Switch off "Passive Entry" NOW!!

[PW.S75D]

I have twice now had my car opened by what is probably a "relay attack".
Both times i returned to the car (2017 Model S) to find the courtesy lights on and the door handles presented.
As it was night time in both cases in an unlit car park area i could it from probably 60 Metres away.
Tesla seems to think it is ok as other manufactures cars suffer from the same attacks.
I don't know if other owners received this email from Tesla, so if you did not here is a copy:-

We would like to share some tips for ensuring the safety of your Tesla. When enabled, our Passive Entry setting will automatically unlock the doors of your Model S when you approach it with your key. Relay attacks, a type of vehicle break-in that can be targeted at vehicles from many manufacturers including Tesla, allows an attacker to transmit a signal from your key in one location to your car in another location, thereby creating the potential for unauthorised access and entry.
You can decrease the likelihood of unauthorised entry by disabling Passive Entry when parked in public spaces or storing your key in a holder which blocks electromagnetic transmissions, such as a RFID-blocking sleeve or Faraday cage.
To disable Passive Entry, touch Controls > Settings > Doors & Locks > Passive Entry > OFF. Please note that you must press the brake pedal to power Model S on before you can change this setting.

 

[boaterva]

As far as we’ve seen (anyone?) this email has appeared only in Europe and other places where this attack has occurred. I don’t think it’s been seen in the continental US.

As for disabling Passive Entry, definitely anyone can do so and see if the peace of mind is worth the extra inconvenience.

Another option is as mentioned to keep keys in a faraday bag at home so drive bys can’t capture the signal. (Depends how busy your home road is, of course!).

Sorry to hear the practice has reached your area!

 

[widodh]

In Europe this is very, very, very common indeed. Even Tesla owner I meet I advise them to turn it off.

It's a matter of time before this reaches the US and Model S/X are stolen using this attack. So please, indeed, turn it OFF!

 

[E-Ryc]

@PW.S75D Why would anyone open the car twice and do/steal nothing? Not mentioning that once the fob is no longer "nearby" the car locks again. I'd guess that either someone uses 433MHz range extender nearby for some other purpose (and your car unlocked is just side effect) or there are some exceptional conditions and for works from longer distance than usual.

 

[JeroenNL]

I have had something similar twice already. In both cases, it turned out I hadn't fully closed one of the doors and the car simply hadn't locked itself. I'm not trying to downplay the risk of the relay attack, but I find it highly unlikely that someone opened the doors and then did nothing...

 

[J1mbo]

60 meters does seem quite a distance for a relay attack, most I've seen online are maybe 5-10meters between the two pieces of equipment.

I wonder if someone's running a good old fashioned jammer in that car park. This just prevents the car from being locked when you click the button. Many people don't check that their car has locked once they click the remote, and that means the miscreants can rummage through unlocked cars for loot without setting off any alarms.

Just make sure you have walk-away locking enabled and PE disabled.

 

[boaterva]

Also not downplaying, I also did this once. Closed my driver’s door all the way but not quite. And from there the power close won’t work. And you can’t do it remotely. Eek! I saw the door open on Remote S later and rushed back and it was open about an inch.

Allen has a wish list entry from me for some sort of notification setting in the app for this.

But for OP’s being one or the other, your own risk tolerance will have to decide whether you disable PE or not.

 

[boaterva]

60 meters does seem quite a distance for a relay attack, most I've seen online are maybe 5-10meters between the two pieces of equipment.

I wonder if someone's running a good old fashioned jammer in that car park. This just prevents the car from being locked when you click the button. Many people don't check that their car has locked once they click the remote, and that means the miscreants can rummage through unlocked cars for loot without setting off any alarms.

Just make sure you have walk-away locking enabled and PE disabled.

Btw this is why we want the walkaway lock sound added to the S and X as well as the 3!

 

[Joe F]

Out of an abundance of caution, I have had PE disabled since this issue first surfaced. Annoying, especially once in the S and sometimes have to use the fob to unlock before starting and have to unbuckle and dig it out of my pocket. Perhaps worth the peace of mind though if this ever becomes a thing in the USA.

One funny episode: Had to drop the car off for its yearly State Inspection (read money grab) and watch as the mechanic tried to unlock the car by repeatedly waving the fob at the B pillar. Had a good chuckle out of that, and had to go out and show him how to unlock it.

 

[.jg.]

I was under the impression that update 2018.18 changed the default setting of Passive Entry to OFF (but it can be re-enabled in settings).

