
Tesla gets stolen with keyfob hack on camera in seconds - bedros
https://electrek.co/2019/08/22/tesla-stolen-keyfob-hack-camera-how-to-prevent-it/
======
ladberg
Apple Watches can be used to unlock MacBooks and are immune to relay attacks
like these because the laptop only accepts signals with a small enough
roundtrip latency. Due to the speed of light, it's impossible to unlock it
from farther than a few feet away, even with a relay. Why don't key fobs do
the same thing? It must take more expensive radios/hardware, but I feel like
it would be worth it for a car like a Tesla.

~~~
panpanna
I don't think so. Amplification attacks with the right hardware add only a
negligible delay. At the same time the protocol is not constant time,
requiring some margin.

The main difference to the Tesla hack is that you don't keep your MacBook outside
the house at night. And thieves don't need to unlock it to steal it, they
just take it and leave.

~~~
new_realist
The BMW i3 is known to be immune to amplification attacks, so it can be done.

~~~
panpanna
Any idea how they do it?

~~~
hebetude
Nobody wants an i3 so no reason to build software to steal one.

------
m_eiman
I don't understand how anyone in a security role in the car industry can
accept a system like this that's been broken and abused for years. Is the
convenience of not having to push a button on the key fob as you approach the
car really worth the risk of having it stolen fairly easily?

~~~
codedokode
Car security systems have always been this unreliable. Earlier systems were
vulnerable to replay attacks or had weak encryption. I think they are made to
protect against a random person walking by, not a professional and well-equipped
attacker.

~~~
tomatocracy
Ultimately a professional can just turn up with a trailer and load the car
onto it if they are really determined. Deterring the more casual end of theft
is the right solution.

What’s happened is that the accessibility of the technology to undertake e.g.
replay or relay attacks has increased, so that’s now become a more casual theft
vector. It’s a cat and mouse game.

------
dagw
This was a headline in all the Swedish newspapers a few days ago. Apparently a
gang of car thieves has been sweeping through parts of the country and
stealing dozens of Teslas in a very short time span.

~~~
soup10
i think i saw that movie...

~~~
patrickreyesdev
The bus that couldn't slow down

------
dkaleta
When you unlock your Mac with an Apple Watch, the OS makes sure the watch is
actually close to it by measuring the time it takes the signal to travel
to the device. Why won't car manufacturers do that? Is there any reason?

[https://bgr.com/2016/06/27/macos-auto-unlock-security-apple-watch/](https://bgr.com/2016/06/27/macos-auto-unlock-security-apple-watch/)

~~~
Kiro
What prevents the thieves from just standing closer in that case?

~~~
icebraining
The signal still has to travel from the car to the authentic key; the thieves
are just amplifying the signal, they can't make it faster.

------
natch
Everyone commenting on this should be aware that Tesla has different
generations of keyfob technology. The Model 3 keyfobs for instance make a
different tradeoff with convenience versus security, being slightly less
convenient and way more secure. The car in the story was a Model S.

~~~
makomk
The main problem with the earlier Tesla keyfobs is that they used a
known-broken 40-bit encryption scheme that allowed them to simply be cloned by an
attacker. I'm not sure what they fixed other than upgrading the crypto to
something that wasn't horribly insecure. That's also the reason they
introduced the PIN feature.

------
retSava
While I really hate that this attack is even possible, a nice feature of a
car manufacturer that regularly and often updates the software/firmware is
this:

"In response to those attacks, Tesla started rolling out [...] If an owner
activates the “PIN to Drive” function [...] anyone entering the car will have
to know your PIN in order to be able to drive away."

And why wouldn't the car (all vulnerable cars) deactivate when, one minute
later (or X meters), it doesn't detect the key in the car? I.e. do a second poll of
the key.

~~~
tomatocracy
> And why wouldn't the car (all vulnerable cars) deactivate when, one minute
> later (or X meters), it doesn't detect the key in the car? I.e. do a second poll
> of the key

This has been a solved problem for some time in luxury/expensive vehicles.
Vehicle tracking systems detect if the car is moved without the tracking card
in it and silently inform their control centre of the fact, along with the
vehicle’s location. The control centre then calls the owner and verifies if it’s them.
Doing it this way has the advantage that if the driver is being threatened
(carjacking for example), it doesn’t put them at further risk.

~~~
dagw
At least in the recent case of Tesla thefts here in Sweden the car thieves
also blocked/disabled the GPS tracking before driving away so tracing the cars
was impossible.

------
jackvalentine
Why are cars with keyfobs like this designed to be able to keep driving when
the keyfob goes out of range?

~~~
dewey
Having to rely on some wireless connection to stay connected while driving
doesn’t sound like a good idea.

------
pontifier
Very interesting seeing how this attack is performed. I'd imagine that future
keyfobs would use a time of flight based system of call and response to
prevent this sort of thing.

~~~
sdflhasjd
Something like a gyro/accelerometer could ensure the keyfob is on a person,
and not just sitting on a table.

~~~
pontifier
Not a perfect solution.

Keys are sometimes set down in the vehicle before starting. A time based rule
(motion within last x) won't help because sitting in a non-running car is
something that happens often enough that keys not working would be a problem.

Also, someone could steal your car while you have your keys in your pocket
inside your house, or walking around a store.

------
fmajid
What I can’t believe is why the carmakers are not liable for the loss since
their locks use such piss-poor cryptography.

~~~
kiallmacinnes
To me, locks of any kind are just a deterrent; they aren't meant to be
impossible to circumvent, they're just meant to deter casual thieves.

Should Yale be responsible for all the stuff stolen from a house after someone
picks the lock? I don't think so.

~~~
Crosseye_Jack
Depends on how they advertise that lock imo.

If a lock manufacturer markets a lock as secure, giving it an 8 out of 10
rating, but that lock can be decoded without any tools in a very short period
of time, then I believe that the manufacturer should bear some responsibility.

But then again Master Lock still exists lol... Take the 174SSD for example.
Master Lock lists it for $38, so not a bargain basement lock. They say it’s
“best for” Residential Gates & Fences, Sheds, Workshops, Garages, Storage
Lockers, Tool Chests, Tool Boxes[0], the packaging boasts about its
security[1], and yet it can be quickly decoded without tools[2].

Now I’m sure the people on this site are aware of the quality of Master Lock,
but is your avg Joe walking into the hardware store? IMO there is a point
where, if your performance can’t back up your marketing, you become liable.

But in Tesla’s case I don’t think they market the security of their keyless
entry/start. I would say they are aware of the security risks of the tech, which
is why they released an OTA update that enables the need for a passcode to
start the car. The question for me then becomes: if Tesla were aware of this
risk and added a protection against it but didn’t advise customers of the
risks of keyless entry/start and the protections against it enough, could they
have at least a little liability? OTA cuts both ways: yes, it allows for easy
updating in the field, but it also provides a direct communication point with
your customer to be able to advise them of "such new information".

[0] [https://www.masterlock.com/personal-use/product/174SSD](https://www.masterlock.com/personal-use/product/174SSD)

[1] [https://imgur.com/a/iaffVut](https://imgur.com/a/iaffVut)

[2] [https://youtu.be/CTLY4b3sG9E](https://youtu.be/CTLY4b3sG9E)

EDIT: Cleared up some spelling (fucking auto correct). But I would also like
to make it clear that I wouldn't expect a lock manufacturer to always be
responsible for the items the lock is "protecting". For example: you put a
high security lock on your front door to protect your home; a burglar cases
your joint and, instead of picking the lock, which will take too much time, they
break a window and enter your home through that instead. The lock did its job,
so I couldn't hold the manufacturer responsible at all.

My gripe is when weak locks, or locks with known defects, are being sold to the
general public as "secure". If a car manufacturer said their car was safe in a
crash, giving themselves a high safety score, but it turned out that "safe"
meant that it was only deemed safe under lab conditions where the impact was at
exactly 55mph, but in the real world a defect meant it was hit and miss whether
the airbags would actually deploy in the event of a collision, people would be
up in arms about it, lawsuits filed, recalls issued, etc.

I don't expect any lock to be 100% secure (nor any car 100% safe in a
collision), but when the marketing team for a manufacturer takes it on
themselves to talk up the security, then I don't think it's wrong to expect that
manufacturer to be held to account when their claims don't hold up.

~~~
Crosseye_Jack
Replying to self as I can no longer edit:

Tesla released an update in 2017 giving users the ability to disable keyless
entry. That paired with OTA, I wonder if it would be wise of them to push an
advisory to all cars with keyless entry still enabled, advising the customer of
the risk of keyless entry and asking the customer if they would like to
disable it? If you have made it explicitly clear that keyless gives a
convenience bump at the sacrifice of security but the customer still decides
to leave keyless enabled, that is a choice the customer willingly made.

Just thinking out loud.

~~~
labawi
It seems to me it shouldn't be too expensive to offer a key upgrade, if the new
models are safer.

~~~
Crosseye_Jack
I thought a key upgrade might work if they can get the time of flight working
correctly to kill off amplification attacks. But it was more an "in the mean time"
fix until they release new keys with time of flight or a new service.

------
roelschroeven
I'm glad my car has a keyfob that I can easily turn off. Relay attacks don't
work then. In fact I'd much rather have a keyfob where I have to push a button
to unlock the car; I don't really see how not having to push a button adds all
that much convenience.

~~~
Crosseye_Jack
When you are wrangling your kids and your keys are in a bag somewhere.

Just one instance of not having to push a button could be a convenience.

Not that I disagree that I much prefer having keyless entry disabled on my
car. Just giving a situation where I could see keyless as being more
convenient because I’m an argumentative little shit ;-)

------
hanche
One can get RF blocking pouches for the keyfob. It’s a cheap countermeasure; a
bit inconvenient, though.

~~~
natch
The newer Tesla keyfobs don’t emit RF unless you either click a button, or are
inches away from the RFID reader on the driver door pillar.

Maybe it could still be defeated with a very long range RFID reader? I don’t know
how long a range they get.

~~~
labawi
I read about ~1m boosting, though not sure what type of technology it was. It
might still be a good idea to limit time-of-flight to eliminate relay attacks.

------
ec109685
What happens the next time they want to start the car?

~~~
function_seven
What car? You mean that pile of ready-to-fence parts over there? And the big-
ass battery that’ll fetch $4,000? And those seats that I just listed on eBay?
;)

------
2rsf
Israeli thieves (well, mostly Palestinians) are already over that: they open a
door (or smash a window), open the hood and in seconds swap the car's
computer with one they bring with them.

Insurance companies try to fight that by forcing the installation of a "safe"
around the computer.

------
sansnomme
Are Tesla seriously that bad at crypto that they can't prevent a replay
attack? A time-based MAC (Message Authentication Code) system like those used
by bank 2FAs can go quite a long way. You just have to resync the clock when
you change the battery.

E.g. See Tuomas Aura's most excellent paper:

[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.69....](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.69.1965&rep=rep1&type=pdf)
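An added illustration, not from this thread, of the two checks that keep coming up: the fresh-challenge MAC suggested in this comment stops replay but says nothing about a relay, while the round-trip bound ladberg and icebraining describe upthread is what catches a relay, and only when the fob's processing margin is tight (panpanna's caveat). Every value here (secret, latencies, the 300 ns relay delay) is constructed for the demo.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s

def fob_response(secret: bytes, nonce: bytes) -> bytes:
    """Fob side: answer a fresh challenge with an HMAC over the nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def observed_rtt_s(fob_distance_m, fob_processing_s, relay_delay_s=0.0):
    """Round trip the car measures: radio out and back at c, fob compute time, any relay hops."""
    return 2 * fob_distance_m / C + fob_processing_s + relay_delay_s

def rtt_budget_s(max_distance_m, processing_margin_s):
    """Largest round trip the car tolerates for a fob within max_distance_m."""
    return 2 * max_distance_m / C + processing_margin_s

def car_verify(secret, nonce, response, rtt_s, max_distance_m=3.0, processing_margin_s=100e-9):
    """Car side: the MAC defeats replay; only the RTT bound can catch a relay."""
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    return {"mac_ok": hmac.compare_digest(expected, response),
            "rtt_ok": rtt_s <= rtt_budget_s(max_distance_m, processing_margin_s)}

SECRET = b"constructed-demo-secret"  # constructed; a real fob holds a per-device key
FOB_PROC_S = 50e-9                   # constructed fob latency, assumes hardware-timestamped ranging
def legit_unlock():
    """Owner 1 m from the door, no relay: both checks pass."""
    nonce = os.urandom(16)
    return car_verify(SECRET, nonce, fob_response(SECRET, nonce), observed_rtt_s(1.0, FOB_PROC_S))

def replay_attempt():
    """A captured (nonce, response) pair is offered against a new nonce: MAC fails."""
    captured = fob_response(SECRET, os.urandom(16))
    return car_verify(SECRET, os.urandom(16), captured, observed_rtt_s(1.0, FOB_PROC_S))

def relay_attempt(processing_margin_s):
    """Fob 30 m away indoors, relay hardware adding 300 ns (constructed): MAC passes,
    so the outcome rests entirely on how tight the timing margin is."""
    nonce = os.urandom(16)
    rtt = observed_rtt_s(30.0, FOB_PROC_S, relay_delay_s=300e-9)
    return car_verify(SECRET, nonce, fob_response(SECRET, nonce), rtt,
                      processing_margin_s=processing_margin_s)

if __name__ == "__main__":
    print("legit  ", legit_unlock())
    print("replay ", replay_attempt())
    print("relay, 100 ns margin:", relay_attempt(100e-9))  # rejected by the RTT bound
    print("relay, 50 us margin: ", relay_attempt(50e-6))   # accepted: margin swamps time of flight
```

With a 50 µs processing margin the 20 ns of extra time of flight for 3 m is invisible, which is why a time bound only works with nanosecond-level hardware timestamping on both ends.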

~~~
cbanek
The article said it's a relay attack, not a replay attack:

[https://hackernoon.com/signal-amplification-relay-attack-sara-609ce6c20d4f](https://hackernoon.com/signal-amplification-relay-attack-sara-609ce6c20d4f)

