Tesla Model 3 Stolen from Mall of America Using Smartphone (thedrive.com)
50 points by tomohawk 31 days ago | 49 comments



Like most "hacking" instances in real life this was an exploit of the service desk. He called Tesla support and had the VIN (easily readable through the windshield as required by law) added to his account so he could use the app on his phone to access the car.

This seems like a big security hole, but it puts a giant arrow on the thief that lets them be caught easily. It's a trap for dumb thieves. Basically only good for going for a joyride.

Tesla definitely needs to harden their support desk however, because that's just embarrassingly bad.


The automaker told Electrek that the alleged car thief likely had previously rented the vehicle and had an already-authenticated phone as a result. The owner of Trevla reportedly refuted this claim, stating that he had removed the phone's access following this person’s prior rental.

I suspect that the service desk could see that the phone was previously authenticated with that car. My theory is that between that and the VIN, the thief was able to social engineer the service desk into re-authenticating.

As currently realized, service desks can't be hardened against people with inside information, unless bad customer experiences for innocent customers are tolerated. This isn't just Tesla. Any company with customer service is probably like this. Either they're pushovers with decent customer service, or customers think they're a pain.


Couldn't the thief pretty easily set up an account and call from a burner phone?


Depends if you need to buy a Tesla first to set up an account.


Doesn't the car have a built-in GPS tracker anyway?


From the article: "Since this person disabled GPS tracking on the car, the owner had to utilize a different method of tracking down the alleged crook."


That the thief disabled. They tracked him via Supercharger stops.


A GPS jammer can be picked up for $20 on eBay.


So the "hacking" part was convincing a support agent to give him access, and the "with a smartphone" part was using the phone to talk to the agent?


>"hacking"

Whatever gets you access.

>"with a smartphone"

The smartphone was both used to talk to the agent and also, once authorized, to unlock and turn on the car. See below:

"The person allegedly responsible for taking the car is believed to have reached out to Tesla's customer support to add the stolen Model 3 to his Tesla account by its vehicle identification number. Once the vehicle was accessible on a smartphone that was signed into this person’s account, he was reportedly able to unlock the car and drive away without ever needing a key."


> >"hacking"

> Whatever gets you access.

Social Engineering.


The smartphone lets you unlock the car and drive off. Keyless entry.


Social Engineering is in scope for Security Penetration Testing.


Asking someone = social engineering = hack.


Clever, but the same case shows the difficulty of getting away with it, even if you are able to steal a Tesla. He was tracked by his use of the supercharging network, which allowed law enforcement to find and arrest him a few days later.


Could he not have just charged without using the superchargers?


Who's going to use a Tesla without superchargers? At some point, somebody will.


If one is going to plug into a US 220V outlet with an adaptor, then you're talking about adding back something like 180 miles range in 8 to 12 hours. Stealing such a car by driving it to a port city for shipment overseas would be a huge pain across most of the US. You'd at least need to tow it or haul it on a flat bed, unless you already lived in or near a port city. (San Francisco and the Bay Area are fairly close to Oakland.)


> Who's going to use a Tesla without superchargers?

Well, if you stole the car, and now everyone is aware this is a way to track them...


Most people who steal cars either chop them up for parts or sell them. What do you think the new owner is going to do? Live without superchargers?


> What do you think the new owner is going to do? Live without superchargers?

Why not? Plenty of folks with electric vehicles charge at home and such.

I agree it's usually to chop or sell - in this kid's case though, he was probably planning on keeping it.


TSLA most certainly could have tracked it just using the GPS and woken the car (or even bricked it) remotely. Superchargers may have been used, but definitely weren't needed to track this vehicle.


From the article: "Since this person disabled GPS tracking on the car, the owner had to utilize a different method of tracking down the alleged crook."

I don't own a Tesla, but this implies it's possible to turn the GPS off.


Which is good news if you live in a locality where recovering traceable stolen cars is a law enforcement priority.


Recovering cars is a low priority for a reason.

Auto recovery has a terrible success rate. The goal is to get them chopped or into containers for overseas consumption. You will eventually be caught if you keep driving it around.