I too would like a sound to confirm that the car is locked when you walk away (ideally, the sound should be programmable).

 

[PW.S75D]

I always check that the car locks with walk away locking selected, because i do not trust it.
It can sometimes be annoying because i have to stop walking, If not i will be loosing sight of the car before it locks.
So both times it was defiantly locked.

 

[ABC2D]

I choose to keep PE on for its convenience but to prevent relay attack, I keep my fob in a faraday pouch at home

 

[Need]

I always check that the car locks with walk away locking selected, because i do not trust it.
It can sometimes be annoying because i have to stop walking, If not i will be loosing sight of the car before it locks.
So both times it was defiantly locked.

But if someone uses this method to unlock your car and got in to steal stuff, the car would not have stayed unlock when you got back. Once they left, the car locked back up itself.

Here in the US, thieves use a more primitive method... smash and grab. No need to fiddle with technology.

 

[Ande]

As far as we’ve seen (anyone?) this email has appeared only in Europe and other places where this attack has occurred. I don’t think it’s been seen in the continental US.

Unless US is kind of technologically impaired, it's going on in US too, ... on the other hand ... you are still using the imperial system, so maybe even thieves are technologically impaired there

SOLUTION : @elonmusk (surely won't be reading this)
Tesla, being the cleaver headed company it is, should be the first to implement a time-of-flight check like this:
The method below verifies the time-of-flight for actual proximity, and won't be susceptible to relay or replay attacks:

0-CAR broadcasts for FOB response (FOB only transmits when near car)
1-FOB responds
2-CAR: Sends the FOB a cryptographic challenge (and stores the nanosecond count when the transmit buffer were emptied):
3-FOB: right after receiving the last bit of that message, transmit a 32bit timestamp.
4-CAR: measures the time from it's transmission to the first byte of this "timestamp" (subtracting a FOB's internal delay too)
5-CAR: if CAR-FOB communication timestamps happened up to 3 nanoseconds apart, the owner is ~9m away. if that is within limit: proceed:
6-FOB: encrypt a response to the challenge+"timestamp" , send it.
7-CAR: verify timestamp" time for sanity , if step "5" indicated closer proximity then preset x meters, accept fob command/proxmimity action.

It's most likely that this would require a FOB & FOB receiver upgrade.. unless they can do that magic by firmware upgrade of the microcontrollers in-car and only new FOB is needed... but hey, Tesla would be the first company to solve it !

 

[E-Ryc]

They probably use standard OEM components so there is (most probably) no easy solution w/o hardware change. And as the future is in phone and Bluetooth (which may be even more vulnerable by this type of attack), I wouldn't put too much hope in it,

 

[SpudLime]

... you are still using the imperial system, so maybe even thieves are technologically impaired there

AHEM, those are called MURRICA units!

 

[f205v]

Very interesting read!
I disabled my PE today, getting scared by the first post, but then I asked myself: is there a keyfob pouch with Faraday's cage that you can suggest?
Thanks in advance for your suggestions.

 

[ABC2D]

Very interesting read!
I disabled my PE today, getting scared by the first post, but then I asked myself: is there a keyfob pouch with Faraday's cage that you can suggest?
Thanks in advance for your suggestions.

I am using this one https://www.amazon.com/gp/product/B072LT73RP?tag=tmc064-20

 

[J1mbo]

IMO there should be an option to keep PE on, but force the owner to present the key to the built-in RFID reader in the cabin (below the 12V socket) before the car will start. The fobs were not designed for heavy use of the buttons.

 

[Shock-On-T]

As far as we’ve seen (anyone?) this email has appeared only in Europe and other places where this attack has occurred. I don’t think it’s been seen in the continental US.

As for disabling Passive Entry, definitely anyone can do so and see if the peace of mind is worth the extra inconvenience.

Another option is as mentioned to keep keys in a faraday bag at home so drive bys can’t capture the signal. (Depends how busy your home road is, of course!).

Sorry to hear the practice has reached your area!

The problem with the faraday cage is that fishing the fob out of a pouch is the same inconvenience level as just clicking the fob.
I’d just switch off passive entry and get used to clicking.
This will change if/when Tesla implements phone-as-key for Model S and X. I would guess this system requires an encrypted handshake which is something a relay can’t do (or at least would require two relays).
And lastly, the reason this hack is only in Europe is that the US doesn’t have a landbridge to Albania/Bulgaria/Ukraine etc etc.