Stolen Model 3

[ceekz]

I thought it was interesting that while the GPS tracking was turned off, the car was tracked via Supercharger use. I think the thief had someone on the inside to bypass the protocols.

 

[DrDabbles]

Has this been posted?

Tesla Model 3 Stolen From Mall of America Using Only a Smartphone
Tesla Model 3 rental was stolen by reusing authentication key, thief caught days later in another state

With cars becoming more connected than ever, cybersecurity is a hot-button topic that extends past your computer screen and into your car. Using a bit of technology, an alleged car thief was able to get his hands on a Model 3 at the Mall of America and drive away without needing a key. The alleged crime was reportedly committed via smartphone.

A computer forensics specialist who commented on the happenings of the incident was able to narrow down just how the alleged stolen Tesla was taken with such reported ease. The person allegedly responsible for taking the car is believed to have reached out to Tesla's customer support to add the stolen Model 3 to his Tesla account by its vehicle identification number. Once the vehicle was accessible on a smartphone that was signed into this person’s account, he was reportedly able to unlock the car and drive away without ever needing a key.

Several days later, the alleged car thief was tracked down and arrested in the stolen car in Waco, Texas, more than 1,000 miles south of its starting point in Minnesota. Since this person disabled GPS tracking on the car, the owner had to utilize a different method of tracking down the alleged crook. The owner tracked the location of the car's Supercharging and provided it to local authorities where they promptly located the car and arrested the man behind the wheel.

There are some pretty important details missed here. The person had previously rented this car, and the owners enrolled his phone as a key. Do not do this. Enrolling the phone very likely was the factor that made Tesla add it to his account after verification of details. I've seen people saying this was a masterful social engineering exploit, but it wasn't. It was a person that had every detail about the car and owner, and their phone had already been assigned to the vehicle when he rented it. By every measure, this would seem like a transfer to nearly everybody. And faking documents like a bill of sale or something is super trivial since every state/county/municipality in the US has their own janky system.

If you don't want someone to steal your model 3, hand them the key card and don't add their phone to your car's security system. This whole story is about a dumb person and a marginally smarter but also dumb person doing dumb stuff together.

Also, theft of rental cars is unbelievably common. Here's a fun story about a Ferrari being stolen from an exotics rental agency.

 

[focher]

I actually recently bought a Model 3 for my parents. After two weeks where I provided documentation (DL etc), Tesla still has not transferred the car into their Tesla account. I'm pretty confident that it's not easy to get Tesla to just transfer accounts.

 

[Mbutler888]

Toll free numbers like Tesla's number get the ANI, the ANI is very reliable. ANI cannot be blocked like Caller ID

Automatic number identification - Wikipedia

The telco gets the ANI not the call center. And anyway, with a SIP trunk, the ANI matches the caller ID, so easily spoofed.

 

[Abstrakt1]

The telco gets the ANI not the call center. And anyway, with a SIP trunk, the ANI matches the caller ID, so easily spoofed.

This is correct. The SIP trunk would be handed off the caller ID from the telco rather than the actual ANI. They do it this way for integration with other parts of the platform where they may want an account number retrieved based on the phone number calling in. It is very easy to spoof the number and contact center software is unlikely to ever handle the actual ANI.

I want the facts around this story though. The most likely story in my mind is that they logged the guys phone into the car when he rented it and never made him delete it. So they basically gave him the key and he just got in and took off without calling anyone or doing anything magical.

 

[DrDabbles]

Toll free numbers like Tesla's number get the ANI, the ANI is very reliable. ANI cannot be blocked like Caller ID

Automatic number identification - Wikipedia

The subscriber may receive the ANI, but likely does not. I've managed medium-sized telephony systems, and our LEC only offered ANI bundled with our monthly call data reports. They did not support forwarding ANI to us. When we switched from our DS lines to SIP trunks, we also changed providers and they also did not support forwarding ANI.

Also, ANI only forwards the BTN, not the calling number/extension. This is important because you can forward your calls through a service that doesn't provide ANI and effectively get that information scrubbed. The receiving telco sees an invalid number. We used to get tons of (000) 000-0000 entries in our billing reports.

The telco gets the ANI not the call center. And anyway, with a SIP trunk, the ANI matches the caller ID, so easily spoofed.

With a SIP trunk the ANI matches the billed telephone number, which is not necessarily the calling number. And many SIP providers strip the real ANI out and replace it with invalid data. Caller ID is completely separate and is populated by the subscriber. We used to have banks of hundreds of phone numbers that customers would port in, they'd send us what they wanted as caller ID info, and we'd upload that to our LEC to be populated (once a month) in their database. Every one of those caller ID entries would be the same, regardless of actual number.

They do it this way for integration with other parts of the platform where they may want an account number retrieved based on the phone number calling in. It is very easy to spoof the number and contact center software is unlikely to ever handle the actual ANI.

The second part is the most likely reason why ANI may not be used. Though, newer call center software is much better at handling the feature sets of PBXs and other Telephony systems. Cisco's agent software has tons of hooks and works really well as long as you're willing to customize it.

Anyway, CID and ANI are basically a best effort. You have to expect incorrect, stripped, or invalid data with both services. Tons more info on codes can be found NANPA : North American Numbering Plan Administration

 

[smartypnz]

I thought it was interesting that while the GPS tracking was turned off, the car was tracked via Supercharger use. I think the thief had someone on the inside to bypass the protocols.

Probably tracked by the owners 'My Tesla' page for the charging bill amounts.

But, wait a minute.... if I report my Tesla has been stolen can't Tesla disable Supercharging?

 

[SageBrush]

I read the same article earlier. Really pissed me off - seems like he must have tricked a support rep into adding the car to his app. That support rep gave him the car.

Read Kevin Mitnick, a cracker turned hacker: "social engineering" is a LOT easier than code breaking.

 

[dsvick]

I assume it is still true that you can not have the same car in multiple accounts, if you wanted to access the car from multiple cell phones you had to have the app loaded and log in with the same credentials. If that's the case then it sounds like the person who he rented it from had to have given him access to his account and then never changed the password when the rental was over. So all Tesla did was reauthorize his phone as a key, since he already had access to the account.