Welcome to Tesla Motors Club

Technical question re Bluetooth

A question for the technical experts:

I know from experience that my Android phone will show that it is connected to my M3P from, very roughly, 7 or 8 metres away. I also know that I wouldn't be able to unlock the car with the phone until it's physically much closer than that. My question is - given that the car only knows that the phone is connected, how does it detect proximity? Is it simply a question of Bluetooth signal strength?
 

NorfolkMustard

Active Member
Apr 18, 2019
2,230
2,224
M3P w/FSD
I've seen it make two connections: one to "Tesla Model 3", which is for the phone/music sharing, and another to a unique ID. I think it's this second one which is used for authentication. They may also do what Apple do for the Apple Watch unlocking a MacBook and use time-in-flight checks for the signal.
 

98dizzard

Member
Nov 24, 2020
74
39
England
Indeed, my thought too!
I don't know if Bluetooth has any mitigation against relay attacks, I suspect not. It's only a matter of time before the thieves find a way to do it though if it's vulnerable. Most car thefts in my area are now relay thefts of keyless entry cars, and I can't keep my phone in a Faraday bag.

Sure I can turn off Bluetooth, but then I can't use my phone for Bluetooth headphones etc... at home. Pin to drive will help, but that's a loss of convenience and they still get access to strip the interior, which is also a big issue.
 

Watts_Up

Active Member
Mar 4, 2019
3,855
2,815
In a galaxy far, far away
I don't know if Bluetooth has any mitigation against relay attacks, I suspect not. It's only a matter of time before the thieves find a way to do it though if it's vulnerable. Most car thefts in my area are now relay thefts of keyless entry cars, and I can't keep my phone in a Faraday bag.

Sure I can turn off Bluetooth, but then I can't use my phone for Bluetooth headphones etc... at home. Pin to drive will help, but that's a loss of convenience and they still get access to strip the interior, which is also a big issue.
You can set the PIN to drive, but this might not be practical to use all the time?
I still feel strange when using the voice command "Open the Glove Box" and have to use the screen to enter a PIN number.

I wonder if using a fob instead of a phone would be less vulnerable, but at least you could more easily put the fob in an RFID protected pouch.

I have a Blackvue dashcam connected to the cloud, so I get an alert when the car wakes up,
or if there is some motion detection when the dashcam is running when the Sentry Mode is on.
 

jmaddr

Active Member
Mar 29, 2019
1,071
1,071
Florida
I would be worried about Bluetooth security (much). It’s like being worried about https security or your VPN security. It can use AES or ECSHE for encryption. It’s an established protocol which will be difficult to crack and once (if) it is, then the protocol should be patchable. Now, I don’t know Tesla’s specific implementation but I would think they used the highest possible for the key lock function. Could it be hacked? Potentially, but hacks usually involve insanely powerful computers which need time and high dollar to operate or physical access to the keys (in your phone and in the car) to circumvent.

Using a traditional RF fob is certainly more vulnerable but I have no idea what protocols the Tesla Model 3/Y (and the one for the X/S as they are different) use.

Now for the proximity feature, remember Tesla is likely measuring the RSSI of an “authenticated” key fob. So for a hacker to spoof the key, they would have to authenticate to the car first, and then get close enough to open the door. Second, RSSI is entirely up to the chip manufacturer and why iPhones have a stable operation as RSSI is easily tested to work well with different iOS settings. Androids have a ton of different chip manufacturers and Tesla has to set what RSSI level to unlock the car - which may be a different level depending on what chip they use. Couple that with OS and device Bluetooth settings and consistency gets more difficult.

I believe it’s much more secure than RF key fobs with proprietary implementations.

If you want to geek out, check:
Understanding Bluetooth Security
 

98dizzard

Member
Nov 24, 2020
74
39
England
The issue with RSSI, it doesn't matter what encryption you use, it's susceptible to a relay attack. All it needs is a box in between the car and the key/phone that is amplifying the signals. It's not the same as key cloning, it doesn't care what data is being transmitted, it just amplifies it so the two think they are closer to each other than they are. Relay attacks are by far the most common theft method here.

For now relay attacks have been limited to 433 MHz, but I'm sure it can be adapted to find the right 2.4 GHz band for Bluetooth.

If it does become an issue and can be fixed with software, then Tesla have been quite good at pushing fixes for similar vulnerabilities on the S and X. I'm not massively concerned, as I've not seen any evidence of this actually being used, or even being possible in this instance. But it would be nice to understand if they have specific mitigations against relay type attacks.
 
Last edited:
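The point argued in the posts above, that an RSSI threshold measures signal strength rather than distance while a time-of-flight check bounds distance, can be shown with a small model. This is an added example, not part of any post and not Tesla's implementation: the path-loss constants, unlock threshold, key turnaround time and relay figures are all constructed assumptions, and the key's reply delay is assumed fixed and known to the car.

```python
import math

C = 299_792_458.0                 # speed of light, m/s
RSSI_AT_1M_DBM = -59.0            # assumed calibration value (constructed)
PATH_LOSS_EXP = 2.5               # assumed path-loss exponent (constructed)
UNLOCK_RSSI_DBM = -70.0           # hypothetical unlock threshold
MAX_UNLOCK_DISTANCE_M = 2.0       # hypothetical time-of-flight limit
KEY_TURNAROUND_S = 150e-6         # assumed fixed, known reply delay of the key

def rssi_at(distance_m, relay_gain_db=0.0):
    """Log-distance path-loss model; an amplifying relay is modelled as added gain."""
    return RSSI_AT_1M_DBM - 10 * PATH_LOSS_EXP * math.log10(distance_m) + relay_gain_db

def rssi_distance_estimate(rssi_dbm):
    """Distance a receiver would infer from signal strength alone."""
    return 10 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))

def round_trip_time(distance_m, relay_delay_s=0.0):
    """Challenge/response time: two propagation legs, key turnaround, relay latency."""
    return 2 * distance_m / C + KEY_TURNAROUND_S + relay_delay_s

def rtt_distance_bound(rtt_s):
    """Upper bound on distance; added delay can only make the key look farther away."""
    return max(0.0, (rtt_s - KEY_TURNAROUND_S) * C / 2)

def evaluate(distance_m, relay_gain_db=0.0, relay_delay_s=0.0):
    """Compare an RSSI-only unlock decision with one that also bounds round-trip time."""
    rssi = rssi_at(distance_m, relay_gain_db)
    bound = rtt_distance_bound(round_trip_time(distance_m, relay_delay_s))
    rssi_ok = rssi >= UNLOCK_RSSI_DBM
    return {
        "rssi_dbm": round(rssi, 1),
        "rssi_distance_m": round(rssi_distance_estimate(rssi), 2),
        "rtt_bound_m": round(bound, 2),
        "unlock_rssi_only": rssi_ok,
        "unlock_with_rtt": rssi_ok and bound <= MAX_UNLOCK_DISTANCE_M,
    }

SCENARIOS = {  # constructed inputs
    "owner at door (1 m)": evaluate(1.0),
    "phone in house (8 m)": evaluate(8.0),
    "8 m, amplified +30 dB, 1 us relay latency": evaluate(8.0, 30.0, 1e-6),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(name, result)
```

In the amplified case the signal-strength estimate drops to about half a metre, while the round-trip bound grows to roughly 158 m because a relay can add delay but cannot remove it.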

NewbieT

Active Member
Aug 16, 2019
1,289
895
North West
A few thoughts:

Most people don’t use headphones when asleep. Apple shortcuts can turn off Bluetooth at night and on again in the morning. Works for me - you can’t relay if there is no signal to relay.

The Bluetooth range is quite far: 10 m through a brick wall.

Your NFC keycards also want protection if you’re concerned about relay attacks.
 
I don't know if Bluetooth has any mitigation against relay attacks, I suspect not. It's only a matter of time before the thieves find a way to do it though if it's vulnerable. Most car thefts in my area are now relay thefts of keyless entry cars, and I can't keep my phone in a Faraday bag.

Sure I can turn off Bluetooth, but then I can't use my phone for Bluetooth headphones etc... at home. Pin to drive will help, but that's a loss of convenience and they still get access to strip the interior, which is also a big issue.
Surely you only have to deregister your phone as a car key?
 

GRiLLA

Active Member
Jul 5, 2020
1,125
1,178
UK
The Model 3 Keyfob has a motion sensor, so stops offering to connect when it's stationary.

The Tesla iPhone app does have additional mitigations that I haven't seen anyone thoroughly document. There seems to be some kind of GPS related element. It's also easy to demo that it shows connection from some distance, but then the doors remain locked until you are nearer, and we've seen this behaviour is inconsistent on some Android phones. My phone shows connected from within the house, but I can't open the doors.

In addition for both there is no known relay ability for Bluetooth, and I've seen no reports about Model 3 being stolen in relay attacks. Yes that might change in the future. Setting pin to drive is a sensible precaution for everyone, solves many risks.

Model X and Y use a different type of RF key, and in the past had significant amounts of theft through relay attacks.
 
