot transport, and their parents' home back before they even had a license, much less a real life car driving experience, unless they were real enough to do things that most degree-holders wouldn't have experienced.
 
Any well-rounded adult full time CEO could do this work themselves in their spare time, testing all the use cases, asking people to use their car, watching how others use their car, imagining edge cases all the time.

Problem is, Elon isn't well-rounded in the life experiences category (he's kind of a billionaire with a phony high-flying billionaire lifestyle disconnected from reality), and he is not a full time CEO. Thus, all your statements apply here. Problem with younger graduates doing the designs is that they have no life experience other than a dorm room with foot transport, and their parents' home back before they even had a license, much less a real life car driving experience, unless they were real enough to do things that most degree-holders wouldn't have experienced.
Actually, it isn't the role of the CEO to test, imagining edge cases, etc. In a traditional company it's the role of proper engineering, which the CEO should ensure the company has. Automotive companies even have standardized design processes for this. Elon is short circuiting the system by taking over the role of QA - "it worked for my commute, ship it". The catch here is, Elon is explicitly not allowing proper engineering process, because that would delay releases and slow down progress. He believes using the agile "continuous shipping and fixing in the field", a development methodology invented for web based products, is his brilliant innovation in the automotive manufacturing field and a competitive advantage. The problem is, it did allow him to ship out products faster than the competition, who take the time to thoroughly design and test things. Unfortunately, Elon's approach is a gambling approach when applied to hardware consumer products - producing hardware products in large volumes. A good example of how this can fail is the whole disaster with yellow screens - a problem they couldn't fix with software, no matter how hard they tried to sell that story to the public. There must be other costs which Tesla is eating due to their agile methodology - having to fix cars after production, retrofit things, etc (why else would service centers be so busy, majority of Teslas on the road are less than 1 year old, they should not be needing any service yet). This is a likely reason why Tesla keeps losing money, despite selling cars like crazy.

Gambling can definitely produce winners, after all someone wins the lottery almost every week. The problem is if you continue gambling, in the long term you usually will lose. You could drive your entire life without car insurance or health insurance and tell people how smart you are saving thousands of dollars, but there is also a chance this lands you in major debt, very ill, or even dead. Some people, like Elon, like to live on the edge.
 
The owner probably didn't have the car transferred to him yet so couldn't set pin to drive. Given how hard it is to get the car registered to my account I wonder what Tesla do with these stolen cars. I'm sure if they can remove unlock and lock that they can brick it and tell the police where it is?

Maybe they take 7 weeks to do that too (OK, Maybe I'm bitter about this registration process:) )
It was a loan car!
 
Disabling passive entry would have protected the car. Not just "auto present door handles" but the entire passive entry, so you'd have to double click on the fob for the handles to present. A little hassle but worth it for peace of mind.

Also, I read some things saying this was a "brand new" 2019 Tesla but it doesn't look like it. It has cyclone wheels which were discontinued ~2 years ago and it also has black vents around the foglights which means this doesn't have premium upgrades, which Tesla made standard in July of 2018. Tesla also made improvements to the key fob cryptography in August of last year which is supposed to protect against relay attacks like this. I had a 2015 Model S and was able to upgrade my keys to the newer version *just in case* even though I've yet to see this type of attack in the US

EDIT: Even the YouTube video says it's a 2019. Definitely not.
It was a service loan car and Tesla don't allow P2D on those because they couldn't keep track of the PIN(s).