Relay Hack for Model 3

Discussion in 'The UK and Ireland' started by TezzyMod3, Sep 13, 2019.

  1. TezzyMod3

    TezzyMod3 Member

    Joined:
    May 30, 2019
    Messages:
    211
    Location:
    London
    I was wondering whether anyone technical out there knew the answer to this.

    How easy is it to relay hack the Model 3 given that the card works at such low proximity and the app is connected via Bluetooth? I will be adding Pin to drive when it arrives but it’ll be interesting to know.

    Also, from people who already have delivery, if the car is on the drive and your phone on the window sill — is the car unlocked? Don’t want to disable Bluetooth every time I get home.

    edit: window sill as it’s the closest point in the house to the car.
     
  2. davidmc

    davidmc Active Member

    Joined:
    May 20, 2019
    Messages:
    1,105
    Location:
    Leicester
    You have to be really close for the doors to unlock, sometimes I have to wave my trouser pocket at the door which can look a bit odd! :confused: So I would say within a meter of the car, definitely less not more.
     
    • Informative x 1
  3. Tony Hoyle

    Tony Hoyle Member

    Joined:
    May 7, 2019
    Messages:
    540
    Location:
    Stockport, UK
    Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

    Relay of Bluetooth requires specialised hardware and hasn't been done in the wild as far as I'm aware. There are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing).

    The car won't open the door unless the Bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within Bluetooth range, and it won't open.
     
    • Like x 2
    • Informative x 1
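
Added example, not part of the thread or any poster's code: a simulated sketch of the "latency measurements" mitigation mentioned in the post above, showing that a relay which forwards bytes unchanged still passes the cryptographic check and is only caught by round-trip time. The timing values, the `Key` class and `unlock_decision` are assumptions made for illustration and do not describe Tesla's implementation.

```python
import hashlib
import hmac
import os
import statistics

# All timing values are constructed for illustration, not measured
# from any vehicle or phone.
KEY_PROCESSING_S = 0.004   # assumed time the key needs to compute its reply
MAX_MEDIAN_RTT_S = 0.012   # assumed acceptance threshold for a direct link


class Key:
    """Prover: the phone or fob holding the shared secret (hypothetical)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def unlock_decision(car_secret, key, one_way_delays_s, check_latency=True):
    """Run one challenge per simulated one-way link delay.

    Returns (unlock, reason). A relay forwards bytes unchanged, so the MAC
    still verifies; only the added round-trip time gives it away.
    """
    rtts = []
    for delay in one_way_delays_s:
        nonce = os.urandom(16)                     # fresh challenge, no replay
        reply = key.respond(nonce)
        expected = hmac.new(car_secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(reply, expected):
            return False, "bad response"
        rtts.append(2 * delay + KEY_PROCESSING_S)  # simulated clock, no sleeps
    # The median tolerates an occasional jitter spike on a genuine link.
    if check_latency and statistics.median(rtts) > MAX_MEDIAN_RTT_S:
        return False, "round trip too slow"
    return True, "ok"


SECRET = b"constructed-demo-secret"
DIRECT = [0.002, 0.003, 0.002, 0.0025, 0.009]   # constructed, one jitter outlier
RELAYED = [d + 0.015 for d in DIRECT]           # constructed: relay adds 15 ms each way

if __name__ == "__main__":
    print("direct :", unlock_decision(SECRET, Key(SECRET), DIRECT))
    print("relayed:", unlock_decision(SECRET, Key(SECRET), RELAYED))
    print("relayed, no latency check:",
          unlock_decision(SECRET, Key(SECRET), RELAYED, check_latency=False))
```
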
  4. bhanorthy

    bhanorthy Member

    Joined:
    Jul 16, 2019
    Messages:
    53
    Location:
    Sussex
    Call me paranoid but I feel more secure using Keycard only along with pin to drive.

    Any kind of easy entry seems open to attack albeit Bluetooth being more secure than traditional key fobs.
     
  5. Fraank

    Fraank Member

    Joined:
    Jul 21, 2019
    Messages:
    215
    Location:
    UK
    :D Now I'm just picturing Mr Bean and the hand dryer.
     
    • Funny x 2
  6. Smiddy

    Smiddy Supporting Member

    Joined:
    Jun 7, 2019
    Messages:
    127
    Location:
    South West UK
    I was looking at getting a key fob for the M3 (especially while I'm waiting for the car to be linked to my Tesla account) but you can't get them in the UK and it would also suggest the car doesn't have the hardware for passive entry like the S and X do because it clearly states on the key fob that it doesn't do passive entry.

    NFC chips that are in the cards are a passive device so they need an NFC reader quite close in order to work. I would still recommend having PIN to drive enabled though.
     
    • Like x 1
  7. kfinisterre

    kfinisterre Member

    Joined:
    Jan 22, 2020
    Messages:
    5
    Location:
    State of Confusion
    I'm not sure that those are accurate statements at all. In fact, it is demonstrably not true. As I understand it, in more private circles the Model 3 was proven vulnerable in 2018 to SARA (Signal Amplification Relay Attack). In the past week this has been reaffirmed by Twitter user Kevin2600.

    "Although Tesla thinks they are protected from the Relay attack with PIN2Drive. But we are still able to open the door. So risk still there. Anyway, we just purely enjoy the research. I hope you guys like this one :p" Kevin2600 on Twitter

    "So this is a free to share call proved by Tesla. We have managed to find a design flaw in order to relay the Tesla NFC key tag. But Tesla dont think it's a problem. Time to submit then "
    Kevin2600 on Twitter

    As far as the specialized hardware for Relay of bluetooth, I'm pretty sure you could use something like GATTacker.
    securing/gattacker

    BTLEJack
    virtualabs/btlejack

    Although more clunky BTLEJuice could probably pull it off as well.
    DigitalSecurity/btlejuice

    Latency is going to be the main killer of attempts at proof of concept on BLE.

    There is a private Slack group for folks playing around with things of this nature. If anyone is interested, send me a PM and I can get you an invite. Kevin2600 is one of the members of the group now. We are collectively trying to get folks in the scene that are working in parallel to work together and shortcut each other's man-hours for research.

    Pwn2own is a potential driver for some of the folks, others are just having fun with research.
    Tesla returns to Pwn2Own hacking competition with Model 3 as target and prize
     
  9. Bobly

    Bobly Member

    Joined:
    Sep 29, 2019
    Messages:
    116
    Location:
    UK
    Key fobs are on the UK store now and I think the new version does have passive entry.

    “No hands required. Locking and unlocking your Model 3 has never been easier. Keep your key fob in your pocket and simply pull on the door handle for easy entry. Same with the trunk. Your key fob is automatically enabled when you pair with your vehicle.”
     

    • Like x 1
  10. IanB

    IanB Member

    Joined:
    Jul 11, 2019
    Messages:
    103
    Location:
    Merseyside
    haha, me too, that and a load of office workers at the window "That guy really does love his car, a little too much!!!!"
     
    • Funny x 1
  11. VanillaAir_UK

    VanillaAir_UK P plates

    Joined:
    Jun 17, 2019
    Messages:
    4,195
    Location:
    Surrey, UK
    I think PIN to drive is more useful to prevent someone jumping in and driving off whilst for example you are loading your shopping in the boot than accidentally leaving the car unlocked whilst unattended.
     
  12. rohan3au

    rohan3au Member

    Joined:
    Oct 27, 2017
    Messages:
    315
    Location:
    Newcastle, Australia
    There was a case last week here in Australia where the thief just got in the Model 3 and drove away because the owner's phone was only 3 metres away (through a wall), which was still close enough to be able to start the car. Guy got about 5km away when he put it in park, but couldn't get it back into drive again without the phone or keycard. Car was recovered with no damage or anything missing (although the guy who stole it posted a photo and video on Instagram of him driving it, moron). So Pin to drive would have prevented this.
     
    • Informative x 1
    • Like x 1
  13. Daverh

    Daverh Member

    Joined:
    Jul 7, 2019
    Messages:
    249
    Location:
    Newcastle
    I've already had a neighbour comment on how much I must like the car because they often see me, in their words, dry humping it :oops:

    With my phone in my right pocket the doors often don't open on the first attempt.

    Relay attacks are a double edged sword - as much as I'd hate the car to be stolen, I'd rather someone do it that way than forcing their way into my house and threatening my family with their weapon of choice.
     
    • Like x 3
