
Relay Hack for Model 3

I was wondering whether anyone technical out there knew the answer to this.

How easy is it to relay hack the Model 3 given that the card works at such low proximity and the app is connected via Bluetooth? I will be adding Pin to drive when it arrives but it’ll be interesting to know.

Also, from people who already have delivery, if the car is on the drive and your phone on the window sill — is the car unlocked? Don’t want to disable Bluetooth every time I get home.

edit: window sill as it’s the closest point in the house to the car.
 
Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

Relay of Bluetooth requires specialised hardware and hasn't been done in the wild as far as I'm aware. There are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing).

The car won't open the door unless the bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within bluetooth range, and it won't open.
 
I was looking at getting a key fob for the M3 (especially while I'm waiting for the car to be linked to my Tesla account), but you can't get them in the UK. It would also suggest the car doesn't have the hardware for passive entry like the S and X do, because it clearly states on the key fob that it doesn't do passive entry.

NFC chips that are in the cards are a passive device so they need an NFC reader quite close in order to work. I would still recommend having PIN to drive enabled though.
 
Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

Relay of Bluetooth requires specialised hardware and hasn't been done in the wild as far as I'm aware. There are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing).

The car won't open the door unless the bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within bluetooth range, and it won't open.

I'm not sure that those are accurate statements at all. In fact, it is demonstrably not true. As I understand it, in more private circles the Model 3 was proven vulnerable in 2018 to SARA (Signal Amplification Relay Attack). In the past week this has been reaffirmed by Twitter user Kevin2600.

"Although Tesla thinks they are protected from the relay attack with PIN2Drive, we are still able to open the door. So the risk is still there. Anyway, we just purely enjoy the research. I hope you guys like this one :p" Kevin2600 on Twitter

"So this is a free to share call proved by Tesla. We have managed to find a design flaw in order to relay the Tesla NFC key tag. But Tesla don't think it's a problem. Time to submit then" Kevin2600 on Twitter

As far as the specialised hardware for relay of Bluetooth, I'm pretty sure you could use something like GATTacker (securing/gattacker) or BTLEJack (virtualabs/btlejack).

Although more clunky, BTLEJuice (DigitalSecurity/btlejuice) could probably pull it off as well.

Latency is going to be the main killer of attempts at proof of concept on BLE.

There is a private Slack group for folks playing around with things of this nature. If anyone is interested, send me a PM and I can get you an invite. Kevin2600 is one of the members of the group now. We are collectively trying to get folks in the scene who are working in parallel to work together and shortcut each other's man-hours of research.

Pwn2own is a potential driver for some of the folks, others are just having fun with research.
Tesla returns to Pwn2Own hacking competition with Model 3 as target and prize
 
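An added illustration, not part of this thread and not Tesla's protocol or any of the tools named above: a toy challenge/response with a round-trip-time bound, i.e. the "latency measurements" mitigation mentioned earlier, run against a nearby phone, a protocol-level relay of the GATTacker kind, and a pure RF amplifier. The key, the BLE timings, the relay link latency and the acceptance threshold are all assumed values chosen to be plausible, not measurements.

```python
import hashlib
import hmac
import os
import random

# Constructed simulation (not Tesla's key protocol): the car sends a random
# nonce, the phone answers HMAC-SHA256(key, nonce), and the car accepts only
# if the tag verifies AND the measured round-trip time (RTT) is under a bound.
# Every timing below is an assumed, plausible-for-BLE number, not a measurement.

BLE_CONN_INTERVAL_US = 7_500       # assumed: the minimum BLE connection interval, 7.5 ms
PHONE_JITTER_US = 1_500            # assumed scheduling jitter on the phone side
SPEED_OF_LIGHT_M_PER_US = 299.79   # radio propagation, metres per microsecond


class Phone:
    """Legitimate key holder: answers each challenge with an HMAC over the nonce."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class DirectChannel:
    """Phone within radio range. RTT = propagation + one BLE interval + jitter."""

    def __init__(self, phone: Phone, distance_m: float, rng: random.Random):
        self.phone, self.distance_m, self.rng = phone, distance_m, rng

    def exchange(self, nonce: bytes):
        propagation_us = 2 * self.distance_m / SPEED_OF_LIGHT_M_PER_US
        rtt_us = propagation_us + BLE_CONN_INTERVAL_US + self.rng.uniform(0, PHONE_JITTER_US)
        return self.phone.respond(nonce), rtt_us


class ProtocolRelayChannel:
    """GATTacker-style relay: two boxes forward the GATT traffic over a second
    link (Wi-Fi/LTE). Each direction pays that link's latency plus a second BLE hop."""

    def __init__(self, inner: DirectChannel, link_latency_us: float):
        self.inner, self.link_latency_us = inner, link_latency_us

    def exchange(self, nonce: bytes):
        tag, rtt_us = self.inner.exchange(nonce)
        return tag, rtt_us + 2 * (self.link_latency_us + BLE_CONN_INTERVAL_US)


class AmplifierChannel:
    """RF-level amplification (the SARA idea): the signal is boosted, not
    decoded and re-sent, so the only added delay is the extra propagation."""

    def __init__(self, inner: DirectChannel, extra_distance_m: float):
        self.inner, self.extra_distance_m = inner, extra_distance_m

    def exchange(self, nonce: bytes):
        tag, rtt_us = self.inner.exchange(nonce)
        return tag, rtt_us + 2 * self.extra_distance_m / SPEED_OF_LIGHT_M_PER_US


class Car:
    """Verifier: correct HMAC and RTT within bound, otherwise no unlock."""

    def __init__(self, key: bytes, max_rtt_us: float):
        self.key, self.max_rtt_us = key, max_rtt_us

    def unlock_allowed(self, channel) -> bool:
        nonce = os.urandom(16)
        tag, rtt_us = channel.exchange(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False            # wrong key, or tag tampered in transit
        return rtt_us <= self.max_rtt_us


def run_scenarios(seed: int = 1) -> dict:
    """Unlock decision for a nearby phone, a protocol relay and an RF amplifier."""
    key = b"constructed-demo-key-not-a-real-secret"
    rng = random.Random(seed)
    phone = Phone(key)
    car = Car(key, max_rtt_us=2 * BLE_CONN_INTERVAL_US)   # assumed bound: two intervals
    near = DirectChannel(phone, distance_m=1.0, rng=rng)
    return {
        "direct": car.unlock_allowed(near),
        "protocol_relay": car.unlock_allowed(ProtocolRelayChannel(near, link_latency_us=20_000)),
        "amplifier": car.unlock_allowed(AmplifierChannel(near, extra_distance_m=30.0)),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:15s} unlock={'yes' if allowed else 'NO'}")
```

The protocol relay fails the bound because it has to decode the BLE traffic and re-send it over a second link, which is why latency is the main killer for that style of proof of concept. The amplifier passes: boosting the RF signal adds only extra propagation time, a fraction of a microsecond, so a latency check alone does not address the signal-amplification case raised in this post.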
I was looking at getting a key fob for the M3 (especially while I'm waiting for the car to be linked to my Tesla account), but you can't get them in the UK. It would also suggest the car doesn't have the hardware for passive entry like the S and X do, because it clearly states on the key fob that it doesn't do passive entry.

NFC chips that are in the cards are a passive device so they need an NFC reader quite close in order to work. I would still recommend having PIN to drive enabled though.
Key fobs are on the UK store now and I think the new version does have passive entry.

“No hands required. Locking and unlocking your Model 3 has never been easier. Keep your key fob in your pocket and simply pull on the door handle for easy entry. Same with the trunk. Your key fob is automatically enabled when you pair with your vehicle.”
 

There was a case last week here in Australia where the thief just got in the Model 3 and drove away because the owner's phone was only 3 metres away (through a wall), which was still close enough to be able to start the car. The guy got about 5 km away when he put it in park, but couldn't get it back into drive again without the phone or keycard. The car was recovered with no damage or anything missing (although the guy who stole it posted a photo and video on Instagram of him driving it, moron). So PIN to drive would have prevented this.
 
:D Now I'm just picturing Mr Bean and the hand dryer.

I've already had a neighbour comment on how much I must like the car because they often see me, in their words, dry humping it :oops:

With my phone in my right pocket the doors often don't open on the first attempt.

Relay attacks are a double edged sword - as much as I'd hate the car to be stolen, I'd rather someone do it that way than forcing their way into my house and threatening my family with their weapon of choice.
 
Relay of the card is almost impossible, it has no active power source. You'd need a bloody big antenna to activate it at any distance.

Relay of Bluetooth requires specialised hardware and hasn't been done in the wild as far as I'm aware. There are a number of mitigations possible if it becomes a thing in the future (verify GPS location, disable BT radios when the phone is not moving, latency measurements, that kind of thing).

The car won't open the door unless the bluetooth device is less than a couple of feet away. Not sure how it determines that but I can leave my phone in the living room right next to the car & well within bluetooth range, and it won't open.


Tesla uses Apple's iBeacon and the BLE protocol to determine distance in millimetres. The antenna is somewhere in the centre console.
 

There was a case last week here in Australia where the thief just got in the Model 3 and drove away because the owner's phone was only 3 metres away (through a wall), which was still close enough to be able to start the car. The guy got about 5 km away when he put it in park, but couldn't get it back into drive again without the phone or keycard. The car was recovered with no damage or anything missing (although the guy who stole it posted a photo and video on Instagram of him driving it, moron). So PIN to drive would have prevented this.

I find that hard to believe. The PhoneKey is required to be inside the car to drive away. The iBeacon quite accurately measures distance. Maybe he (inadvertently) set the car into KeylessDrive mode.
 
3m is quite believable if the wall was thin and/or the phone antenna was particularly good. The distance measurement is somewhat variable - some people have reported it working from quite a distance and others it doesn't work if it's in their back pocket. Obviously that's improving with software updates.

It's not using iBeacon. Tesla is not an Apple product, and Tesla mostly avoids using third-party solutions when it can develop its own (even when it shouldn't).

There are 4 bluetooth BLE antennas for the key. Front, back and both mirrors. They use triangulation to measure both distance and direction for accuracy. On some phones you can actually see the 5 separate connections when you're near the car.
 
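An added illustration, not from this thread and not Tesla's code: the log-distance path-loss model that iBeacon-style ranging uses to turn RSSI into a distance, a least-squares position fix from several antennas, and the effect of an attacker's amplifier on the result. The thread disagrees on whether the car actually uses iBeacon; the model below is the generic one and settles nothing about that. The four antenna positions, the calibrated transmit power, the path-loss exponent and the 1 m gate radius are all assumed values.

```python
import math

# Constructed example: turning BLE signal strength (RSSI) into a distance with
# the log-distance path-loss model that iBeacon-style ranging uses, combining
# several antennas, and seeing what an amplifier does to the result. Nothing
# here is Tesla's code; antenna layout, calibrated TX power, path-loss exponent
# and the gate radius are all assumed.

TX_POWER_AT_1M_DBM = -59.0    # assumed calibrated RSSI at 1 m (a typical beacon value)
PATH_LOSS_EXPONENT = 2.0      # assumed: free space; indoors is usually 2 to 4

# Assumed antenna positions in metres, car frame: x across, y along the length.
ANTENNAS = {
    "front": (0.0, 2.0),
    "rear": (0.0, -2.0),
    "left_mirror": (-1.0, 0.5),
    "right_mirror": (1.0, 0.5),
}


def rssi_to_distance(rssi_dbm, tx_power_at_1m=TX_POWER_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Invert RSSI = P_1m - 10 * n * log10(d)."""
    return 10 ** ((tx_power_at_1m - rssi_dbm) / (10 * n))


def distance_to_rssi(distance_m, tx_power_at_1m=TX_POWER_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Forward model: the RSSI an antenna sees from a phone distance_m away."""
    return tx_power_at_1m - 10 * n * math.log10(distance_m)


def multilaterate(anchors, distances):
    """Least-squares 2-D position from three or more anchor distances.
    Subtracting the first anchor's circle equation from the others removes the
    quadratic terms, leaving a linear system solved via the normal equations."""
    names = list(anchors)
    x0, y0 = anchors[names[0]]
    d0 = distances[names[0]]
    rows = []
    for name in names[1:]:
        xi, yi = anchors[name]
        di = distances[name]
        rows.append((2 * (xi - x0), 2 * (yi - y0),
                     d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det


def observed_rssi(phone_xy, gain_db=0.0):
    """RSSI each antenna sees for a phone at phone_xy; gain_db models an
    attacker's amplifier boosting every link by the same amount."""
    return {name: distance_to_rssi(math.hypot(phone_xy[0] - ax, phone_xy[1] - ay)) + gain_db
            for name, (ax, ay) in ANTENNAS.items()}


def estimate_position(phone_xy, gain_db=0.0):
    """Where the car thinks the phone is, from the RSSI it observes."""
    distances = {name: rssi_to_distance(r) for name, r in observed_rssi(phone_xy, gain_db).items()}
    return multilaterate(ANTENNAS, distances)


def unlock_allowed(phone_xy, gain_db=0.0, gate_radius_m=1.0):
    """Proximity gate: unlock if the estimated position is within gate_radius_m
    of the car's origin. Returns (estimated_range_m, allowed)."""
    x, y = estimate_position(phone_xy, gain_db)
    estimated_range = math.hypot(x, y)
    return estimated_range, estimated_range <= gate_radius_m


if __name__ == "__main__":
    print("phone 3 m off the right side, no amplifier:", unlock_allowed((3.0, 0.0)))
    print("same phone, attacker adds 20 dB:", unlock_allowed((3.0, 0.0), gain_db=20.0))
    print("RSSI +/-3 dB at 1 m reads as",
          rssi_to_distance(-56.0), "to", rssi_to_distance(-62.0), "m")
```

With exact readings the four antennas recover the phone's position and the 3 m case is refused. Add 20 dB of gain to every link and each antenna's distance estimate shrinks ten-fold, so the least-squares fix lands near the centre of the car and the gate opens: the "signal amplification" in SARA is exactly this. The last line shows the noise floor of the method, a 3 dB error at 1 m already moves the estimate between roughly 0.7 m and 1.4 m, which is consistent with the pocket-to-pocket variability people report above.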