
Technical question re Bluetooth

A question for the technical experts:

I know from experience that my Android phone will show that it is connected to my M3P from, very roughly, 7 or 8 metres away. I also know that I wouldn't be able to unlock the car with the phone until it's physically much closer than that. My question is: given that the car only knows that the phone is connected, how does it detect proximity? Is it simply a question of Bluetooth signal strength?
 
I've seen it make two connections: one to "Tesla Model 3", which is for the phone/music sharing, and another to a unique ID. I think it's this second one which is used for authentication. They may also do what Apple do for the Apple Watch unlocking a MacBook and use time-of-flight checks on the signal.
 
Indeed, my thought too!
I don't know if Bluetooth has any mitigation against relay attacks; I suspect not. It's only a matter of time before the thieves find a way to do it, though, if it's vulnerable. Most car thefts in my area are now relay thefts of keyless entry cars, and I can't keep my phone in a Faraday bag.

Sure, I can turn off Bluetooth, but then I can't use my phone for Bluetooth headphones etc. at home. PIN to Drive will help, but that's a loss of convenience, and they still get access to strip the interior, which is also a big issue.
 
I don't know if Bluetooth has any mitigation against relay attacks; I suspect not. It's only a matter of time before the thieves find a way to do it, though, if it's vulnerable. Most car thefts in my area are now relay thefts of keyless entry cars, and I can't keep my phone in a Faraday bag.

Sure, I can turn off Bluetooth, but then I can't use my phone for Bluetooth headphones etc. at home. PIN to Drive will help, but that's a loss of convenience, and they still get access to strip the interior, which is also a big issue.
You can set the PIN to Drive, but this might not be practical to use all the time?
I still feel strange when using the voice command "Open the Glove Box" and having to use the screen to enter a PIN.

I wonder if using a fob instead of a phone would be less vulnerable, but at least you could more easily put the fob in an RFID-protected pouch.

I have a Blackvue dashcam connected to the cloud, so I get an alert when the car wakes up,
or if there is motion detected while the dashcam is running with Sentry Mode on.
 
My guess is that it uses round-trip timing: how long does a challenge response take to be received after a request?

Signal strength is very unreliable, a phone in a pocket or bag for example.
 
I wouldn't be worried about Bluetooth security (much). It's like being worried about HTTPS security or your VPN security. It can use AES or ECDHE for encryption. It's an established protocol which will be difficult to crack, and once (if) it is, then the protocol should be patchable. Now, I don't know Tesla's specific implementation, but I would think they used the highest possible for the key lock function. Could it be hacked? Potentially, but hacks usually involve insanely powerful computers which need time and high dollar to operate, or physical access to the keys (in your phone and in the car) to circumvent.

Using a traditional RF fob is certainly more vulnerable but I have no idea what protocols the Tesla model 3/Y (and the one for the X/S as they are different) uses.

Now for the proximity feature, remember Tesla is likely measuring the RSSI of an “authenticated” key fob. So for a hacker to spoof the key, they would have to authenticate to the car first, and then get close enough to open the door. Second, RSSI is entirely up to the chip manufacturer and why iPhones have a stable operation as RSSI is easily tested to work well with different iOS settings. Androids have a ton of different chip manufacturers and Tesla has to set what RSSI level to unlock the car - which may be a different level depending on what chip they use. Couple that with OS and device Bluetooth settings and consistency gets more difficult.

I believe it’s much more secure than RF key fobs with proprietary implementations.

if you want to geek out, check:
Understanding Bluetooth Security
 
The issue with RSSI is that it doesn't matter what encryption you use; it's susceptible to a relay attack. All it needs is a box in between the car and the key/phone that is amplifying the signals. It's not the same as key cloning: it doesn't care what data is being transmitted, it just amplifies it so the two think they are closer to each other than they are. Relay attacks are by far the most common theft method here.

For now relay attacks have been limited to 433 MHz, but I'm sure it can be adapted to find the right 2.4 GHz band for Bluetooth.

If it does become an issue and can be fixed with software, then Tesla have been quite good at pushing fixes for similar vulnerabilities on the S and X. I'm not massively concerned, as I've not seen any evidence of this actually being used, or even being possible in this instance. But it would be nice to understand if they have specific mitigations against relay-type attacks.
 
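The two proximity policies argued over above (RSSI versus round-trip timing) and the relay described in the last post, as an added toy model. This is example code written for this page, not Tesla's implementation and not from any post in the thread; the transmit power, thresholds and relay latency are assumed numbers chosen to make the mechanism visible, and the free-space path-loss formula is an idealisation (real RSSI through a pocket or bag is far noisier, which is the earlier point). A relay that forwards bits faithfully cannot forge the HMAC challenge-response, so the crypto passes in every case; what it does is make the car hear a strong signal from its near-end box while the bits still have to cover the real distance plus the relay's electronics delay, which only the timing check notices.

```python
"""Toy model: authenticated phone-as-key, RSSI proximity vs round-trip timing,
and a signal relay. Added illustration, not Tesla code; all radio numbers are
assumptions, not measurements."""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from typing import Optional

C_M_PER_S = 299_792_458.0     # speed of light
FREQ_HZ = 2.4e9               # Bluetooth band
TX_POWER_DBM = 0.0            # assumed phone / relay transmit power
RSSI_UNLOCK_DBM = -55.0       # assumed threshold: roughly 5-6 m in free space at 0 dBm
PROCESSING_NS = 1_000.0       # assumed fixed turnaround time inside the phone
RTT_SLACK_NS = 100.0          # assumed slack: allows ~15 m of round-trip flight time


def free_space_rssi_dbm(distance_m: float) -> float:
    """Idealised free-space path loss at FREQ_HZ (about -40 dBm at 1 m)."""
    fspl_db = (20 * math.log10(distance_m) + 20 * math.log10(FREQ_HZ)
               + 20 * math.log10(4 * math.pi / C_M_PER_S))
    return TX_POWER_DBM - fspl_db


class PhoneKey:
    """Phone side: answers a fresh nonce with an HMAC over the paired secret."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


@dataclass
class Relay:
    """Two boxes: one `near_end_m` from the car, the other next to the phone.
    It forwards bits unchanged (cannot forge the HMAC) but adds latency."""
    near_end_m: float
    overhead_ns: float


@dataclass
class Channel:
    phone_distance_m: float        # true car-to-phone distance
    relay: Optional[Relay] = None


@dataclass
class Result:
    authenticated: bool
    rssi_dbm: float
    rtt_ns: float
    unlock_by_rssi: bool
    unlock_by_rtt: bool


def car_unlock_attempt(car_secret: bytes, phone: PhoneKey, ch: Channel) -> Result:
    """Car issues a nonce, checks the response, then applies the two proximity
    policies to the same exchange so they can be compared side by side."""
    nonce = os.urandom(16)
    response = phone.respond(nonce)                # passes through any relay unchanged
    expected = hmac.new(car_secret, nonce, hashlib.sha256).digest()
    authenticated = hmac.compare_digest(expected, response)

    if ch.relay is None:
        rssi = free_space_rssi_dbm(ch.phone_distance_m)
        extra_ns = 0.0
    else:
        # The car hears the relay's near box retransmitting from close by.
        rssi = free_space_rssi_dbm(ch.relay.near_end_m)
        extra_ns = ch.relay.overhead_ns
    # The bits must still cover the real distance there and back, plus relay delay.
    flight_ns = 2 * ch.phone_distance_m / C_M_PER_S * 1e9
    rtt = flight_ns + PROCESSING_NS + extra_ns

    return Result(
        authenticated=authenticated,
        rssi_dbm=rssi,
        rtt_ns=rtt,
        unlock_by_rssi=authenticated and rssi >= RSSI_UNLOCK_DBM,
        unlock_by_rtt=authenticated and rtt <= PROCESSING_NS + RTT_SLACK_NS,
    )


if __name__ == "__main__":
    secret = os.urandom(32)
    phone = PhoneKey(secret)
    scenarios = {
        "owner at 2 m": Channel(2.0),
        "owner at 30 m": Channel(30.0),
        "owner at 30 m, relay box 1 m from car": Channel(
            30.0, Relay(near_end_m=1.0, overhead_ns=50_000.0)),  # 50 us assumed
    }
    for name, ch in scenarios.items():
        r = car_unlock_attempt(secret, phone, ch)
        print(f"{name:40s} auth={r.authenticated} rssi={r.rssi_dbm:6.1f} dBm "
              f"rtt={r.rtt_ns:8.1f} ns unlock(RSSI)={r.unlock_by_rssi} "
              f"unlock(RTT)={r.unlock_by_rtt}")
```

Running it shows the relay case passing authentication and the RSSI check while failing the round-trip bound, exactly the gap the thread is circling. The caveat for practice: a phone's Bluetooth stack hands the app RSSI, not nanosecond flight times, so a bound this tight is what UWB ranging exists for rather than something a BLE app can implement by itself.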
A few thoughts:

Most people don’t use headphones when asleep. Apple shortcuts can turn off Bluetooth at night and on again in the morning. Works for me- you can’t relay if there is no signal to relay.

The Bluetooth range is quite far, 10 m through a brick wall.

Your NFC keycards also want protection if you’re concerned about relay attacks.
 
I don't know if Bluetooth has any mitigation against relay attacks; I suspect not. It's only a matter of time before the thieves find a way to do it, though, if it's vulnerable. Most car thefts in my area are now relay thefts of keyless entry cars, and I can't keep my phone in a Faraday bag.

Sure, I can turn off Bluetooth, but then I can't use my phone for Bluetooth headphones etc. at home. PIN to Drive will help, but that's a loss of convenience, and they still get access to strip the interior, which is also a big issue.
Surely you only have to deregister your phone as a car key?
 
The Model 3 Keyfob has a motion sensor, so stops offering to connect when it's stationary.

The Tesla iPhone app does have additional mitigations that I haven't seen anyone thoroughly document. There seems to be some kind of GPS related element. It's also easy to demo that it shows connection from some distance, but then the doors remain locked until you are nearer, and we've seen this behaviour is inconsistent on some Android phones. My phone shows connected from within the house, but I can't open the doors.

In addition, for both there is no known relay capability for Bluetooth, and I've seen no reports about the Model 3 being stolen in relay attacks. Yes, that might change in the future. Setting PIN to Drive is a sensible precaution for everyone; it solves many risks.

Model X and Y use a different type of RF key, and in the past had significant amounts of theft through relay attacks.
 
Your NFC keycards also want protection if you’re concerned about relay attacks.
NFC cards are passive devices (they have no power source), and only work when powered by a coil that has to be within a few mm to power the chip so it can respond to requests. So there is no relay attack possible because you can’t power the card remotely.