
Tesla Model S Can Be Stolen in Seconds by Cloning Its Key Fob - rubenbe
https://www.esat.kuleuven.be/cosic/fast-furious-and-insecure-passive-keyless-entry-and-start-in-modern-supercars/
======
lathiat
A couple of relevant tweets from one of the authors on Twitter:

"Tesla responded to this by upgrading key fobs’ encryption in June and adding
an optional PIN to cars last month. If your Model S is older than June, you
can get a new key fob, turn on a PIN, or disable passive (no-click) unlocking"
[https://twitter.com/a_greenberg/status/1039202487822106624](https://twitter.com/a_greenberg/status/1039202487822106624)

"Just one more thing. Everybody is making fun of Tesla for using a 40-bit key
(and rightly so). But Tesla at least had a mechanism we could report to and
fixed the problem once informed. @McLarenAuto, @KarmaAutomotive, and
@UKTriumph use the same system and ignored us."
[https://twitter.com/TomerAshur/status/1039245324441792513](https://twitter.com/TomerAshur/status/1039245324441792513)

------
lathiat
Most keyless systems are insecure in several other ways to a surprising degree
for this decade.

Even in more recent years, most of them seemingly do not implement

(1) Time of flight checks, e.g. that a radio relay isn't being used to get to
the keyfob many more meters away in the house using a relay/amplifier. This is
a commonly exploited theft method currently. The Apple Watch implements this
to unlock your MacBook Pro(!) This has also been shown to be a viable attack
method on many contactless payment terminals.

(2) Replay protection - another possible common attack is to receive the
rolling code from transmitter, jam it so the car can't hear it and wait for
the remote to transmit a second one. Then you jam that also, store that code,
but then re-transmit the first code and the car unlocks and now you have a
second code to use to unlock the car later. It's possible to both receive and
jam the code by using a very precise tuned receiver, and jam in the
surrounding the frequencies which in most cases the actual receiver (e.g. car)
won't have filtered out. This works particularly well on most garage doors.

(3) Let alone having some kind of recoverable/brute-forcible ID scheme, which
as we can see here, is also true. I'm sure these aren't the only ones.

It's kind of silly really. I'd be curious to know if any manufacturers have
been fixing this in the last couple of years.
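
The jam-and-replay attack described in (2) above, as an added example that is not part of the thread or the linked paper: a toy rolling-code remote and receiver in Python. The 32-bit counter, the 4-byte HMAC-SHA256 tag and the 16-code acceptance window are assumptions made for the simulation; a real fob uses a proprietary block cipher rather than HMAC.

```python
"""Added example (not from the linked paper or any vendor): simulation of the
jam-and-replay attack on a rolling-code remote. Frame format, counter width,
tag and acceptance window are illustrative assumptions."""
import hashlib
import hmac

WINDOW = 16  # receiver accepts counters up to 16 ahead of the last seen one (assumption)


def _tag(key: bytes, counter: int) -> bytes:
    """Authentication tag over the counter (HMAC stands in for the fob's cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Remote:
    """The owner's fob: every press emits counter || tag and advances the counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(4, "big") + _tag(self.key, self.counter)


class Receiver:
    """The car or garage: accepts a frame only if the tag verifies and the
    counter is strictly ahead of the last accepted one, within WINDOW."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame[4:], _tag(self.key, counter)):
            return False
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # already used, or too far ahead
        self.last_counter = counter
        return True


def plain_replay(remote: Remote, receiver: Receiver) -> bool:
    """What the rolling code does stop: record one press, replay it later."""
    frame = remote.press()
    receiver.receive(frame)         # legitimate press reaches the receiver
    return receiver.receive(frame)  # replay of a used counter is rejected


def jam_and_replay(remote: Remote, receiver: Receiver) -> bool:
    """What it does not stop. The attacker jams the receiver while recording the
    owner's presses, then replays the older code so the owner sees the lock
    open, and keeps the newer, still-unused code for later."""
    first = remote.press()   # jammed: receiver never sees it, attacker records it
    second = remote.press()  # owner presses again: jammed and recorded as well
    # Attacker stops jamming and replays the first code. The receiver has not
    # seen that counter yet, so it is fresh and inside the window.
    opened_for_owner = receiver.receive(first)
    # Later, with the owner gone, the second code is still ahead of the receiver.
    opened_for_attacker = receiver.receive(second)
    return opened_for_owner and opened_for_attacker


def demo() -> dict:
    key = b"\x00" * 16  # constructed shared key
    return {
        "plain_replay_accepted": plain_replay(Remote(key), Receiver(key)),
        "jam_and_replay_accepted": jam_and_replay(Remote(key), Receiver(key)),
    }


if __name__ == "__main__":
    print(demo())
```

The acceptance window exists so that a fob pressed out of range can resynchronise with the receiver; it is also exactly the tolerance the attack lives in, because from the receiver's side a jammed press and an out-of-range press look the same.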

~~~
cjrp
> Time of flight checks, e.g. that a radio relay isn't being used to get to
> the keyfob many more meters away in the house using a relay/amplifier.

That one's surprising. What's to stop someone following you into a supermarket
after you've parked your Porsche, standing next to you with a relay device
transmitting via the cell network, and someone else in the car park with the
equivalent receiver/relay?

------
perilunar
Not just Model S:

"We have only been able to verify our attack on a Tesla Model S in practice.
However, Tesla did not design this system themselves but purchased it from
Pektron. ... Pektron also designed keyless entry solutions for manufacturers
such as McLaren, Karma and Triumph. ... This leads us to believe that the
attack described here also affects the other manufacturers."

~~~
slivym
It seems odd to make that claim about other companies without actually
checking. It could be true, but it also wouldn't surprise me at all if Tesla
were cutting corners here in a way that McLaren doesn't for the really obvious
reason that they're selling £185k cars, not £70k cars.

------
walrus01
Oh dear. Seriously, 24-bit and 40-bit crypto of any variety?

Was it really so hard in the year 2013 to put at least a 128-bit AES key in
the card?

With a sufficient directional panel antenna you could impersonate a car and
query pocketed fobs in whole crowds of somewhat wealthy individuals. Aim the
antenna and rig at the seating area of a trade show for middle/upper
management types in the technology industry, for instance.

~~~
tropo
The obvious choice is to sort of skip the crypto entirely. The key fob can
hold more than enough 128-bit random numbers to last the life of the car.
Think about how much we can put on a little USB device these days. Cross off
codes as they are used. This only requires a 1-way signal and a transmit
button.

If the car can just ask for a code, without a button being pressed, then you
have the problem of a foe tunneling the keyfob signal over a long-distance
repeater link. Dealing with that requires timing measurements to measure the
distance that the signal has traveled.

~~~
FullyFunctional
Exactly (the last part). There's a fundamental weakness here. Fixing the
obvious weakness in the single sided authentication and weak crypto isn't
enough to fundamentally solve it. Not sure there's _any_ way to fully make
this secure. AFAIK, Model 3 doesn't have this feature & vulnerability.

~~~
tropo
Proposal for expensive cars that don't require a button press:

The key fob and car contain identical pre-shared random data. (could be
gigabytes) Each transaction uses 4 tokens, 2 going in each direction, with
each token being 128 bits.

Upon a button press, the key fob selects and destroys the next 1-time-use
token it contains. It begins to transmit.

First the key fob sends a token. The car must respond with the correct token,
which is checked by the key fob. Failure causes radio silence. After a few
padding bits to allow for that checking, the car sends another token. The key
fob XORs this one with the key fob's second token, which is then transmitted.
The car takes note of the latency.

Each 100 ns delay (a single bit at 10 megabit/second) is worth about 30 meters
at the speed of light. The car can use this to exclude key fobs that are
excessively distant.

Now consider the repeater attack. The key fob is somehow mistakenly activated.
The attacker forwards the signal over a microwave relay to the car, and does
likewise for the signal going back to the key fob. Responses arrive late,
causing rejection.

You don't much need crypto here. It's just XOR with a 1-time pad. Cheaper cars
should just do that alone, with 1-way transmission. Expensive cars should do
2-way and measure the timing, but they don't need fancier crypto.
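
The four-token exchange and latency check proposed above, as an added Python simulation that is not tropo's code and not from the paper. The 128-bit tokens, the 5 m range budget, the fixed 200 ns fob turnaround and the 8-transaction resync window are assumptions; the radio channel is modelled only by its one-way delay, with a relay represented as extra path length plus added electronics latency.

```python
"""Added example (not tropo's code, not from the paper): the one-time-pad,
two-round unlock exchange with the car timing the last round. Token size,
range budget, fob turnaround and resync window are assumptions."""
import secrets

C_M_PER_NS = 0.3          # radio propagates about 0.3 m per nanosecond
MAX_RANGE_M = 5.0         # farthest fob the car should accept (assumption)
FOB_TURNAROUND_NS = 200   # fob's fixed processing time, budgeted by the car (assumption)
RESYNC_WINDOW = 8         # transactions the car will skip forward to resync (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(transactions: int) -> list:
    """Pre-shared random data: 4 one-time 128-bit tokens per transaction."""
    return [secrets.token_bytes(16) for _ in range(4 * transactions)]


class Fob:
    def __init__(self, pad: list) -> None:
        self.pad, self.pos, self.t = list(pad), 0, None

    def begin(self) -> bytes:
        """Button press: take (and burn) the next 4 tokens, send the first."""
        self.t = self.pad[self.pos:self.pos + 4]
        self.pos += 4
        return self.t[0]

    def respond(self, t2: bytes, t3: bytes):
        """Stay silent unless the car proved it holds the pad; else send t3 XOR t4."""
        if not secrets.compare_digest(t2, self.t[1]):
            return None
        return xor(t3, self.t[3])


class Car:
    def __init__(self, pad: list) -> None:
        self.pad, self.pos, self.t = list(pad), 0, None
        # round trip for a fob at MAX_RANGE_M plus the fob's own processing
        self.max_rtt_ns = 2 * MAX_RANGE_M / C_M_PER_NS + FOB_TURNAROUND_NS

    def challenge(self, t1: bytes):
        """Match t1 against the next few unused transactions; return (t2, t3) or None."""
        for k in range(RESYNC_WINDOW):
            i = self.pos + 4 * k
            if i + 4 <= len(self.pad) and secrets.compare_digest(t1, self.pad[i]):
                self.t = self.pad[i:i + 4]
                self.pos = i + 4  # everything before this point is burned
                return self.t[1], self.t[2]
        return None  # unknown or already-used token: radio silence

    def verify(self, reply, rtt_ns: float) -> bool:
        if reply is None or not secrets.compare_digest(reply, xor(self.t[2], self.t[3])):
            return False
        return rtt_ns <= self.max_rtt_ns  # late but correct means a relay or a far fob


def transaction(fob: Fob, car: Car, distance_m: float, relay_extra_ns: float = 0.0) -> bool:
    """One unlock attempt over a channel with the given one-way path length.
    relay_extra_ns models the added latency of relay/amplifier electronics."""
    one_way_ns = distance_m / C_M_PER_NS + relay_extra_ns
    ch = car.challenge(fob.begin())
    if ch is None:
        return False
    t2, t3 = ch
    reply = fob.respond(t2, t3)
    # The car starts its timer when t3 leaves the antenna; the reply lands after
    # two path delays plus the fob's processing time.
    rtt_ns = 2 * one_way_ns + FOB_TURNAROUND_NS
    return car.verify(reply, rtt_ns)


def demo() -> dict:
    pad = make_pad(16)
    fob, car = Fob(pad), Car(pad)
    results = {"fob_in_hand_3m": transaction(fob, car, 3.0)}
    # Replay: an attacker re-sends the first transaction's t1; it is already burned.
    results["replayed_t1_rejected"] = car.challenge(pad[0]) is None
    # Relay: fob 30 m away in the house plus 500 ns of relay electronics each way.
    results["relayed_30m"] = transaction(fob, car, 30.0, relay_extra_ns=500.0)
    # Even a zero-latency relay fails: 30 m of extra path is about 100 ns each way.
    results["zero_latency_relay_30m"] = transaction(fob, car, 30.0)
    results["fob_in_hand_1m"] = transaction(fob, car, 1.0)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>24}: {'unlock' if ok else 'reject'}")
```

The threshold is not simply 2 × range / c: the car has to budget for the fob's own processing time, and any jitter in that turnaround eats directly into the distance resolution, which is the hard part of building this in real hardware.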

~~~
walrus01
This is not a bad idea but I can think of two problems in real world
execution:

a) Car companies won't want to hand out fobs that have any sort of writable
memory, takes battery, and risks write memory wearout. Never seen a fob or
smartcard that has memory which is written with every individual transaction.
Having the fob do a computation on every transaction means it will need a lot
more battery (in Wh per year) compared to a regular remote-unlock key fob for
an ordinary passenger car.

b) High precision RF travel/distance timing, onboard computer system in the
car capable of reliably determining to within 100ns timing interval, taking
into account randomness in the real world environment such as reflections from
nearby low-e glass windows, metal structures, and such, may not be cheap or
easy to implement.

~~~
Slartie
> Never seen a fob or smartcard that has memory which is written with every
> individual transaction.

Actually every SIM card does this. At least when used by a phone to join a
mobile network, a SIM writes some timestamp or counter to persistent internal
memory. This caused a funny case of SIM cards with very limited lifetime for a
German provider (I think it was Congstar), who had a problem in its network
that caused frequent authentications of handsets, thereby having them chew
through the write cycles of their SIM cards way faster than projected for
normal use. The cards became "dead" afterwards.

If I remember correctly, all chip enabled payment cards also have a
transaction counter that is updated on every successful transaction.

------
Rebelgecko
There's no excuse in 2018 for using a 40-bit key. Hopefully Tesla gives its
customers the upgraded fobs for free.

~~~
craftyguy
These cars were made ~5 years ago, but there's still no excuse for using a
40-bit key (which is transformed into a 24-bit response, lol) ~5 years ago.

~~~
walrus01
There was really no excuse even in 2009, never mind 2013, if you were doing
some sort of proximity card public/private key crypto...

~~~
dchichkov
Actually, a very good excuse was provided precisely in 2009 -
[https://xkcd.com/538/](https://xkcd.com/538/)

~~~
walrus01
I don't disagree with the premise of that cartoon, but it's more about the
concept of putting full disk encryption on your laptop, crossing the border
into Uzbekistan, and then refusing to give up the password.

By that logic, anything that is protected by crypto, if you threaten the owner
with violence, it can be stolen from them. Which is just about everything on
earth, if you're willing to apply sufficient violence.

~~~
dchichkov
I was referring mostly to the concept of "A crypto nerd's imagination".

Seriously, it is unlikely someone would put the money and R&D effort required
to replicate the researcher's solution with the goal of stealing these camera
systems on the wheels that can be disabled remotely.

So I'd rather advocate for Tesla to continue using inexpensive and secure
enough solution to unlock doors. And focus their efforts on making the thing
actually safer, like not accelerating into and colliding with concrete
barriers.

~~~
walrus01
I can totally see people stealing Teslas, if you bring $100 worth of jamming
equipment with you, it won't be disabled remotely. The cellular frequencies
that a Tesla uses for M2M connections back to the mothership are not rocket
science to jam.

At least not before it's driven into a warehouse somewhere and cut apart to be
cannibalized for repair parts, then parts shipped overseas.

~~~
dchichkov
Repair parts for what? Who will purchase these?

~~~
hyperdimension
All the people who have been waiting for months+ for a body shop to find
Tesla-approved replacement parts, presumably.

------
village-idiot
I thought software was supposed to be Tesla's killer advantage. It seems like
they are doing a lot of amateur hour stuff on their vehicles.

------
beneTleilax
Yikes!

    0xFFFFFFFFFF :: 1,099,511,627,776

A 5 character password protects these vehicles.
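
Why a 40-bit key that answers with a 24-bit response is brute-forcible, as an added, scaled-down Python illustration serving both the 2^40 figure above and the "40-bit key transformed into a 24-bit response" remark earlier in the thread. This is not the researchers' code and the response function is a toy stand-in, not the cipher in the fob; it shows one standard approach, precomputing the whole key space for one chosen challenge and using a second captured pair to disambiguate. Key and response widths are cut to 20 and 12 bits (the same 16-bit gap as 40/24) so the table builds in a couple of seconds; the key, the challenges and the keyed hash are all constructed.

```python
"""Added example (not the researchers' code; the response function is a toy
stand-in): a scaled-down table attack on a small key that leaks only a short
response per challenge. Key, challenges and hash are constructed."""
import hashlib
from collections import defaultdict

KEY_BITS = 20   # stand-in for the 40-bit key
RESP_BITS = 12  # stand-in for the 24-bit response; same 16-bit gap as 40/24


def respond(key: int, challenge: bytes) -> int:
    """Toy challenge-response function (assumption, not the fob's cipher):
    keyed hash of the challenge truncated to RESP_BITS."""
    digest = hashlib.blake2s(challenge, key=key.to_bytes(8, "big"), digest_size=4).digest()
    return int.from_bytes(digest, "big") & ((1 << RESP_BITS) - 1)


def build_table(challenge: bytes) -> dict:
    """Precompute response -> [keys] for ONE fixed challenge over the whole key
    space. With the real parameters this loop runs 2**40 times (the
    1,099,511,627,776 quoted above); with a 128-bit key it is not buildable."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[respond(key, challenge)].append(key)
    return table


def recover_key(table: dict, pairs: list) -> set:
    """pairs[0] is (chosen_challenge, response) obtained by impersonating the
    car with the table's challenge; later pairs prune the candidates. A response
    leaks only RESP_BITS, so about 2**(KEY_BITS - RESP_BITS) keys survive the
    first lookup and a second pair is needed to pin the key down."""
    candidates = set(table.get(pairs[0][1], ()))
    for challenge, response in pairs[1:]:
        candidates = {k for k in candidates if respond(k, challenge) == response}
    return candidates


def demo() -> dict:
    true_key = 0x9A5C3             # the fob's secret (constructed, fits in 20 bits)
    chosen = b"\x01\x02\x03\x04"   # attacker's fixed challenge (constructed)
    second = b"\xaa\xbb\xcc\xdd"   # second challenge to disambiguate (constructed)
    table = build_table(chosen)
    # What an attacker records by querying the fob twice from a fake "car":
    pairs = [(chosen, respond(true_key, chosen)), (second, respond(true_key, second))]
    return {
        "true_key": true_key,
        "candidates_after_one_pair": len(table[pairs[0][1]]),
        "recovered": recover_key(table, pairs),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['candidates_after_one_pair']} candidates after one pair, "
          f"{len(r['recovered'])} after two; true key present: {r['true_key'] in r['recovered']}")
```

The table is built once per chosen challenge and reused against every fob the attacker can query, so the per-victim cost is two short radio exchanges and a lookup; that asymmetry, not raw brute-force speed, is what a 40-bit key space fails to resist.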

