Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

Switch off "Passive Entry" NOW!!

PW.S75D

Member
May 6, 2018
8
9
Bury St. Edmunds
I have twice now had my car opened by what is probably a "relay attack".
Both times i returned to the car (2017 Model S) to find the courtesy lights on and the door handles presented.
As it was night time in both cases in an unlit car park area i could it from probably 60 Metres away.
Tesla seems to think it is ok as other manufactures cars suffer from the same attacks.
I don't know if other owners received this email from Tesla, so if you did not here is a copy:-

We would like to share some tips for ensuring the safety of your Tesla. When enabled, our Passive Entry setting will automatically unlock the doors of your Model S when you approach it with your key. Relay attacks, a type of vehicle break-in that can be targeted at vehicles from many manufacturers including Tesla, allows an attacker to transmit a signal from your key in one location to your car in another location, thereby creating the potential for unauthorised access and entry.
You can decrease the likelihood of unauthorised entry by disabling Passive Entry when parked in public spaces or storing your key in a holder which blocks electromagnetic transmissions, such as a RFID-blocking sleeve or Faraday cage.
To disable Passive Entry, touch Controls > Settings > Doors & Locks > Passive Entry > OFF. Please note that you must press the brake pedal to power Model S on before you can change this setting.
 

boaterva

Supporting Member
Supporting Member
Apr 2, 2016
7,588
3,829
Northern Virginia, USA
As far as we’ve seen (anyone?) this email has appeared only in Europe and other places where this attack has occurred. I don’t think it’s been seen in the continental US.

As for disabling Passive Entry, definitely anyone can do so and see if the peace of mind is worth the extra inconvenience.

Another option is as mentioned to keep keys in a faraday bag at home so drive bys can’t capture the signal. (Depends how busy your home road is, of course!).

Sorry to hear the practice has reached your area!
 
  • Like
Reactions: .jg.

widodh

Model S 85 and 100D
Jan 23, 2011
6,860
2,823
Venlo, NL
In Europe this is very, very, very common indeed. Even Tesla owner I meet I advise them to turn it off.

It's a matter of time before this reaches the US and Model S/X are stolen using this attack. So please, indeed, turn it OFF!
 
  • Like
Reactions: .jg.

E-Ryc

Member
Jun 6, 2018
154
131
Prague, CZ (EU)
@PW.S75D Why would anyone open the car twice and do/steal nothing? Not mentioning that once the fob is no longer "nearby" the car locks again. I'd guess that either someone uses 433MHz range extender nearby for some other purpose (and your car unlocked is just side effect) or there are some exceptional conditions and for works from longer distance than usual.
 

J1mbo

Active Member
Aug 20, 2013
1,609
1,459
UK
60 meters does seem quite a distance for a relay attack, most I've seen online are maybe 5-10meters between the two pieces of equipment.

I wonder if someone's running a good old fashioned jammer in that car park. This just prevents the car from being locked when you click the button. Many people don't check that their car has locked once they click the remote, and that means the miscreants can rummage through unlocked cars for loot without setting off any alarms.

Just make sure you have walk-away locking enabled and PE disabled.
 

boaterva

Supporting Member
Supporting Member
Apr 2, 2016
7,588
3,829
Northern Virginia, USA
Also not downplaying, I also did this once. Closed my driver’s door all the way but not quite. And from there the power close won’t work. And you can’t do it remotely. Eek! I saw the door open on Remote S later and rushed back and it was open about an inch.

Allen has a wish list entry from me for some sort of notification setting in the app for this.

But for OP’s being one or the other, your own risk tolerance will have to decide whether you disable PE or not.
 

boaterva

Supporting Member
Supporting Member
Apr 2, 2016
7,588
3,829
Northern Virginia, USA
60 meters does seem quite a distance for a relay attack, most I've seen online are maybe 5-10meters between the two pieces of equipment.

I wonder if someone's running a good old fashioned jammer in that car park. This just prevents the car from being locked when you click the button. Many people don't check that their car has locked once they click the remote, and that means the miscreants can rummage through unlocked cars for loot without setting off any alarms.

Just make sure you have walk-away locking enabled and PE disabled.
Btw this is why we want the walkaway lock sound added to the S and X as well as the 3! :D
 

Joe F

Disruption is hard.
Sep 19, 2016
2,013
9,450
Outside Philly
Out of an abundance of caution, I have had PE disabled since this issue first surfaced. Annoying, especially once in the S and sometimes have to use the fob to unlock before starting and have to unbuckle and dig it out of my pocket. Perhaps worth the peace of mind though if this ever becomes a thing in the USA.

One funny episode: Had to drop the car off for its yearly State Inspection (read money grab) and watch as the mechanic tried to unlock the car by repeatedly waving the fob at the B pillar. Had a good chuckle out of that, and had to go out and show him how to unlock it.
 
