Relay Hack for Model 3

[TezzyMod3]

I was wondering whether anyone technical out there knew the answer to this.

How easy is it to relay hack the Model 3 given that the card works at such low proximity and the app is connected via Bluetooth? I will be adding Pin to drive when it arrives but it’ll be interesting to know.

Also, from people who already have delivery, if the car is on the drive and your phone on the window sill — is the car unlocked? Don’t want to disable Bluetooth every time I get home.

edit: window sill as it’s the closest point in the house to the car.

 

[davidmc]

You have to be really close for the doors to unlock, sometimes I have to wave my trouser pocket at the door which can look a bit odd! So I would say within a meter of the car, definitely less not more.

 

[Tony Hoyle]

Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

Relay of bluetooh requires specialised hardware and hasn't been done in the wild as far as I'm aware.. there are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing)..

The car won't open the door unless the bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within bluetooth range, and it won't open.

 

[bhanorthy]

Call me paranoid but I feel more secure using Keycard only along with pin to drive.

Any kind of easy entry seems open to attack albeit Bluetooth being more secure than traditional key fobs.

 

[Fraank]

You have to be really close for the doors to unlock, sometimes I have to wave my trouser pocket at the door which can look a bit odd! So I would say within a meter of the car, definitely less not more.

Now I'm just picturing Mr Bean and the hand dryer.

 

[Smiddy]

I was looking at getting a key fob for the M3 (especially while im waiting for the car to be linked to my tesla account) but you cant get them in the UK and it would also suggest the car doesnt have the hardware for passive entry like the S and X do because it clearly states on key fob that it doesnt do passive entry.

NFC chips that are in the cards are a passive device so they need an NFC reader quite close in order to work. I would still recommend having PIN to drive enabled though.

 

[kfinisterre]

Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

Relay of bluetooh requires specialised hardware and hasn't been done in the wild as far as I'm aware.. there are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing)..

The car won't open the door unless the bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within bluetooth range, and it won't open.

I'm not sure that those are accurate statements at all. In fact, it is demonstrably not true. As I understand it, un more private circles the Model 3 was proven vulnerable in 2018 to SARA (Signal Amplification Relay Attack). In the past week this has been reaffirmed by Twitter user Kevin2600.

"Although Tesla thinks they are protected from the Relay attack with PIN2Drive. But we are still able to open the door. So risk still there. Anyway, we just purely enjoy the research. I hope you guys like this one " Kevin2600 on Twitter

"So this is a free to share call proved by Tesla. We have managed to find a design flaw in order to relay the Tesla NFC key tag. But Tesla dont think it's a problem. Time to submit then "
Kevin2600 on Twitter

As far as the specialized hardware for Relay of bluetooth, I'm pretty sure you could use something like GATTacker.
securing/gattacker

BTLEJack
virtualabs/btlejack

Although more clunky BTLEJuice could probably pull it off as well.
DigitalSecurity/btlejuice

Latency is going to be the main killer of attempts at proof of concept on BLE.

There is a private slack group for folks playing around with things of this nature if anyone is interested send me a PM, and I can get you an invite. Kevin2600 is one of the members of the group now. We are collectively trying to get folks in the scene that are working in parallel, to work together, and shortcut each others man hours for research.

Pwn2own is a potential driver for some of the folks, others are just having fun with research.
Tesla returns to Pwn2Own hacking competition with Model 3 as target and prize

 

[kfinisterre]

 

[Bobly]

I was looking at getting a key fob for the M3 (especially while im waiting for the car to be linked to my tesla account) but you cant get them in the UK and it would also suggest the car doesnt have the hardware for passive entry like the S and X do because it clearly states on key fob that it doesnt do passive entry.

NFC chips that are in the cards are a passive device so they need an NFC reader quite close in order to work. I would still recommend having PIN to drive enabled though.

Key fobs are on the UK store now and I think the new version does have passive entry..

“No hands required. Locking and unlocking your Model 3 has never been easier. Keep your key fob in your pocket and simply pull on the door handle for easy entry. Same with the trunk. Your key fob is automatically enabled when you pair with your vehicle.”

 

[IanB]

Now I'm just picturing Mr Bean and the hand dryer.

haha, me too, that and a load of office workers at the window "That guy really does love his car, a little too much!!!!"

 

[MrBadger]

I think PIN to drive is more useful to prevent someone jumping in and driving off whilst for example you are loading your shopping in the boot than accidentally leaving the car unlocked whilst unattended.

 

[rohan3au]

There was a case last week here in Australia where the thief just got in the Model 3 and drove away because the owners phone was only 3 metres away (through a wall) which was still close enough to be able to start the car. Guy got about 5km away when he put it in park, but couldn't get it back into drive again without the phone or keycard. Car was recovered with no damage or anything missing (although the guy who stole it posted a photo and video on instagram of him driving it, moron). So Pin to drive would have prevented this.

 

[Daverh]

Now I'm just picturing Mr Bean and the hand dryer.

I've already had a neighbour comment on how much I must like the car because they often see me, in their words, dry humping it

With my phone in my right pocket the doors often don't open on the first attempt.

Relay attacks are a double edged sword - as much as I'd hate the car to be stolen, I'd rather someone do it that way than forcing their way into my house and threatening my family with their weapon of choice.

 

[svenvv]

Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

Relay of bluetooh requires specialised hardware and hasn't been done in the wild as far as I'm aware.. there are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing)..

The car won't open the door unless the bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within bluetooth range, and it won't open.

Tesla uses apple's iBeacon and the BLE protocol to determine distance in milimeters. The antena is somewhere in the center console.

 

[svenvv]

There was a case last week here in Australia where the thief just got in the Model 3 and drove away because the owners phone was only 3 metres away (through a wall) which was still close enough to be able to start the car. Guy got about 5km away when he put it in park, but couldn't get it back into drive again without the phone or keycard. Car was recovered with no damage or anything missing (although the guy who stole it posted a photo and video on instagram of him driving it, moron). So Pin to drive would have prevented this.

I find that hard to believe. The PhoneKey is required to be inside the car to drive away. The iBeacon quite accurately measures distance. Maybe he (inadvertently) set the car into KeylessDrive mode.

 

[Tony Hoyle]

3m is quite believable if the wall was thin and/or the phone antenna was particularly good. The distance measurement is somewhat variable - some people have reported it working from quite a distance and others it doesn't work if it's in their back pocket. Obviously that's improving with software updates.

It's not using iBeacon. Tesla is not an apple product, and tesla mostly avoid using 3rd party solutions when they can develop their own (even when they shouldn't).

There are 4 bluetooth BLE antennas for the key. Front, back and both mirrors. They use triangulation to measure both distance and direction for accuracy. On some phones you can actually see the 5 separate connections when you're near the car.

 

[Mr H]

You have to be really close for the doors to unlock, sometimes I have to wave my trouser pocket at the door which can look a bit odd! So I would say within a meter of the car, definitely less not more.

Like this.....

 

[davidmc]

Like this.....

View attachment 624906

Crap, didn't realise my sentry video leaked on to YouTube

 

[NewbieT]

You just need two Oompa Loompas

Car stolen without using a key

Birmingham 'relay' car thefts: Police chief demands action

[First two Vids not a Tesla].

Tesla Model S Stolen in 30 Seconds Using Keyless Hack