There is a new feature called "PIN to Drive" which would have likely foiled most of this "attack".

https://electrek.co/2018/08/29/tesla-new-security-cryptograp...

I strongly encourage anyone with a Tesla (I have a Model 3) to enable PIN to Drive:

    Controls > Safety and Security > PIN to Drive


It's a rental car. They're not going to add a PIN.


> without ever needing a key

That's disingenuous and the author knows it. Just prior they state that the thief had to call in to Tesla to get authorized.


They mean without a traditional physical key.


Yes, but there's no difference in this case between a traditional key and an electronic key. A key, of some sort, was required.

He didn't do some fancy hack of the car as if he could walk up to any Tesla anywhere and steal it.


It seems that by your logic, any bypass of a car's authentication system functions as a surrogate key.

Punching out an ignition column with a screwdriver and jumping wires is no more having a key than calling customer service and fooling them into transferring remote control to you. In all cases, you don't have what is commonly understood to be "a key," yet you leave with what you came for.

The common vernacular has an accepted definition of what it means to require a key to do something. Given that this is a criminal matter, you'd have a hard time convincing a jury of yokels to share your understanding.


He didn't (locally) bypass the car's authentication system.

As far as the car is concerned, he used a proper key.

I'm not sure what your comment about a jury of yokels refers to. I clearly do not mean that he didn't actually steal the car. It doesn't matter if that was with a key or not.

"without a key" is clearly meant to imply that he walked right up. But what he actually did is the equivalent of copying an existing key. IOW, he had a "key" made.


To be clear, I do think your point/distinction is valid in a technical sense, but not relevant to the explanation of the crime.

He walked right up, made a phone call and Tesla support literally handed him the car. What encrypted bits got shuffled around to make this happen are secondary to the fact that he did steal the car (and yes, had Tesla fabricate an ethereal key) using nothing but his phone.


> He didn't do some fancy hack of the car as if he could walk up to any Tesla anywhere and steal it.

That makes this all the more concerning. You can't social engineer technical support to give you a new keyfob in a time that would be practical enough to steal a car.

And in fact, if he could socially engineer his way into one car, he can do it to all of them.


“Key” in the context of cars means a long thin metal rectangle with notches cut out on the side matching the pattern encoded in the lock cylinder.


How is that disingenuous? He didn't need a key to call Tesla and convince them to add the car to his account.


>... enabling the convenience of driving using only one's phone is a luxury which most people have yet to experience just how insanely convenient it can be.

Imagine the inconvenience of having to pull out the key like if it was the 20th century. This is idiotic as now you have the added problem that your car will be stolen for using "password" as a password.


Before luddites get up in arms about "This would never happen with normal keys" ... Nothing stopping someone from making a copy of the keys _after renting the car_ and coming back later to use them.


Well, yes there is. Many if not most new cars require the ECU to be programmed to accept a new key. That's how typical theft deterrence works today. You must also have possession of all keys to be programmed. You can't just add a key and leave the others in place.


> You must also have possession of all keys to be programmed. You can't just add a key and leave the others in place.

Sure, if you do it at the dealer.

Find someone with a programmer and they can add a key without having the other keys - I've done it myself on my own vehicle.


Depends on the car; newer models need a special authorization to access security-related ECUs.


Officially, yes, but virtually all of them have a bypass programmer ~6 months after the vehicle is released.


I still keep my decade old beater around, and even that thing isn't susceptible to someone making a new key at Home Depot.


Copying keys nowadays requires some car hacking knowledge. If you can copy the keys easily, you can easily get a better job than stealing cars. And if one wants to steal THAT car, there is no way to stop it. It might just take longer.


Seems the thief in this story is a kind of counterargument to your point. He didn't seem to prefer the jobs available to him versus stealing the car.


It didn't work very well for him though, except for the joyride that is.


Getting a replacement car key made is a surprisingly slow/expensive process for most modern cars (not as easy as a replacement house key at Home Depot, for example)


That’s what dealerships would like you to believe, but my local OSH can make chipped keys in minutes. Programming them generally only requires access to an already programmed key and youtube.


Exactly. Physical security is the only security.



