
Model X opened driver door itself

Yeah... I don't know how they come up with numbers for that sort of thing, but you will be hard pressed to get BT LE to work at 100 meters. Even passing through a single wall you can expect a 10 dB attenuation. So inside a house, I would still only expect the thing to work at 50 feet.

If this really is from accidental button presses, there is a problem with the design of the key fob to allow false operation so easily. It's like telling your kids it's ok to play with the lawn darts, just be careful with them.


See this Bluetooth Low Energy - Wikipedia

Scroll down to spec part about range.

I do agree with attenuation, but have never seen any formulas to perform attenuation calculations.

Bjorn Nyland did some testing on his Model X fob and came close to the 100 meter number in the spec
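
Added example, not part of any post in this thread: an attenuation (link budget) calculation using the free-space path loss formula and the log-distance model. The 0 dBm transmit power, the path-loss exponent and the function names are assumptions for illustration; the 100 m open-air range and the 10 dB per wall are the figures quoted in the posts above.

```python
import math

C = 299_792_458.0      # speed of light, m/s
BLE_FREQ_HZ = 2.44e9   # middle of the 2.4 GHz band used by Bluetooth LE
TX_DBM = 0.0           # assumed fob transmit power, not a measured value

def fspl_db(distance_m, freq_hz=BLE_FREQ_HZ):
    """Free-space path loss in dB: 20*log10(4*pi*d*f/c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)

def sensitivity_for_range(open_air_range_m, tx_dbm=TX_DBM):
    """Receiver sensitivity (dBm) implied by a given open-air range."""
    return tx_dbm - fspl_db(open_air_range_m)

def received_dbm(distance_m, walls=0, wall_loss_db=10.0, exponent=2.0,
                 tx_dbm=TX_DBM):
    """Log-distance model: free-space loss at 1 m, then 10*n*log10(d),
    plus a fixed loss for every wall in the path."""
    loss = (fspl_db(1.0) + 10 * exponent * math.log10(distance_m)
            + walls * wall_loss_db)
    return tx_dbm - loss

def max_range_m(sensitivity_dbm, walls=0, wall_loss_db=10.0, exponent=2.0,
                tx_dbm=TX_DBM):
    """Largest distance at which the received power still meets sensitivity."""
    budget = tx_dbm - sensitivity_dbm - walls * wall_loss_db - fspl_db(1.0)
    return 10 ** (budget / (10 * exponent))

if __name__ == "__main__":
    # Calibrate the receiver so that open air gives the 100 m quoted above.
    sens = sensitivity_for_range(100.0)
    print(f"implied sensitivity: {sens:.1f} dBm")
    for walls in (0, 1, 2):
        print(f"{walls} wall(s): {max_range_m(sens, walls=walls):6.1f} m")
```

With exponent 2, every 10 dB of extra loss divides the usable range by the square root of 10, about 3.16.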

 
See this Bluetooth Low Energy - Wikipedia

Scroll down to spec part about range.

I do agree with attenuation, but have never seen any formulas to perform attenuation calculations.

Bjorn Nyland did some testing on his Model X fob and came close to the 100 meter number in the spec


If the Tesla remote control operates at 100 meters, I figure that is a defect. One of the few ways people can steal a Tesla is to use a transponder to relay the signal to the car while you are shopping. With a 100 meter range there are many instances where they don't need a transponder.

This past weekend I found my door standing open twice. And that is since I've taken to carefully locking the car after I leave it. I recall last weekend when I found the car unlocked while in a food court, so I used my phone to lock it. Of course I could have possibly forgotten to lock it, but I thought they were supposed to auto lock when you are out of range. This was more like 200 meters and through a wall. I couldn't even see the car when I walked outside.
 
In the early 90s, 30ft was the range of 315MHz keyfobs. Today, 100 meters is on the high end. (I don’t know if the X is Bluetooth or 315MHz.)

I say it’s unintended button pressing.

It’s easy enough for OP to test the range. 50ft is easy for today’s RF key fobs.

Otherwise, only wet circuits cause a malfunction like this. Or flaky software in the body controller.
 
If the Tesla remote control operates at 100 meters, I figure that is a defect. One of the few ways people can steal a Tesla is to use a transponder to relay the signal to the car while you are shopping. With a 100 meter range there are many instances where they don't need a transponder.

This past weekend I found my door standing open twice. And that is since I've taken to carefully locking the car after I leave it. I recall last weekend when I found the car unlocked while in a food court, so I used my phone to lock it. Of course I could have possibly forgotten to lock it, but I thought they were supposed to auto lock when you are out of range. This was more like 200 meters and through a wall. I couldn't even see the car when I walked outside.

I believe autolock is one of the options. So you might want to check and make sure it is enabled. My car auto locks and side mirrors fold in when I walk 30-40 feet away. I use the folding side mirror as my verification.

All BT Low Energy implementations for devices I have seen use encryption to prevent man-in-the-middle attacks. With the sender and receiver having unique 128-bit encryption keys. Once they have been by service personnel the devices will only accept the proper keys to establish a link. Only after this authentication has been successful and the link established can commands (ex. open door) be sent in encrypted format (using the specific device keys). This is considerably different from the older style remote auto keys.

One thing I have noticed on the key fobs is the buttons are very easy to click. So easy that if you have your key in your front pocket with little change it will sometimes click the buttons. So these days I make sure I never have anything in my pocket but the fob, and I never have more than one key on my fob cover. My wife makes sure hers is in a protected area of her purse and not down there with the rest of the stuff.
 
I believe autolock is one of the options. So you might want to check and make sure it is enabled. My car auto locks and side mirrors fold in when I walk 30-40 feet away. I use the folding side mirror as my verification.

Yes, it is set for auto lock. I also click the remote once to lock it and watch for the parking lights to blink.


All BT Low Energy implementations for devices I have seen use encryption to prevent man-in-the-middle attacks. With the sender and receiver having unique 128-bit encryption keys. Once they have been by service personnel the devices will only accept the proper keys to establish a link. Only after this authentication has been successful and the link established can commands (ex. open door) be sent in encrypted format (using the specific device keys). This is considerably different from the older style remote auto keys.

Man in the middle isn't what the thieves use on the Tesla. They use a very simple relay that lets the car see your remote from a long distance away. Tesla should use a time of flight measurement to see how far away the fob is. Then it could lock at some distance regardless of signal strength.


One thing I have noticed on the key fobs is the buttons are very easy to click. So easy that if you have your key in your front pocket with little change it will sometimes click the buttons. So these days I make sure I never have anything in my pocket but the fob, and I never have more than one key on my fob cover. My wife makes sure hers is in a protected area of her purse and not down there with the rest of the stuff.

The buttons seem to be easy to click accidentally, but I don't find them easy to click without taking it out of my pocket. It's a big fob and I try to push it through the material of the pocket so I don't have to take it out, but that seldom works well.
 
Man in the middle isn't what the thieves use on the Tesla. They use a very simple relay that lets the car see your remote from a long distance away. Tesla should use a time of flight measurement to see how far away the fob is. Then it could lock at some distance regardless of signal strength.
What you describe here is the standard method of attack for standard RF keyfobs. While it seems technically feasible that the same thing could be done with simplicity in the sense that there are signals in the air, I've never heard of any sort of Bluetooth extender, much less one that is effectively simply a relay, and it wouldn't make sense to create one solely for a dark market when it could have many very useful legitimate purposes. In theory, because Bluetooth communication is a form of network communication with a handshake, you would need to spoof both the MAC address of the fob and the MAC address of the car in order to repeat Bluetooth, and if that is accurate, you are a man in the middle and the certificate requirement could very well mitigate the possibility. Do you have any evidence to counter this (articles or technical documents specifically discussing this with Bluetooth, for instance)?
 
As follow-up to the post above, did Tesla go to Bluetooth for the Model X, and if so, when? If they did, I assume it was sometime after the Model 3 came out, and I believe gnuarm has an older Model X than that, in which case his fob should be RF and shouldn't have that range, right?
 
What you describe here is the standard method of attack for standard RF keyfobs. While it seems technically feasible that the same thing could be done with simplicity in the sense that there are signals in the air, I've never heard of any sort of Bluetooth extender, much less one that is effectively simply a relay, and it wouldn't make sense to create one solely for a dark market when it could have many very useful legitimate purposes. In theory, because Bluetooth communication is a form of network communication with a handshake, you would need to spoof both the MAC address of the fob and the MAC address of the car in order to repeat Bluetooth, and if that is accurate, you are a man in the middle and the certificate requirement could very well mitigate the possibility. Do you have any evidence to counter this (articles or technical documents specifically discussing this with Bluetooth, for instance)?

You still aren't getting it. There is no need to spoof anything. The "relay" can be a radio receiver and transmitter with no data demodulation. I suppose it has to have two parts to prevent self interference. The first part is near the fob and receives the signal from the fob, mixes it to another frequency and broadcasts it at a high level to the other device which does the same thing, but mixes it back to the original frequency near the car. Then the link frequency doesn't interfere with the original signal. If two way comms are needed there is a reverse link. Either that, or the fob signal has to be received and decoded at the bit level only, then retransmitted at a stronger level so the car can receive it. This does not require any knowledge of what the bits mean or how the message is composed.

I don't know for sure which of these two approaches is used by the thieves. The first method would work pretty well and I can't see an effective method of countering it. The second would introduce measurable delay in the signal path and could easily be detected if the link is two way.

I read about this some months ago and I'm not going to search for it. What I read made perfect sense technically.

I have no idea what you mean about the dark market vs. "legitimate purposes". Thieves have a lot of incentive to steal $100,000 cars. It's not so hard to create either of these devices. They don't have to be productized or mass produced. You can throw together some lab equipment that will fit in a briefcase size. I know someone who created a cell phone jammer from lab equipment he carried in a shopping bag. The incentive for him was just the fun of it. He would be bothered by someone talking loud in a restaurant on a cell phone and boom, the call would drop. Imagine how much effort someone would put into a similar gadget that would let you drive off in a $100,000+ car!
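
Added example, not part of any post in this thread and not Tesla's implementation: a sketch of the time-of-flight check suggested earlier in the thread, run against the direct case and the two relay styles described in the post above. The fixed fob turnaround time, the 10 m limit, the timer ticks and all function names are assumptions for illustration.

```python
C = 299_792_458.0          # speed of light, m/s
FOB_TURNAROUND_S = 150e-6  # assumed fixed, known reply delay inside the fob
MAX_DISTANCE_M = 10.0      # assumed policy: act only if the fob is within 10 m

def true_rtt_s(path_m, relay_delay_s=0.0):
    """Challenge/response round trip: the signal covers the path twice, the
    fob takes its turnaround time, and a relay adds its delay each way."""
    return 2 * path_m / C + FOB_TURNAROUND_S + 2 * relay_delay_s

def measured_rtt_s(rtt_s, tick_s):
    """What the car's timer reports: the round trip rounded to its tick."""
    return round(rtt_s / tick_s) * tick_s

def estimated_distance_m(rtt_s):
    """Distance implied by a measured round trip (never negative)."""
    return max(0.0, C * (rtt_s - FOB_TURNAROUND_S) / 2)

def unlock_allowed(path_m, tick_s, relay_delay_s=0.0):
    """Car-side decision, independent of how strong the signal is."""
    rtt = measured_rtt_s(true_rtt_s(path_m, relay_delay_s), tick_s)
    return estimated_distance_m(rtt) <= MAX_DISTANCE_M

# Constructed scenarios: (label, radio path in metres, relay delay per direction)
SCENARIOS = [
    ("owner next to car", 3.0, 0.0),
    ("analog relay, fob 50 m away", 50.0, 0.0),
    ("analog relay, fob 200 m away", 200.0, 0.0),
    ("decode-and-forward relay, 50 m", 50.0, 20e-6),
]

if __name__ == "__main__":
    for tick in (1e-9, 1e-6):
        # One tick of timing error corresponds to C * tick / 2 metres.
        print(f"timer tick {tick:.0e} s = {C * tick / 2:.2f} m of distance")
        for label, path, delay in SCENARIOS:
            verdict = "unlock" if unlock_allowed(path, tick, delay) else "refuse"
            print(f"  {label:32s} -> {verdict}")
```

A relay that adds no processing delay still lengthens the radio path, so the check refuses it with a 1 ns tick; with a 1 µs tick the 50 m relayed case is accepted, because one tick spans about 150 m.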
 
I almost forgot. Today I got into my car to drive and when I tried to drive away I found a FWD to be open! It wasn't open when I climbed in. These fobs are far too easy to false trigger. I'm going to have to figure out a case to put the fob in while it is in my pocket.

They have hard shell cases for the fobs. Or you start wearing really baggy pants. :)
 
I used to be king of not triple clicking the fob by pocket accidents, but it's happened twice recently, once on wife, once on me.
I vote for making the triple click "close-ALL" event smarter. Like "one click-delay-double click" or something way too complicated to happen by accident in the pants pocket.

old |v2018.50.6|AP2,MCU1,PUP|
new |v2019.8.3|AP2,MCU1,PUP|
 
I used to be king of not triple clicking the fob by pocket accidents, but it's happened twice recently, once on wife, once on me.
I vote for making the triple click "close-ALL" event smarter. Like "one click-delay-double click" or something way too complicated to happen by accident in the pants pocket.

old |v2018.50.6|AP2,MCU1,PUP|
new |v2019.8.3|AP2,MCU1,PUP|
Is it possible that an update (or profile change) turned the "single-click unlock" setting back on for you? I had problems with doors closing when I didn't want to a lot until I turned this setting off to make it triple-click only, and I've heard of other settings changing during an update (plus it could be stored per profile), so this seems like a logical thing to check if the issue is suddenly plaguing you after not being a bother for some time.
 
Is it possible that an update (or profile change) turned the "single-click unlock" setting back on for you? I had problems with doors closing when I didn't want to a lot until I turned this setting off to make it triple-click only, and I've heard of other settings changing during an update (plus it could be stored per profile), so this seems like a logical thing to check if the issue is suddenly plaguing you after not being a bother for some time.

Yer right, thanks! A switch is there to have single or triple click close, so I unselected it.
old |v2019.8.3|AP2,MCU1,PUP|
new |v2019.8.5|AP2,MCU1,PUP|
 
I'm really surprised there can be accidental double clicks while in my pocket. I try to double click to open doors without removing it from my pocket and it often does not work. If it is that hard to operate intentionally, how can it accidentally open so easily?
I had issues frequently when I kept my fob in my pocket. These issues were far worse when the fob was in one of the silicon cases my service center uses for loaner fobs. I've found that hanging my fob from a belt loop works much better. It's not ideal (publicly visible, takes time to attach/detach, etc), but it has mostly solved the problem for me, and I usually know if and how I accidentally double/triple clicked now when I do.