  • Funny
Reactions: Lasairfion

.jg.

Member
Feb 27, 2018
449
386
Weston Super Mare, England
I was under the impression that update 2018.18 changed the default setting of Passive Entry to OFF (but it can be re-enabled in settings).

I too would like a sound to confirm that the car is locked when you walk away (ideally, the sound should be programmable).
 
  • Like
Reactions: mburnet6

PW.S75D

Member
May 6, 2018
8
9
Bury St. Edmunds
I always check that the car locks with walk away locking selected, because i do not trust it.
It can sometimes be annoying because i have to stop walking, If not i will be loosing sight of the car before it locks.
So both times it was defiantly locked.
 

Need

Active Member
Nov 22, 2017
3,031
2,337
Rancho Cucamonga
I always check that the car locks with walk away locking selected, because i do not trust it.
It can sometimes be annoying because i have to stop walking, If not i will be loosing sight of the car before it locks.
So both times it was defiantly locked.

But if someone uses this method to unlock your car and got in to steal stuff, the car would not have stayed unlock when you got back. Once they left, the car locked back up itself.

Here in the US, thieves use a more primitive method... smash and grab. No need to fiddle with technology.
 
  • Like
  • Funny
Reactions: MarkKW and mburnet6

Ande

Member
Jul 28, 2017
743
623
Norway
As far as we’ve seen (anyone?) this email has appeared only in Europe and other places where this attack has occurred. I don’t think it’s been seen in the continental US.

Unless US is kind of technologically impaired, it's going on in US too, ... on the other hand ... you are still using the imperial system, so maybe even thieves are technologically impaired there :)

SOLUTION : @elonmusk (surely won't be reading this)
Tesla, being the cleaver headed company it is, should be the first to implement a time-of-flight check like this:
The method below verifies the time-of-flight for actual proximity, and won't be susceptible to relay or replay attacks:

0-CAR broadcasts for FOB response (FOB only transmits when near car)
1-FOB responds
2-CAR: Sends the FOB a cryptographic challenge (and stores the nanosecond count when the transmit buffer were emptied):
3-FOB: right after receiving the last bit of that message, transmit a 32bit timestamp.
4-CAR: measures the time from it's transmission to the first byte of this "timestamp" (subtracting a FOB's internal delay too)
5-CAR: if CAR-FOB communication timestamps happened up to 3 nanoseconds apart, the owner is ~9m away. if that is within limit: proceed:
6-FOB: encrypt a response to the challenge+"timestamp" , send it.
7-CAR: verify timestamp" time for sanity , if step "5" indicated closer proximity then preset x meters, accept fob command/proxmimity action.

It's most likely that this would require a FOB & FOB receiver upgrade.. unless they can do that magic by firmware upgrade of the microcontrollers in-car and only new FOB is needed... but hey, Tesla would be the first company to solve it !
 

E-Ryc

Member
Jun 6, 2018
154
131
Prague, CZ (EU)
They probably use standard OEM components so there is (most probably) no easy solution w/o hardware change. And as the future is in phone and Bluetooth (which may be even more vulnerable by this type of attack), I wouldn't put too much hope in it,
 

f205v

Member
May 12, 2018
649
769
Tessin, Switzerland
Very interesting read!
I disabled my PE today, getting scared by the first post, but then I asked myself: is there a keyfob pouch with Faraday's cage that you can suggest?
Thanks in advance for your suggestions.
 

J1mbo

Active Member
Aug 20, 2013
1,609
1,459
UK
IMO there should be an option to keep PE on, but force the owner to present the key to the built-in RFID reader in the cabin (below the 12V socket) before the car will start. The fobs were not designed for heavy use of the buttons.
 

ShockOnT

⚡️⚡️⚡️⚡️⚡️
Jun 26, 2016
3,411
3,197
Sydney
As far as we’ve seen (anyone?) this email has appeared only in Europe and other places where this attack has occurred. I don’t think it’s been seen in the continental US.

As for disabling Passive Entry, definitely anyone can do so and see if the peace of mind is worth the extra inconvenience.

Another option is as mentioned to keep keys in a faraday bag at home so drive bys can’t capture the signal. (Depends how busy your home road is, of course!).

Sorry to hear the practice has reached your area!
The problem with the faraday cage is that fishing the fob out of a pouch is the same inconvenience level as just clicking the fob.
I’d just switch off passive entry and get used to clicking.
This will change if/when Tesla implements phone-as-key for Model S and X. I would guess this system requires an encrypted handshake which is something a relay can’t do (or at least would require two relays).
And lastly, the reason this hack is only in Europe is that the US doesn’t have a landbridge to Albania/Bulgaria/Ukraine etc etc.
 

Products we're discussing on TMC...

About Us

Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.

Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


SUPPORT TMC
Top